Threat actors are now using YouTube videos featuring content related to cracked software as a means to lure users into downloading Lumma, an information-stealing malware, according to a recent analysis by Fortinet FortiGuard Labs researcher Cara Lin. These YouTube videos often showcase content associated with cracked applications and provide users with installation guides, incorporating malicious URLs that are frequently shortened using services like TinyURL and Cuttly.

This tactic is not new, as previously observed attack chains on YouTube delivered various types of malware, including stealers, clippers, and crypto miners. By employing this method, threat actors can exploit compromised machines for information and cryptocurrency theft, as well as unauthorized mining.

In the most recent attack documented by Fortinet, users searching for cracked versions of legitimate video editing tools, such as Vegas Pro, on YouTube are encouraged to click on a link in the video’s description. This link leads to the download of a deceptive installer hosted on MediaFire. Once unpacked, the ZIP installer contains a Windows shortcut (LNK) posing as a setup file. This shortcut downloads a .NET loader from a GitHub repository, which then loads the Lumma Stealer payload after performing anti-virtual machine and anti-debugging checks.
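As an added defensive example (not part of the Fortinet analysis or this post), the Python script below inspects a ZIP archive for Windows shortcut files by their Shell Link header rather than by extension, and reports those whose names pose as installers, the pattern described above; the archive, its file names and contents are constructed for the demonstration.

```python
"""Constructed example: flag LNK entries inside a ZIP that masquerade as
installers. Detection keys on the Shell Link header, so a shortcut renamed
to 'Setup.exe' is still caught. All sample data below is made up."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Name fragments typical of installer-themed lures (assumed list, not exhaustive).
INSTALLER_WORDS = ("setup", "install", "crack", "keygen", "patch")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header, whatever the extension."""
    return data[:20] == LNK_MAGIC


def scan_zip(blob: bytes) -> list:
    """Return (entry name, reasons) for every entry that is really an LNK file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(20)  # only the header is needed
            if not is_lnk(head):
                continue
            lower = info.filename.lower()
            reasons = ["Shell Link header"]
            if not lower.endswith(".lnk"):
                reasons.append("extension does not say .lnk")
            if any(w in lower for w in INSTALLER_WORDS):
                reasons.append("installer-themed name")
            findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: an LNK named as a setup file, a disguised LNK, a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VegasPro/Setup.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("VegasPro/Setup.exe", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("VegasPro/readme.txt", b"installation guide\n")
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see both shortcut entries reported while the text file is ignored; a real triage script would go on to parse the LNK target and arguments.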

Lumma Stealer, written in C and available for sale on underground forums since late 2022, is capable of harvesting and exfiltrating sensitive data to a server controlled by the threat actor.

This development coincides with Bitdefender’s warning about stream-jacking attacks on YouTube, where cybercriminals hijack high-profile accounts through phishing attacks. These attacks deploy the RedLine Stealer malware to extract credentials and session cookies, ultimately promoting various crypto scams.

Additionally, an 11-month-old AsyncRAT campaign has been discovered, utilizing phishing lures to download an obfuscated JavaScript file. This file is then used to deploy a remote access trojan. AT&T Alien Labs researcher Fernando Martinez noted that the campaign carefully selects victims and their companies to amplify its impact, with some identified targets managing key infrastructure in the U.S.
