
Researchers Disclose New Lumma Stealer Campaign Distributed via YouTube

FortiGuard Labs researchers recently encountered a new Lumma Stealer campaign that leverages YouTube channels for propagation. The attackers are strategically compromising YouTube accounts and uploading videos that pretend to offer cracked software for legitimate video editing tools such as Vegas Pro.

Modus operandi

  • According to researchers, these videos contain embedded malicious URLs that entice users to download a ZIP file named ‘installer_Full_Version_V.1f2.zip’.
  • Opening the ZIP file unknowingly starts a multi-stage attack that ultimately executes a .NET loader fetched from a GitHub repository and, in the final stage, the info-stealer.
  • The .NET loader, obfuscated with SmartAssembly, employs advanced techniques to evade detection.
  • The malware leverages PowerShell to run discreetly, setting process-launch properties such as RedirectStandardInput, CreateNoWindow, and UseShellExecute so that no console window appears and victims' suspicion is not raised.

Researchers noted that the videos were uploaded last year but the ZIP files received regular updates, enabling the threat group to stay under the radar while effectively spreading the malware.

What else?

  • The Lumma Stealer variant used in the campaign is written in C and is sold on underground forums.
  • The info-stealer is known to exfiltrate sensitive information from victims’ systems, including data held by browsers, crypto wallets, and browser extensions.

YouTube: A lucrative haven for attackers

Over the years, the Google-owned site has witnessed a surge in major malware infections and crypto-related scams. To cite a few instances from last year:

  • Threat actors leveraged fake Android apps impersonating YouTube, Netflix, and Instagram to infect users with a new malware named DogeRAT.
  • In another instance, a sneaky loader called in2al5d p3in4er was distributed via YouTube videos to deliver the Aurora infostealer onto victims’ systems.

Closing thought

If you are on YouTube, exercise caution when downloading installers for software applications. As a rule of thumb, it is recommended to download apps/software from trusted sources.
Publisher: Cyware