If you’re on YouTube, exercise caution due to the ongoing Lumma Stealer campaign, where threat actors hack channels and upload videos that masquerade as legitimate cracked software sharing.
The cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a new wave of cyber threats as malicious threat actors leverage YouTube channels to spread the notorious Lumma Stealer through cracked software.
The malware campaigns investigated by the researchers involve YouTube videos disguised as content about cracked applications, leading users to installation guides that contain hidden malicious URLs.
What sets this apart is the attackers’ evasion technique, utilizing open-source platforms like GitHub and MediaFire, a file-sharing and cloud storage service, to avoid traditional web filter blacklists.
The specially crafted installation ZIP files act as effective baits, exploiting users’ intentions to install applications and prompting them to click on the malicious files without suspicion. The attackers employ a private .NET loader equipped with environment checks, anti-virtual machine measures, and anti-debugging functions.
Lumma Stealer, a well-known threat targeting sensitive information such as user credentials, system details, browser data, and extensions, has been actively promoted on the dark web and Telegram channels since 2022. The malware’s global presence is evident, with a peak observed in December.
In their blog post research shared with Hackread.com ahead of publication on Tuesday, FortiGuard Labs detailed the complex stages of the attack, digging deeper into the tactics employed by the threat group.
The modus operandi of the malware campaign involves attackers compromising a YouTuber’s account and uploading videos that appear as legitimate cracked software sharing.
In the next step, unsuspecting users are lured to download a ZIP file from file-sharing sites, which carries malicious content for the next stages of the attack. Regular updates to these files suggest that attackers are continuously revising their methods to spread malware effectively.
It is worth noting that the campaign also involves the use of a private .NET loader, a kind of hidden tool that generates a special set of instructions to make sure it runs code without getting detected. This script, in turn, connects to GitHub repositories and downloads encrypted binary data from servers chosen based on an evaluation of the system date.
Further, the DLL file responsible for decoding Lumma Stealer’s payload performs extensive environment checks to evade analysis. These include anti-VM and anti-debugging measures, as well as checks for virtualization platforms and sandbox environments. Simply put, Lumma Stealer comes with capabilities that let it evade detection by anti-malware solutions.
In the new campaign, once Lumma Stealer infects the device, it proceeds to seek the victim’s browser data. It steals various types of information, such as login credentials, personal details, financial information, and cryptocurrency funds by accessing crypto wallets. Additionally, it targets other data, including browser extensions.
YouTube, renowned as a great entertainment platform, has unfortunately also become a lucrative haven for cybercriminals. Over the years, the Google-owned site has witnessed a surge in major malware infections and crypto-related scams.
In October 2023, researchers reported a new threat known as Stream-Jacking, a tactic aimed at spreading Redline malware during live streams to steal cryptocurrency funds. The severity of the situation becomes apparent when considering that, in 2020, Google took action by deleting two million channels and 51 million videos due to the escalating prevalence of malware and cryptocurrency-related scams.
Nevertheless, as threat actors continue to equip Lumma Stealer with new malicious capabilities, users are urged to remain vigilant, particularly when dealing with applications from unclear sources, and to use only legitimate applications and software obtained from reputable and secure origins.