A new Lumma Stealer campaign uses various YouTube channels to propagate and infect numerous targets. The attackers behind this campaign are strategically compromising YouTube accounts and uploading videos that offer cracked and pirated software for popular video editing tools such as Vegas Pro.
Moreover, the descriptions of these attacker-uploaded videos contain embedded malicious URLs that lure users into downloading a ZIP file named ‘installer_Full_Version_V.1f2.zip.’
Upon downloading the ZIP file, victims unknowingly start a multi-stage attack process that ultimately leads to executing a .NET loader from a GitHub repository and the infostealer in the final stage.
Subsequently, the .NET loader, obfuscated with SmartAssembly, employs several techniques to evade security controls and detection. It launches PowerShell from .NET, setting process properties such as RedirectStandardInput, CreateNoWindow, and UseShellExecute so that the PowerShell process runs without a visible window and does not draw the victim's attention.
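The launch pattern described above leaves a recognisable trace in process-creation telemetry: a PowerShell child whose command line is bare (the script is fed over the redirected standard input rather than passed as arguments), started by a parent that is not a shell or terminal and that typically runs from a user-writable folder such as Downloads. The following hunting script is an added example, not code from the report or from the Lumma operators; the pipe-separated log format, the field names (Image, CommandLine, ParentImage) and the three sample events are constructed for illustration, and the list of expected parents is an assumption to tune per environment.

```python
"""Hunt for PowerShell started the way a .NET loader would via
ProcessStartInfo (UseShellExecute=false, CreateNoWindow=true,
RedirectStandardInput=true).  A hidden window is not visible in the
command line, so the detection keys on two observable side effects:
  1. a bare command line (no arguments, script arrives over stdin)
  2. an unexpected parent, often running from a user-writable path
The log format below is constructed for this example (Sysmon-like
field names, one event per line, fields separated by '|')."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed sample events: one benign interactive shell, one benign
# scheduled script, and one that matches the loader pattern.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoProfile -File C:\scripts\backup.ps1"
    r"|ParentImage=C:\Windows\System32\services.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r'|CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
    r"|ParentImage=C:\Users\victim\Downloads\installer\Setup.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe Get-Process"
    r"|ParentImage=C:\Windows\explorer.exe",
]

# Parents from which PowerShell is normally launched (assumption; tune per site).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                    "windowsterminal.exe", "code.exe", "services.exe", "svchost.exe"}
# Directories an ordinary user can write to and a fresh download would run from.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\downloads|appdata|temp)\\", re.I)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'key=value|key=value' log line into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of indicators matched by a PowerShell launch."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    # Bare command line: only the executable, nothing else, so any script
    # content must be arriving through redirected stdin.
    args = ev.command_line.strip().strip('"').lower()
    if args.endswith(("powershell.exe", "pwsh.exe", "powershell", "pwsh")):
        reasons.append("bare command line (input likely redirected over stdin)")
    parent = basename(ev.parent_image)
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if USER_WRITABLE.search(ev.parent_image):
        reasons.append("parent runs from a user-writable directory")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag events that show a bare command line plus at least one parent anomaly."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if len(reasons) >= 2 and reasons[0].startswith("bare command line"):
            alerts.append((ev.parent_image, reasons))
    return alerts


if __name__ == "__main__":
    for parent, reasons in hunt(SAMPLE_EVENTS):
        print(f"ALERT parent={parent}")
        for r in reasons:
            print(f"  - {r}")
```

The rule deliberately requires the bare command line together with a parent anomaly; a bare `powershell.exe` from a terminal is a normal interactive session, and an unusual parent alone is common for installers and IT tooling. Enriching the alert with the parent's hash or signer status (not modelled here) is the natural next step before blocking.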
The Lumma Stealer operators constantly updated the ZIP files in the YouTube videos despite uploading them almost a year ago.
Investigators found that the Lumma Stealer operators uploaded the YouTube videos last year. However, they regularly update the linked ZIP files, which lets them stay under the radar while continuing to spread the malware.
The Lumma Stealer variant used by the attackers in this campaign is written in C language and is sold on underground forums. This infostealer could exfiltrate sensitive information from victims’ systems, including browsers, crypto wallets, and browser extensions.
YouTube has become a lucrative platform for threat actors over the years. In 2020 alone, major malware infections and crypto-related scams have landed on this platform. For instance, threat actors leveraged fake Android apps such as YouTube, Netflix, and Instagram to infect users with a new malware called DogeRAT. In another scenario, an elusive loader called ‘in2al5d p3in4er’ spread through YouTube videos and delivered the Aurora infostealer onto victims’ systems.
As a precautionary measure, users should exercise caution when downloading installers for software applications from YouTube. It is advisable to download apps or software solutions from trusted sources only.
With cybercriminals becoming increasingly creative and sophisticated in their strategies, it is essential to stay vigilant and keep up with the latest security threats and best practices to thwart them.