BIGFISH TECHNOLOGY LIMITED
12 January 2024

Beware! Lumma Stealer Cracked Software Distributor YouTube Videos

Threat actors are using YouTube videos with content linked to cracked software to attract consumers to download Lumma, an information stealer malware.

"These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides, and incorporating malicious URLs often shortened using services like TinyURL and Cuttly," noted Fortinet FortiGuard Labs researcher Cara Lin in an analysis published Monday.

This isn't the first time that videos promoting unlicensed software on YouTube have been used as bait for stealer malware. Similar distribution networks delivering stealers, clippers, and crypto miner malware have been detected before.

Threat actors can then use the compromised workstations to steal information and cryptocurrency, and can abuse their computing resources for illicit mining.

Users searching YouTube for cracked versions of legitimate video editing software like Vegas Pro are asked to click a link in the video's description, which leads to the download of a fraudulent installer hosted on MediaFire.

Once unpacked, the ZIP installer contains a Windows shortcut (LNK) disguised as a setup file. The shortcut downloads a .NET loader from a GitHub repository; the loader performs a series of anti-virtual-machine and anti-debugging checks before loading the stealer payload.
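Two of the artefacts described above lend themselves to simple heuristic checks: an archive whose "setup" file is really a Windows shortcut, and a video description whose download link is hidden behind a URL shortener. The script below is an added example written for this page, not code from Fortinet or the article; the archive contents, the shortener domain list and the installer keyword list are constructed assumptions, and the shortcut is identified by the fixed Shell Link header rather than by its extension.

```python
"""Heuristic checks for a ZIP lure carrying an LNK disguised as an installer, and
for shortened download links in a video description. Added example; the sample
archive and description below are constructed, not taken from a real campaign."""
import io
import re
import zipfile
from urllib.parse import urlparse

# Fixed 20-byte prefix of every Shell Link (.lnk) file: HeaderSize 0x4C followed
# by LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Words an installer-themed lure tends to use in its filename (assumed heuristic list).
INSTALLER_WORDS = re.compile(r"(setup|install|crack|keygen|patch)", re.IGNORECASE)

# Shorteners named in the article (TinyURL, Cuttly) plus a few common ones (assumed list).
SHORTENER_DOMAINS = {"tinyurl.com", "cutt.ly", "bit.ly", "t.ly", "rb.gy"}


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per archive entry that is a shortcut posing as an installer.

    The check reads the first bytes of each entry and compares them with the LNK
    header, so a renamed shortcut is still caught; 'name_lure' records whether the
    filename also uses installer-style wording."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue
            findings.append({
                "entry": info.filename,
                "claimed_ext": info.filename.rsplit(".", 1)[-1].lower(),
                "name_lure": bool(INSTALLER_WORDS.search(info.filename)),
            })
    return findings


def _host(url: str) -> str:
    """Lower-cased hostname of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def shortened_links(description: str) -> list[str]:
    """Return the URLs in a video description whose host is a known URL shortener."""
    urls = re.findall(r"https?://[^\s<>\"']+", description)
    return [u for u in urls if _host(u) in SHORTENER_DOMAINS]


def build_sample_zip() -> bytes:
    """Construct an archive shaped like the lure the article describes (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut sold as the product installer: LNK header plus zero padding.
        zf.writestr("Vegas Pro 21 Setup.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"Run Setup to install.\n")
        # Double extension is a common variant of the same trick.
        zf.writestr("setup.exe.lnk", LNK_MAGIC + b"\x00" * 56)
        # A genuine PE stub ('MZ' header) must not be flagged.
        zf.writestr("real_tool.exe", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print("shortcut posing as installer:", finding)
    sample_description = ("Download: https://tinyurl.com/abc123 mirror https://www.cutt.ly/xyz "
                          "docs https://example.com/manual.pdf")  # constructed
    print("shortened links:", shortened_links(sample_description))
```

The header comparison is the important part: a shortcut renamed to look like a document or installer keeps the same first 20 bytes, so checking content rather than the file extension is what makes the check useful on a mail gateway or download scanner. The shortener list is only a triage aid; a shortened link is not malicious by itself, but in a cracked-software context it is a reason to expand the link before anything is downloaded.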

Lumma Stealer, a C-based program that has been available for purchase on underground forums since late 2022, is capable of capturing and exfiltrating sensitive data to an actor-controlled server.

Bitdefender recently issued a warning about YouTube stream-jacking attacks, in which hackers take over high-profile accounts through phishing operations that deploy the RedLine Stealer malware to steal credentials and session cookies, then use the hijacked channels to push crypto frauds.

The disclosure also follows the discovery of an 11-month-old AsyncRAT campaign that uses phishing lures to deliver an obfuscated JavaScript file, which in turn drops the remote access trojan.

"The victims and their companies are carefully selected to broaden the impact of the campaign," stated AT&T Alien Labs researcher Fernando Martinez. "Some of the identified targets manage key infrastructure in the U.S."


Source: The Hacker News