FortiGuard Labs researchers have uncovered a sophisticated campaign that uses YouTube channels as a vector for spreading the Lumma Stealer. The campaign compromises legitimate YouTube accounts to post videos that advertise cracked software for popular video editing tools like Vegas Pro.

Malicious Tactics Unveiled

The videos embed malicious URLs that tempt users to download a seemingly innocent ZIP file named ‘installer_Full_Version_V.1f2.zip’. Starting this download sets off a multi-stage attack that culminates in the execution of a .NET loader from a GitHub repository, which delivers the info-stealer in the final stage.

The .NET loader, obfuscated with SmartAssembly, evades detection by running PowerShell discreetly. It uses settings such as RedirectStandardInput, CreateNoWindow, and UseShellExecute to mask its activity so that victims do not become suspicious. Researchers observed that although the videos were uploaded last year, regular updates to the ZIP files allowed the threat group to persist undetected while effectively spreading the malware.
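A hunting heuristic for the loader behaviour described above, as an added example that is not from FortiGuard Labs or the original article. It assumes the loader feeds commands to PowerShell over redirected standard input, so no script appears on the command line; the field names follow Sysmon process-creation events, and the path and parent lists are assumptions to tune per environment.

```python
import ntpath

# Field names follow Sysmon Event ID 1 (process creation); the lists below are
# assumptions to tune locally, not indicators published for this campaign.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
SCRIPT_OPTS = ("-command", "-file", "-encodedcommand")
VALUE_OPTS = ("-executionpolicy", "-windowstyle", "-inputformat", "-outputformat",
              "-version", "-psconsolefile", "-configurationname")

def _matches(token, names):
    # PowerShell accepts prefixes of parameter names (-c, -enc, -ex, -w).
    return len(token) >= 2 and any(n.startswith(token) for n in names)

def script_from_stdin(command_line):
    """True when the command line carries no script, so commands must come from stdin."""
    cl = command_line.strip()
    rest = cl[1:].partition('"')[2] if cl.startswith('"') else cl.partition(" ")[2]
    tokens = ["-" + t[1:] if t.startswith("/") else t for t in rest.lower().split()]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-ec" or _matches(tok, SCRIPT_OPTS):
            return i + 1 < len(tokens) and tokens[i + 1] == "-"  # "-Command -" reads stdin
        if tok == "-ep" or _matches(tok, VALUE_OPTS):
            i += 1                      # skip the option's value
        elif not tok.startswith("-"):
            return False                # positional script path or command text
        i += 1
    return True

def flag_event(ev):
    """Return a reason string for a suspicious process-creation event, else None."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ev["ParentImage"].lower()
    if image not in POWERSHELL or ntpath.basename(parent) in INTERACTIVE_PARENTS:
        return None
    if not script_from_stdin(ev["CommandLine"]) or not any(d in parent for d in USER_WRITABLE):
        return None
    return "PowerShell fed over stdin by " + ev["ParentImage"]

# Constructed sample events, not telemetry from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe", "ParentImage": r"C:\Users\alice\Downloads\setup.exe"},
    {"Image": PS, "CommandLine": "powershell.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": PS, "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inv.ps1", "ParentImage": r"C:\Program Files\Vendor\agent.exe"},
]
```

Only the first sample event is flagged: an executable under a user's Downloads folder starts PowerShell with nothing on the command line. CreateNoWindow leaves no field in a process-creation event, so the heuristic relies on the parent path and the missing script argument.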

Lumma Stealer Variant and Underground Forums

The Lumma Stealer variant involved in this insidious campaign is coded in the C language and is available for purchase on underground forums. This particular info-stealer is notorious for extracting sensitive information from victims’ systems, including data from browsers, crypto wallets, and browser extensions.

YouTube’s Vulnerability to Cyber Threats

Over the years, YouTube, a Google-owned platform, has become a prime target for cybercriminals. The platform witnessed a surge in major malware infections and crypto-related scams in the past year alone. Notable instances include threat actors employing fake Android apps, mimicking popular services like YouTube, Netflix, and Instagram, to distribute the DogeRAT malware.

In another incident, a stealthy loader known as in2al5d p3in4er was distributed through YouTube videos, facilitating the delivery of the Aurora infostealer onto victims’ systems.

Cautionary Measures for YouTube Users

As YouTube continues to be a lucrative haven for attackers, users are urged to exercise caution when downloading software installers. It is crucial to adhere to a rule of thumb: only download applications and software from trusted sources to mitigate the risk of falling victim to these insidious cyber threats.

In conclusion, this latest Lumma Stealer campaign underscores the evolving tactics of cybercriminals who exploit popular platforms to disseminate malware. Staying vigilant and adopting secure downloading practices are essential in safeguarding against these digital menaces lurking in the shadows of seemingly harmless videos on YouTube.


