In a concerning trend, threat actors are resorting to deceptive tactics to distribute Lumma, a malicious information-stealing software. Their latest approach involves leveraging YouTube videos that ostensibly endorse cracked software, tricking unsuspecting users into downloading the malware.
“These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly,” (Cara Lin, Fortinet FortiGuard Labs, Monday analysis) noted.
There is a notable history of YouTube videos promoting software piracy, acting as a magnet for malware stealers. In the past, there have been instances of attack chains disseminating crypto miners’ malware, clippers, and stealers.
Through compromising these systems, malicious actors gain the ability to steal cryptocurrency, extract sensitive data, and engage in illegal mining using the compromised resources.
The latest attack sequence unearthed by Fortinet revolves around deceiving YouTube users seeking cracked versions of legitimate video editing software such as Vegas Pro. In this scheme, users unwittingly download a counterfeit installer hosted on MediaFire.
Upon extraction, the installer reveals a Windows shortcut (LNK) masquerading as a setup file. This LNK file initiates the download of a.NET loader from a GitHub repository, subsequently loading the Lumma Stealer payload. To further evade detection, the malware conducts repetitive anti-virtual machine and anti-debugging checks.
The C program Lumma Stealer has been available for purchase on dark web forums since late 2022, posing a significant threat as it is designed to steal crucial information and transmit it to a server under the control of malicious actors.
This revelation follows a warning from Bitdefender regarding stream-jacking assaults on YouTube. In these attacks, hackers employ phishing techniques to gain access to popular accounts, installing the RedLine Stealer malware. This malware is used to extract session cookies and passwords, subsequently exploited to propagate various cryptocurrency frauds.
This revelation comes on the heels of the discovery of an active AsyncRAT campaign spanning 11 months. Employing phishing lures, the campaign orchestrates the download of an obfuscated JavaScript file, subsequently deploying the remote access trojan.
“The victims and their companies are carefully selected to broaden the impact of the campaign,” Fernando Martinez, a researcher at AT&T Alien Labs, stated. “Some of the identified targets manage key infrastructure in the U.S.”
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.