Researchers Disclose New Lumma Stealer Campaign Distributed via YouTube | Cyware Hacker News
FortiGuard Labs researchers recently encountered a new Lumma Stealer campaign that leverages YouTube channels for propagation. The attackers are strategically compromising YouTube accounts and uploading videos that pretend to offer cracked software for legitimate video editing tools such as Vegas Pro.
Modus operandi
- According to researchers, these videos contain embedded malicious URLs, enticing users to download a ZIP file named ‘installer_Full_Version_V.1f2.zip’.
- Upon downloading the ZIP file, victims unknowingly initiate a multi-stage attack that ultimately results in the execution of a .NET loader from a GitHub repository and the info-stealer in the final stage.
- The .NET loader, obfuscated with SmartAssembly, employs advanced techniques to evade detection.
- The malware launches PowerShell discreetly, setting .NET process-start properties such as RedirectStandardInput, CreateNoWindow, and UseShellExecute so that no console window appears and the victim sees nothing unusual.
Researchers noted that the videos were uploaded last year but the ZIP files received regular updates, enabling the threat group to stay under the radar while effectively spreading the malware.
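The process-start properties named above leave little trace in command-line telemetry: CreateNoWindow and UseShellExecute are creation flags, and a script fed through RedirectStandardInput never appears in the PowerShell command line at all. What a defender can still see is the parent/child relationship and an almost empty command line. The following Python is an added triage heuristic for process-creation events, written for this article and not code from FortiGuard Labs or Cyware; the sample events, field names (modelled on Sysmon Event ID 1), directory patterns, and the benign-parent list are all assumptions constructed for illustration.

```python
"""
Heuristic triage of process-creation events for the pattern described above:
a loader sitting in a user-writable directory starts powershell.exe and hands
it a script over redirected stdin, so the command line carries no -Command,
-File or -EncodedCommand. Events below are constructed, not real telemetry.
"""
import ntpath
import re

SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Directories writable without elevation, where a downloaded archive is usually
# extracted. Matched case-insensitively against the lowercased parent path.
USER_WRITABLE = (
    r"\\users\\[^\\]+\\downloads\\",
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\windows\\temp\\",
)

# Parents from which a PowerShell child is ordinary (assumed allow-list).
BENIGN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                  "code.exe", "windowsterminal.exe", "services.exe"}

# Switches that carry the script in the command line itself; their absence in a
# non-interactive launch suggests the script arrives on stdin instead.
SCRIPT_SWITCHES = re.compile(r"(?i)(^|\s)-(c(ommand)?|f(ile)?|e(ncodedcommand|c)?)\b")


def _basename(path: str) -> str:
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def _under_user_writable(path: str) -> bool:
    low = path.lower()
    return any(re.search(p, low) for p in USER_WRITABLE)


def score_event(ev: dict) -> list[str]:
    """Return the reasons an event resembles the hidden-loader pattern
    (an empty list means nothing noteworthy)."""
    reasons = []
    if _basename(ev.get("Image", "")) not in SHELL_IMAGES:
        return reasons
    parent = ev.get("ParentImage", "")
    parent_name = _basename(parent)
    cmd = ev.get("CommandLine", "").strip()

    if parent_name not in BENIGN_PARENTS:
        reasons.append(f"unusual parent {parent_name or '<unknown>'}")
    if _under_user_writable(parent):
        reasons.append("parent runs from a user-writable directory")
    # Drop the image token (quoted or bare); what remains are the arguments.
    args = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmd)
    if parent_name not in BENIGN_PARENTS and not SCRIPT_SWITCHES.search(args):
        reasons.append("no -Command/-File/-EncodedCommand: script likely fed via stdin")
    return reasons


def flag_suspicious_powershell(events: list[dict], min_reasons: int = 2) -> list[dict]:
    """Return the events that accumulate at least `min_reasons` indicators.
    A single indicator (e.g. an unlisted parent) is too noisy on its own."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


# Constructed sample events (paths and names are invented for this example).
SAMPLE_EVENTS = [
    {   # a user opening a shell from Explorer: expected
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # a maintenance script with an explicit -File: one weak indicator only
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Ops\cleanup.ps1",
    },
    {   # an executable extracted into Downloads starts PowerShell with no arguments
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\alice\Downloads\installer\setup_helper.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
]

if __name__ == "__main__":
    for hit in flag_suspicious_powershell(SAMPLE_EVENTS):
        print(hit["ParentImage"], "->", hit["Image"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the third event is flagged: its parent is unlisted, lives under Downloads, and the PowerShell command line has no script-bearing switch, which together match a loader feeding its payload over stdin. The svchost.exe launch scores one indicator and stays below the threshold, which is the point of scoring rather than alerting on any single condition.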
What else?
- The Lumma Stealer variant used in the campaign is written in C and is sold on underground forums.
- The info-stealer is known to exfiltrate sensitive data from victims’ systems, including data held by browsers, cryptocurrency wallets, and browser extensions.
YouTube: A lucrative haven for attackers
Over the years, the Google-owned site has witnessed a surge in major malware infections and crypto-related scams. To cite a few instances from last year:
Closing thought
If you are on YouTube, exercise caution when downloading installers for software applications. As a rule of thumb, it is recommended to download apps/software from trusted sources.