Beware! YouTube videos promoting cracked software distribute Lumma Stealer


Threat actors are resorting to YouTube videos with content related to cracked software to trick users into downloading an information-stealing malware called Lumma.

“These YouTube videos typically contain content related to cracked applications, present users with similar installation guides, and include malicious URLs often abbreviated with services such as TinyURL and Cuttly,” Cara Lin, a researcher at Fortinet FortiGuard Labs, said in a Monday analysis.

This isn’t the first time that pirated software videos on YouTube have served as effective bait for stealer malware. Similar attack chains have previously been observed delivering stealers, clippers and cryptominer malware.

In this way, threat actors can not only use the compromised machines for information and cryptocurrency theft, but also abuse their resources for illicit mining.

In the latest attack series documented by Fortinet, users searching for cracked versions of legitimate video editing tools such as Vegas Pro on YouTube are prompted to click a link in the video description, leading to the download of a fake installer hosted on MediaFire.


The ZIP archive, once extracted, contains a Windows shortcut (LNK) that masquerades as an installation file. The shortcut downloads a .NET loader from a GitHub repository, which in turn loads the stealer payload, but not before a series of anti-virtual machine and anti-debugging checks has been carried out.
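The two hand-offs described above (a shortened or file-host link in the video description, then a ZIP whose "installer" is really an LNK shortcut) are the points where a defender can inspect the lure before anything runs. The following script is an added example, not code from Fortinet's analysis or from the campaign: it flags URLs whose host is one of the shortener or file-hosting services the article names, and it flags ZIP entries that are Windows shortcuts posing as installers, checking both the `.lnk` extension and the fixed 20-byte LNK header (HeaderSize 0x4C followed by the LinkCLSID). The domain list, the installer keyword list, and the sample description and archive are constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed lists based on the services named in the article; a real
# deployment would use a curated, regularly updated feed instead.
SHORTENER_DOMAINS = {"tinyurl.com", "cutt.ly"}
FILE_HOSTS = {"mediafire.com", "www.mediafire.com"}

# Words that commonly appear in the filename of a fake installer (assumption).
INSTALLER_WORDS = ("setup", "install", "crack", "keygen", "patch", "activat")

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def flag_description_urls(description):
    """Return each URL in a video description whose host is a URL shortener
    or a file host; both are used to hide where the download really lives."""
    findings = []
    for url in URL_RE.findall(description):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append({"url": url, "reason": "url-shortener"})
        elif host in FILE_HOSTS:
            findings.append({"url": url, "reason": "file-host"})
    return findings


def flag_lnk_in_zip(zip_bytes):
    """Return ZIP entries that are Windows shortcuts, with a note on whether
    the name also looks like an installer (double extension or setup words)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_header = head == LNK_MAGIC
            base = info.filename.lower().rsplit("/", 1)[-1]
            if not (has_lnk_header or base.endswith(".lnk")):
                continue
            installer_lure = (any(w in base for w in INSTALLER_WORDS)
                              or base.count(".") > 1)
            findings.append({"entry": info.filename,
                             "lnk_header": has_lnk_header,
                             "installer_lure": installer_lure})
    return findings


# Constructed sample inputs, labelled as such; the link targets are placeholders.
SAMPLE_DESCRIPTION = ("Full version here: https://tinyurl.com/EXAMPLE-PLACEHOLDER "
                      "mirror: https://www.mediafire.com/file/EXAMPLE-PLACEHOLDER/setup.zip "
                      "official site: https://www.example.com/")


def build_sample_lure_zip():
    """Build an in-memory archive mimicking the lure: a shortcut named like an
    installer (with a real LNK header) next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VegasPro/Setup.exe.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("VegasPro/ReadMe.txt", b"run setup to install")
    return buf.getvalue()


if __name__ == "__main__":
    for f in flag_description_urls(SAMPLE_DESCRIPTION):
        print("URL   :", f)
    for f in flag_lnk_in_zip(build_sample_lure_zip()):
        print("ENTRY :", f)
```

Checking the header rather than only the extension matters because Explorer hides the `.lnk` extension by default, which is what lets a shortcut named `Setup.exe.lnk` display as `Setup.exe`; a scanner that trusts the name alone would also miss a shortcut renamed to something else entirely.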

Written in C and offered for sale on underground forums since late 2022, Lumma Stealer is capable of collecting sensitive data and exfiltrating it to an actor-controlled server.

The development comes as Bitdefender warned of stream-jacking attacks on YouTube, in which cybercriminals take over high-profile accounts through phishing attacks that leverage the RedLine Stealer malware to siphon their login credentials and session cookies, ultimately promoting various crypto frauds.

It also follows the discovery of an eleven-month-old AsyncRAT campaign that uses phishing lures to download an obfuscated JavaScript file, which is then used to deliver the remote access trojan.

“The victims and their companies were carefully selected to maximize the impact of the campaign,” said AT&T Alien Labs researcher Fernando Martinez. “Some of the identified targets operate key infrastructure in the U.S.”
