Researchers have discovered a cybersecurity threat that targets users through YouTube videos. These videos offer pirated software but are in fact being used to distribute malware, specifically Lumma Stealer.
YouTube Videos Promoting Malware
In a concerning development, researchers have identified a new threat that targets people looking for free software via YouTube videos. The videos look harmless and offer cracked versions of popular software, but the download they point to delivers a potent malware known as Lumma Stealer.
Despite being published some time ago, the video keeps gaining popularity. According to the researchers, the file offered in the video as a cracked program is periodically updated, which means the attackers may have started spreading malicious payloads only after the video became popular. This approach also makes it possible to spread effectively any malware, with Lumma merely being the first.
The Attack Chain
The attack begins innocently enough, with users searching for cracked versions of popular software such as Vegas Pro. A link in the video description leads to a bogus installer hosted on a file-sharing service like MediaFire. The real danger lies inside: once unpacked, the ZIP archive contains a Windows shortcut masquerading as a setup file.
In fact, the “setup” file is a .lnk shortcut that runs a PowerShell script. From there the chain follows a familiar pattern: the script downloads the payload from a GitHub repository and runs it. GitHub is chosen as the hosting location with firewall circumvention in mind, since downloads from a legitimate service are rarely blocked.
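As an added example (not code from the original report), the Python script below triages a downloaded archive for the lure pattern described above: a Windows shortcut named like an installer whose contents reference PowerShell. The sample archive is constructed inside the script, and the shortcut check is a header-magic-plus-string heuristic, not a full .lnk parser.

```python
import io
import re
import zipfile

# First 8 bytes of a ShellLinkHeader: HeaderSize 0x4C followed by the start of the LinkCLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"
# Names a cracked-software lure typically gives the shortcut so it looks like an installer.
INSTALLER_NAMES = re.compile(r"^(setup|install|installer|crack|keygen)", re.I)
# Tokens that indicate the shortcut launches PowerShell or performs a download.
PS_PATTERN = re.compile(r"powershell|pwsh|invoke-webrequest|downloadstring|iex", re.I)


def is_shortcut(data: bytes) -> bool:
    """True if the file starts with the Shell Link header, whatever its extension says."""
    return data[:8] == LNK_MAGIC


def powershell_indicators(data: bytes) -> list[str]:
    """Collect PowerShell-related tokens from the file's UTF-16LE and single-byte text."""
    text = data.decode("utf-16-le", errors="ignore") + data.decode("latin-1")
    return sorted({m.lower() for m in PS_PATTERN.findall(text)})


def triage_archive(blob: bytes) -> list[dict]:
    """Report every shortcut inside a ZIP, noting installer-like names and PowerShell use."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            data = zf.read(info)
            # Explorer hides the .lnk extension, so "Setup.lnk" is shown to the user as "Setup".
            if not (name.lower().endswith(".lnk") or is_shortcut(data)):
                continue
            stem = name.rsplit(".", 1)[0]
            findings.append({
                "entry": info.filename,
                "masquerades_as_installer": bool(INSTALLER_NAMES.match(stem)),
                "powershell_indicators": powershell_indicators(data),
            })
    return findings


def build_sample() -> bytes:
    """Constructed sample: a fake shortcut that launches PowerShell, plus a benign readme."""
    fake_lnk = LNK_MAGIC + bytes(0x4C - 8)  # pad to the 76-byte header size
    fake_lnk += "powershell.exe -File loader.ps1".encode("utf-16-le")  # placeholder arguments
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VegasPro/Setup.lnk", fake_lnk)
        zf.writestr("VegasPro/readme.txt", "Enjoy!")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```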
What is Lumma Stealer?
Lumma Stealer is an information-stealing malware written in C. It has been sold on Russian-speaking forums since August 2022 under a Malware-as-a-Service (MaaS) model. The threat actor behind this malware is believed to be “Shamel”, who operates under the alias “Lumma”. The primary targets of Lumma Stealer are cryptocurrency wallets and two-factor authentication (2FA) browser extensions.
Once the malware infiltrates the victim’s machine, it steals sensitive information and exfiltrates it to a C2 server via HTTP POST requests, using the user agent “TeslaBrowser/5.5”. Along with these features, the malware also has a non-resident loader capable of delivering additional payloads as EXE, DLL, or PowerShell.
Lumma Stealer has a starting price of $250 per month on underground forums. The cheapest plan lets users view and upload logs and use the log analysis tools. The most expensive plan costs US$20,000 and gives buyers access to the source code, along with the right to resell the infostealer.
How to stay protected?
First, we recommend refraining from downloading and using pirated software, whether it comes from torrents or any other source. It is illegal for home users and especially for corporations, and the risks are described above. Still, you can enhance your protection against malware like Lumma Stealer by following these tips:
- Avoid shady software distribution websites. Regardless of what kind of software they spread, the chance of getting infected by using one is noticeably higher. Seek a more reliable source; it will save you both time and money. To verify whether a site is legitimate and trustworthy, consider using GridinSoft Free Online Virus Checker.
- Don’t click on suspicious links. As with the previous advice, be cautious with links, especially in emails, social media messages, or websites. Cybercriminals often rely on human curiosity to spread malware.
- Use anti-malware protection. Run a reliable anti-malware program and ensure it is always up to date, so it can detect threats before they harm your system. GridinSoft Anti-Malware is a security solution you can rely on.