January 9, 2024 at 10:41AM
Attackers are distributing Lumma Stealer through YouTube channels featuring cracked application tutorials, using open source platforms to bypass web filters. The malware targets sensitive user information and is spread through malicious URLs in YouTube descriptions. Fortinet researchers outlined the attack process and advised caution regarding application downloads to avoid malware exposure.
From the meeting notes, it is clear that attackers have been spreading a variant of the Lumma Stealer through YouTube channels that feature content related to cracking popular applications. They are eluding web filters by using open source platforms like GitHub and MediaFire to distribute the malware. Researchers at FortiGuard noted that the campaign is similar to an attack discovered last March that used AI to spread step-by-step tutorials for installing programs like Photoshop and Autodesk 3ds Max without a license.
The YouTube videos feature content related to cracked applications and contain malicious URLs often shortened using services like TinyURL and Cuttly. These links lead to the direct download of a new, private .NET loader responsible for fetching the final malware, Lumma Stealer.
Lumma Stealer targets sensitive information such as user credentials, system details, browser data, and extensions. It has been featured on the Dark Web and a Telegram channel since 2022, with more than a dozen command-and-control servers in the wild and multiple updates.
The attack starts with a hacker breaching a YouTube account and uploading videos purporting to share tips on cracked software, accompanied by descriptions with embedded malicious URLs. The videos invite users to download a .ZIP file that includes malicious content. The .ZIP file includes an .LNK file that calls PowerShell to download a .NET execution file via GitHub repositories, ultimately leading to the spread of Lumma as the final payload.
The .NET loader is obfuscated using SmartAssembly, a legitimate obfuscation tool. It launches the PowerShell process, which ultimately invokes a DLL file for the next stage of the attack, scanning its environment using various techniques to evade detection. Once launched, Lumma communicates with the command-and-control server and sets up a connection to send compressed stolen data back to attackers.
Fortinet included a list of indicators of compromise (IoCs) in the post and advised exercising caution regarding “unclear application sources.” They recommended ensuring applications come from reputable and secure origins and providing employees with basic cybersecurity training to promote situational awareness about the current threat landscape.
In summary, the Lumma Stealer attack involves the spreading of malware through YouTube channels featuring content related to cracked applications, leading users to download a .ZIP file that includes malicious content. It is important to exercise caution when downloading applications and provide basic cybersecurity training to employees to avoid downloading malicious files.