{"id":18888,"date":"2024-01-09T18:02:55","date_gmt":"2024-01-09T18:02:55","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=18888"},"modified":"2024-04-15T17:01:13","modified_gmt":"2024-04-15T17:01:13","slug":"youtube-videos-cracks-lumma-stealer","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/youtube-videos-cracks-lumma-stealer\/","title":{"rendered":"YouTube Videos Promote Software Cracks With Lumma Stealer"},"content":{"rendered":"

Researchers have discovered a cybersecurity threat that targets users through YouTube videos. These videos offer pirated software but are being used to distribute malware<\/strong>, specifically Lumma stealer.<\/p>\n

YouTube Videos Promoting Malware<\/h2>\n

Concerning a development in the cybersecurity world, researchers have identified a new threat<\/a> targeting freeloaders via YouTube videos. These videos are seemingly harmless and offer cracked versions of popular software<\/strong>. But as it turns out, these videos distribute a potent malware<\/strong> known as Lumma Stealer.<\/p>\n

\"Video
Video offering to download hacked Sony Vegas<\/figcaption><\/figure>\n

Besides being published some time ago, the video keeps gaining popularity. As researchers say, the file offered on the video as a cracked program<\/a> is getting updated, meaning that hackers could have started spreading malicious payloads only after the video became popular<\/strong>. Also, such an approach opens the ability to spread effectively any malware, with Lumma being a firstling.<\/p>\n

The Attack Chain<\/h2>\n

The attack begins innocently, with users searching for cracked versions of popular software<\/a> like Vegas Pro. A link in the video description tempts the user, leading to a bogus installer<\/strong> hosted on a service like MediaFire. But the real danger lies within. The unpacked ZIP installer contains a Windows shortcut masquerading as a setup file<\/strong>.<\/p>\n

In fact, the \u201csetup\u201d is a .lnk file that runs a PowerShell script<\/a>. Then, things happen as in the textbook: the script downloads and runs the payload from a GitHub repository<\/strong>. The latter is chosen as a source for malware with firewall circumvention in mind.<\/p>\n

\"Illustrative
Illustrative diagram of the attack process<\/figcaption><\/figure>\n

What is Lumma Stealer?<\/h2>\n

Lumma Stealer<\/a> is an information-stealing malware written in C language. It has been available on Russian-speaking forums since August 2022 through a Malware-as-a-Service (MaaS) model<\/strong>. The threat actor behind this malware is believed to be “Shamel”, who operates under the alias “Lumma”. The primary targets of Lumma Stealer are cryptocurrency wallets and two-factor authentication (2FA) browser extensions<\/strong>.<\/p>\n

Once the malware infiltrates the victim’s machine, it steals sensitive information. It exfiltrates it to a C2 server via HTTP POST requests using the user agent “TeslaBrowser\/5.5”<\/strong>. Along with these features, the malware also has a non-resident loader capable of delivering additional payloads through EXE, DLL, and PowerShell<\/strong>.<\/p>\n

The Lumma Stealer has a starting price of $250 per month<\/strong> on underground forums. The lowest plan allows users to view and upload logs and access log analysis tools. On the other hand, the most expensive plan costs US$20,000 and gives users access to the source code<\/strong>. It also grants them the right to sell the infostealer.<\/p>\n

How to stay protected?<\/h2>\n

First, we recommend that you refrain from downloading and using pirated software. This applies both to downloading from torrents<\/a> and other sources. It is illegal for both home users and especially corporations<\/strong> and the risks \u2013 well, you may see them above. Still, you can enhance your protection against malware like Lumma Stealer by following tips:<\/p>\n