CyberSecurityBoard
Sponsor Register Login

Deceptive Cracked Software Spreads Lumma Variant on YouTube

FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant.
These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly.
NET loader responsible for fetching the final malware, Lumma Stealer.
Lumma Stealer targets sensitive information, including user credentials, system details, browser data, and extensions.
Figure 1 shows Lumma Stealer's C2 server telemetry, illustrating a global presence with a peak observed in December.
Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors malicious content for the next stage of the attack.
The videos were uploaded earlier this year, but the files on the file-sharing site receive regular updates, and the number of downloads keeps growing.
Figure 9 illustrates a portion of the code and the newly generated process.
Figure 10 shows the partial PowerShell code from the private.
The script encodes the server IP address in Base64 and encompasses four servers.
Figure 11 shows captured traffic downloaded from the first server, 176[.]113[.
After receiving the data, the script decrypts it using AES CBC, followed by GZip decompression to obtain the DLL file for the next stage.
It employs several PNG files in the Resources section to decipher the ultimate payload of Lumma Stealer.
Figure 14 demonstrates the function of decoding the target text with a predefined key string.
It then attempts to locate wine get unix file name to determine if Wine is being used in an analysis environment.
Lumma stealer is a type of malware that can steal sensitive information from a user's computer.
The malware establishes communication with a command and control server, facilitating the exchange of instructions and transmitting pilfered data.
Figure 16 shows the method to contact a command and control server.
In this attack, the malicious actor targets YouTube channels to disseminate Lumma Stealer.
The crafted installation ZIP file serves as an effective bait to deliver the payload, exploiting the user's intention to install the application and prompting them to click the installation file without hesitation.


This Cyber News was published on feeds.fortinet.com. Publication date: Mon, 08 Jan 2024 16:43:05 +0000


Cyber News related to Deceptive Cracked Software Spreads Lumma Variant on YouTube

CVE-2021-41769 - A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD89 devices (CPU variant CP300) (All versions < ...
2 years ago
Deceptive Cracked Software Spreads Lumma Variant on YouTube - FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and ...
5 months ago Feeds.fortinet.com
Tax Season Alert: Common scams and cracked software - OpenText is committed to providing you with the latest intelligence and tips to safeguard your digital life, especially during high-risk periods like tax season. Our threat analysts are constantly monitor the ebb and flow of various threats. One ...
4 months ago Webroot.com
Beware Weaponized YouTube Channels Spreading Lumma Stealer - Attackers have been spreading a variant of the Lumma Stealer via YouTube channels that feature content related to cracking popular applications, eluding Web filters by using open source platforms like GitHub and MediaFire instead of proprietary ...
5 months ago Darkreading.com
Addressing Deceptive AI: OpenAI Rival Anthropic Uncovers Difficulties in Correction - There is a possibility that artificial intelligence models can be trained to deceive. According to a new research led by Google-backed AI startup Anthropic, if a model exhibits deceptive behaviour, standard techniques cannot remove the deception and ...
5 months ago Cysecurity.news
Beware! Hackers Use YouTube Channels Deliver Lumma Malware - Hackers use YouTube channels to deliver malware due to the huge user base of the platform. By using YouTube channels, hackers disguise their malicious content as:-. The popularity of YouTube also gives the threat actors the ability to evade general ...
5 months ago Gbhackers.com
Lumma malware can allegedly restore expired Google auth cookies - The Lumma information-stealer malware is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Session cookies are specific web cookies used to allow a browsing ...
7 months ago Bleepingcomputer.com
YouTube Not Working on iPhone? Here's How to Fix It - If the YouTube app on your iPhone is crashing or will not open, there are various fixes you can try, such as force quitting the app, rebooting your device, and updating its version. Restarting your device provides a fresh start and can address minor ...
5 months ago Hackercombat.com
ESET Threat Report: ChatGPT Name Abuses, Lumma Stealer Malware Increases, Android SpinOk SDK Spyware's Prevalence - Cybersecurity company ESET released its H2 2023 threat report, and we're highlighting three particularly interesting topics in it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK ...
6 months ago Techrepublic.com
Hijacked: How hacked YouTube channels spread scams and malware - As one of today's most popular social media platforms, YouTube is often in the crosshairs of cybercriminals who exploit it to peddle scams and distribute malware. Thefts of popular YouTube channels up the game further. By extending the reach of the ...
2 days ago Welivesecurity.com
Google to crack down on third-party YouTube apps that block ads - YouTube announced yesterday that third-party applications that block ads while watching YouTube videos violates its Terms of Service, and it will soon start taking action against the apps. Google exposes numerous APIs allowing developers to integrate ...
2 months ago Bleepingcomputer.com
Cracked macOS Software Laced with New Trojan Proxy Malware - Kaspersky recently uncovered the most recent Trojan Proxy malware campaign, revealing that the earliest submission of the payload on VirusTotal can be traced back to April 28, 2023. According to the latest research from cybersecurity researchers at ...
6 months ago Hackread.com
Latest Adblock update causes massive YouTube performance hit - Adblock and Adblock Plus users report performance issues on YouTube, initially blamed on Google but later determined to be an issue in the popular ad-blocking extension. Adblock and Adblock Plus are two ad blockers created by the same developer for ...
5 months ago Bleepingcomputer.com
Trojan Malware Hidden in Cracked macOS Software, Kaspersky Says - Newly discovered cracked applications being distributed by unauthorized websites are delivering Trojan-Proxy malware to macOS users who are looking for free or cheap versions of the software tools they want. The malware can be used by bad actors for ...
6 months ago Securityboulevard.com
What Is Software Piracy? - Software piracy has become a worldwide issue, with China, the United States and India being the top three offenders. In 2022, 6.2% of people worldwide visited software piracy websites. Software piracy doesn't require a hacker or skilled coder. Any ...
6 months ago Pandasecurity.com
macOS Malware Campaign Showcases Novel Delivery Technique - Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users. What makes the campaign different from numerous others that have employed a similar ...
5 months ago Darkreading.com
Cops dismantled LockBit before latest variant hit market The Register - Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals. As part of the daily LockBit leaks this week, Trend Micro's report on the group, ...
4 months ago Go.theregister.com
Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts - Session cookies are a special type of browser cookie that contains authentication information, allowing a person to automatically log in to websites and services without entering their credentials. These types of cookies are meant to have a limited ...
6 months ago Bleepingcomputer.com
The Crucial Need for a Secure Software Development Lifecycle in Today's Digital Landscape - In today's increasingly digital world, software is the backbone of business operations, from customer-facing applications to internal processes. The rapid growth of software development has also made organizations more vulnerable to security threats. ...
5 months ago Cyberdefensemagazine.com
Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
5 months ago Cysecurity.news
YouTube stops recommending videos when signed out of Google - YouTube is no longer showing recommended videos to users logged out of a Google account or using Incognito mode, making people concerned they are being bullied into always being signed into the service. This change, which is now rolling out, shows a ...
3 months ago Bleepingcomputer.com
Cracked macOS apps drain wallets using scripts fetched from DNS records - Hackers are using a stealthy method to deliver to macOS users information-stealing malware through DNS records that hide malicious scripts. The campaign appears directed at users of macOS Ventura and later and relies on cracked applications ...
5 months ago Bleepingcomputer.com
Pro-China campaign targeted YouTube with AI avatars The Register - Think tank Australian Strategic Policy Institute last week published details of a campaign that spreads English language pro-China and anti-US narratives on YouTube. The campaign, which ASPI calls Shadow Play, includes 30 YouTube channels that have ...
6 months ago Go.theregister.com
CVE-2021-25668 - A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions < 5.5.1), SCALANCE X202-2P ...
2 years ago
CVE-2021-25669 - A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions < 5.5.1), SCALANCE X202-2P ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)