Threat actors are increasingly leveraging YouTube to distribute information stealer malware (infostealers) by hijacking legitimate channels as well as using their own video channels.
In a new report, the AhnLab Security Intelligence Center (ASEC) found a growing number of cases in which malicious actors steal well-known YouTube channels and repurpose them to distribute infostealers like Vidar and LummaC2.
In one of the cases, the targeted channel had more than 800,000 subscribers.
Shifting to Target Legitimate YouTube Channels
Threat actors have long used YouTube for infostealer distribution purposes. Typically, they create a new, seemingly legitimate channel and attach malware download links to their videos.
However, this method has not proved very efficient since these channels usually fail to attract many subscribers.
In May 2023, threat actors used a more effective method to distribute the RecordBreaker stealer by uploading and distributing malware through a channel with more than 100,000 subscribers.
“Recently, there are more and more attack cases using this method. The targeted YouTube channels ranged from singers and influencers to channels related to sports, religions, and animations,” ASEC researchers noted.
Leveraging Legitimate Software Cracking Channels
In all cases discovered by ASEC, a download link was added in the description or the comment section of a video about the cracked version of a normal program such as Adobe.
The malware files are uploaded to MediaFire and compressed with password protection, a step taken by the threat actors to evade detection by security solutions.
When the compressed files are decompressed, malware strains disguised as installers are found.
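The delivery pattern just described (a password-protected archive whose contents are executables posing as installers) can be triaged mechanically before anything is run. The following Python script is an added example, not code from ASEC or from the report; it assumes ZIP archives, builds its own constructed samples in memory (the "Adobe_Setup_Crack.exe" and "installer.exe" names are invented lures, not indicators from the report), and flags two traits: the ZIP encryption bit, which is what keeps security tools from inspecting the payload, and entries that carry a Windows PE (MZ) header or installer-like names.

```python
"""Triage helper for archives fetched from video-description download links.

Added example (not ASEC's or the report's code). Flags the two delivery traits
the report describes: a password-protected archive and extracted entries that
claim to be installers or carry a Windows PE header. Samples are constructed
inline; nothing is fetched from the network.
"""
import io
import zipfile

# General-purpose bit 0 of a ZIP entry: the entry is encrypted.
ZIP_ENCRYPTED_FLAG = 0x0001
# Name fragments typical of "cracked installer" lures (heuristic, assumed).
INSTALLER_HINTS = ("setup", "install", "crack", "keygen", "activator")
EXEC_EXTENSIONS = (".exe", ".msi", ".scr", ".com", ".bat", ".cmd")


def archive_is_password_protected(data: bytes) -> bool:
    """True if any entry in the ZIP has the encryption flag set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist())


def looks_like_pe(head: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def triage_archive(data: bytes) -> dict:
    """Return findings for one downloaded archive.

    password_protected: encryption flag present on any entry
    suspicious_entries: names with executable extensions or installer hints
    pe_entries: readable (unencrypted) entries whose bytes start with MZ
    """
    findings = {"password_protected": False, "suspicious_entries": [], "pe_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename.lower()
            encrypted = bool(zi.flag_bits & ZIP_ENCRYPTED_FLAG)
            if encrypted:
                findings["password_protected"] = True
            if name.endswith(EXEC_EXTENSIONS) or any(h in name for h in INSTALLER_HINTS):
                findings["suspicious_entries"].append(zi.filename)
            # Only peek inside entries that can be read without a password.
            if not encrypted and not zi.is_dir():
                with zf.open(zi) as fh:
                    if looks_like_pe(fh.read(2)):
                        findings["pe_entries"].append(zi.filename)
    return findings


def verdict(data: bytes) -> str:
    """Map findings to a simple action for a download gateway or sandbox queue."""
    f = triage_archive(data)
    if f["password_protected"] and f["suspicious_entries"]:
        return "block"    # matches the report's delivery pattern exactly
    if f["pe_entries"] or f["suspicious_entries"]:
        return "review"   # unencrypted executable: detonate before use
    return "allow"


def _build_zip(entries: dict) -> bytes:
    """Constructed sample builder: stored (uncompressed) ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set the encryption bit on every local (offset 6) and central (offset 8)
    header. Python's zipfile cannot write encrypted archives, so the constructed
    sample gets the flag patched in directly; the payload itself is untouched."""
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= ZIP_ENCRYPTED_FLAG
            pos = out.find(sig, pos + 4)
    return bytes(out)


# Constructed samples (not real malware): a benign archive, a lure shaped like
# the report's description, and the same lure without password protection.
BENIGN_ARCHIVE = _build_zip({"readme.txt": b"release notes\n"})
LURE_ARCHIVE = _mark_encrypted(_build_zip({"Adobe_Setup_Crack.exe": b"MZ" + b"\x00" * 62}))
UNENCRYPTED_LURE = _build_zip({"installer.exe": b"MZ" + b"\x00" * 62})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ARCHIVE), ("lure", LURE_ARCHIVE)):
        print(label, verdict(blob), triage_archive(blob))
```

The script never extracts or runs anything; it reads only the ZIP headers and the first two bytes of readable entries, so it is safe to put in front of a download gateway or a sandbox intake queue. In production the file-hosting domain of the link (MediaFire in the report) would be a third signal to combine with these two.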
Vidar and LummaC2 Distribution
Threat actors were distributing two different infostealers, Vidar and LummaC2, in the cases analyzed by ASEC.
Vidar is an infostealer that first appeared in 2018 as a fork of the Arkei malware. It was recently used in the November 2023 social engineering campaign targeting Booking.com.
LummaC2 is a more recent infostealer, first discovered in 2022. Lumma typically targets two-factor authentication (2FA) and multifactor authentication (MFA) by stealing codes from apps like Authy. In November 2023, it was reported that Lumma evolved to integrate new anti-sandbox features.
These malware strains collect and steal various user information stored within infected systems and can download and install additional malware.
Infostealers like Vidar and Lumma are usually developed by one specific threat actor and then made available to the entire cybercrime community so that other threat actors can use them, a model known as malware-as-a-service (MaaS).