FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. Analysts found and reported on a similar attack method via YouTube in March 2023. These YouTube videos typically feature content related to cracked applications, present users with similar installation guides, and incorporate malicious URLs that are often shortened using services like TinyURL and Cuttly. To circumvent straightforward web filter blacklists, the attackers abuse open-source platforms like GitHub and MediaFire instead of deploying their own malicious servers. In this case, the shared links lead to the direct download of a new private .NET loader responsible for fetching the final malware, Lumma Stealer.[1]
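Because the hosting domains in this chain are legitimate platforms, a plain domain blacklist cannot catch it; the defensive signal is the sequence itself: a video-site visit, a URL-shortener hit, then a binary download from a public file host by the same client within a short window. The following Python script is an added example that illustrates that sequence-based detection over proxy logs; it is not code from the FortiGuard report or from this page. The domain lists, the log line format, the time window and the sample log lines are all constructed assumptions and would need tuning to real telemetry.

```python
"""Heuristic detection of the delivery chain described above over proxy logs:
video site -> URL shortener -> binary download from a public file host.
Added example (not from the FortiGuard report); all indicator lists are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed, illustrative indicator lists; tune to your own environment.
VIDEO_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}
SHORTENER_HOSTS = {"tinyurl.com", "cutt.ly"}
FILE_HOST_SUFFIXES = ("github.com", "githubusercontent.com", "mediafire.com")
BINARY_EXTENSIONS = (".exe", ".dll", ".zip", ".rar", ".7z")
BINARY_CTYPES = {"application/x-msdownload", "application/octet-stream",
                 "application/zip", "application/x-rar-compressed"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample proxy lines: "<iso-timestamp> <client> <method> <url> <content-type>"
SAMPLE_LOG = """\
2024-01-08T10:00:01 10.0.0.5 GET https://www.youtube.com/watch?v=vid123 text/html
2024-01-08T10:01:10 10.0.0.5 GET https://tinyurl.com/sample-link text/html
2024-01-08T10:01:12 10.0.0.5 GET https://github.com/example/repo/releases/download/v1/Setup.exe application/octet-stream
2024-01-08T10:02:00 10.0.0.7 GET https://raw.githubusercontent.com/example/repo/main/README.md text/plain
2024-01-08T10:05:00 10.0.0.9 GET https://cutt.ly/abc text/html
2024-01-08T10:40:00 10.0.0.9 GET https://download123.mediafire.com/file/Installer.zip application/zip
"""


def parse_line(line):
    """Parse one constructed proxy line into a dict of fields."""
    ts, client, method, url, ctype = line.split()
    parts = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "url": url,
        "ctype": ctype.lower(),
    }


def is_file_host(host):
    """True for the listed public file-hosting domains or any of their subdomains."""
    return any(host == s or host.endswith("." + s) for s in FILE_HOST_SUFFIXES)


def is_binary_download(ev):
    """Treat executable/archive extensions or binary content types as a payload fetch."""
    return ev["path"].lower().endswith(BINARY_EXTENSIONS) or ev["ctype"] in BINARY_CTYPES


def find_chains(log_text, window=WINDOW):
    """Return one alert per binary download from a file host that follows a
    URL-shortener hit by the same client within `window`. A video-site visit
    in the same window raises the confidence from 'medium' to 'high'."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)  # client -> [(timestamp, stage), ...]
    alerts = []
    for ev in events:
        c = ev["client"]
        # Drop earlier stages that fall outside the correlation window.
        recent[c] = [(t, s) for t, s in recent[c] if ev["ts"] - t <= window]
        if ev["host"] in VIDEO_HOSTS:
            recent[c].append((ev["ts"], "video"))
        elif ev["host"] in SHORTENER_HOSTS:
            recent[c].append((ev["ts"], "shortener"))
        elif is_file_host(ev["host"]) and is_binary_download(ev):
            stages = {s for _, s in recent[c]}
            if "shortener" in stages:
                alerts.append({
                    "client": c,
                    "time": ev["ts"].isoformat(),
                    "url": ev["url"],
                    "host": ev["host"],
                    "stages": sorted(stages | {"download"}),
                    "confidence": "high" if "video" in stages else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only client 10.0.0.5 produces an alert: the README fetch by 10.0.0.7 is not a binary, and 10.0.0.9's archive download comes 35 minutes after its shortener hit, outside the window. The point of the design is that none of the three hosts is blocked outright; the detection keys on the order and timing of otherwise benign requests, which is what the blacklist-evasion described above defeats.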
Link to full report: IR-24-008-001_LummaStealer.pdf
[1] https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube?lctg=141970831