Hackers are once again using YouTube to lure people into downloading infostealers and other malware, experts have warned.
This time around, researchers from Fortinet FortiGuard Labs found a new campaign looking to distribute the Lumma stealer. As per the report, researcher Cara Lin discovered multiple YouTube videos demonstrating how to install cracked commercial software, such as Vegas Pro. The videos are fake, and their descriptions contain a shortened URL (usually via TinyURL or Cuttly) claiming to offer the software from the video for free.
However, those who download and run the software will only get a variant of the Lumma infostealer, a known piece of malware capable of grabbing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription fee ranging between $250 and $1,000.
Reviving cookies
In its November analysis, researchers from Outpost24 found that Lumma’s fourth version comes with a number of new evasion techniques, allowing it to operate alongside most antivirus or endpoint protection services. These techniques include control flow flattening obfuscation, human mouse activity detection, XOR-encrypted strings, support for dynamic configuration files, and enforcement of crypto use on all builds.
Furthermore, Lumma was recently observed being able to restore expired Google cookies, which can then be used to access the victim’s Google account. Lumma’s developers further explained that every session cookie can be used no more than two times, meaning that it can only be restored once. That, however, is more than enough to mount a devastating attack against any organization.
Google was quick to respond: soon after news of the feature broke, Lumma released a new version that bypasses the “newly introduced” restrictions Google had put in place. So it’s safe to assume that right now, it’s a bit of a back-and-forth between Google and Lumma.
Via TheHackerNews