Hackers are once again using YouTube to trick people into downloading infostealers and other malware, experts warn.
This time, researchers from Fortinet FortiGuard Labs have found a new campaign spreading the Lumma stealer. According to the report, researcher Cara Lin discovered multiple YouTube videos demonstrating how to install cracked commercial software such as Vegas Pro. The videos are fake, and their descriptions contain a shortened URL (usually via TinyURL or Cuttly) that claims to offer the software featured in the video for free.
However, those who download and run the software will only get a variant of the Lumma infostealer, a known piece of malware that can obtain passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Lumma is offered as a service, for a subscription price ranging between $250 and $1,000.
Breathing new life into cookies
In their November analysis, researchers at Outpost24 found that Lumma's fourth version comes with a number of new evasion techniques, allowing it to operate alongside most antivirus or endpoint protection services. These techniques include control flow flattening, detection of human mouse activity (an anti-sandbox check), XOR-encoded strings, support for dynamic configuration files, and enforced use of a crypter on all builds.
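XOR-encoded strings are one of the cheapest evasion tricks on that list, and recovering them is routine analyst work: a single-byte XOR key can be brute-forced by trying all 256 values and scoring the output for readable text. The following script is an added illustration of that analysis step, not code from Fortinet, Outpost24, or the Lumma authors; the encoded blob it operates on is constructed here for the example, and the keyword list used for scoring is an assumption.

```python
import re

# Constructed sample: a small "config-like" blob a stealer might embed,
# XOR-encoded with a single-byte key. Built here for the example only;
# it is not taken from any real Lumma sample.
_SAMPLE_KEY = 0x5A
_SAMPLE_PLAIN = (
    b"Login Data\x00"
    b"Cookies\x00"
    b"wallet.dat\x00"
    b"https://example.invalid/c2\x00"
)
SAMPLE_BLOB = bytes(b ^ _SAMPLE_KEY for b in _SAMPLE_PLAIN)

# Assumed list of terms that make a decoded string interesting to an analyst.
INTERESTING = ("http", "cookie", "login", "wallet", ".exe", "password")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def score_candidate(strings: list) -> int:
    """Score a decoding: total printable length plus a bonus per keyword hit."""
    score = sum(len(s) for s in strings)
    for s in strings:
        low = s.lower()
        score += 20 * sum(1 for k in INTERESTING if k in low)
    return score


def brute_force_xor(blob: bytes, min_len: int = 4, top: int = 3) -> list:
    """Try all 256 single-byte keys; return the best (score, key, strings) tuples."""
    results = []
    for key in range(256):
        strs = printable_strings(xor_bytes(blob, key), min_len)
        if strs:
            results.append((score_candidate(strs), key, strs))
    results.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return results[:top]


if __name__ == "__main__":
    for score, key, strs in brute_force_xor(SAMPLE_BLOB):
        print(f"key=0x{key:02x} score={score} strings={strs}")
```

Real samples often use longer, rolling keys, but the same scoring approach extends to them; the point for defenders is that encoded strings are a speed bump for static signatures, not a barrier to extracting indicators such as targeted browser databases and command-and-control hosts.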
Furthermore, it was recently observed that Lumma was able to recover expired Google cookies, which could then be used to access the victim’s Google account. Lumma’s developers further explained that each session cookie cannot be used more than twice, meaning it can only be recovered once. However, that is more than enough to launch a devastating attack on any organization.
Google responded quickly, but as soon as news of the fix broke, Lumma released a new version that bypassed Google's "newly introduced" restrictions. So it is safe to assume there is an ongoing back and forth between Google and Lumma at the moment.
Via The Hacker News