YouTube videos have been used as a channel to distribute the Lumma Stealer malware, which specifically targets cryptocurrency wallets and browser extensions in order to steal valuable data. Fortinet, a cybersecurity firm based in California, recently reported the finding.
The researchers behind the report explain that the attackers compromise a YouTube account and use it to upload bogus videos featuring installation guides for cracked software. The descriptions accompanying these videos contain a malicious link, which entices users to download a ZIP file.
Additionally, to avoid being blocked by simple web-filter blacklists, the attackers host their payloads on open-source platforms such as GitHub and MediaFire rather than setting up their own malicious servers. Likewise, services such as TinyURL and Cuttly are often used to shorten the URLs. When users click the provided links, they are directed to download a new private .NET loader that is responsible for delivering the Lumma Stealer malware.
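The delivery chain described above (cracked-software lure in a video description, a shortened link, a public file host, a ZIP download) is a pattern a SOC can triage automatically. The following Python is an added example written for this article, not code from Fortinet or from the report; the video descriptions, the scoring weights and the offline shortener-resolution map are constructed for the demonstration, and the `triage` threshold is an assumption a real deployment would tune.

```python
import re
from urllib.parse import urlparse

# Domains named in the report as abused in this campaign (constructed list,
# extend with your own threat intel).
SHORTENER_DOMAINS = {"tinyurl.com", "cutt.ly"}
FILE_HOST_DOMAINS = {"github.com", "raw.githubusercontent.com", "mediafire.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
CRACK_KEYWORDS = ("crack", "cracked", "keygen", "free download", "activator")

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")


def extract_urls(text):
    """Pull every http(s) URL out of free text such as a video description."""
    return URL_RE.findall(text)


def classify_url(url):
    """Label a single URL: shortener? public file host? points at an archive?"""
    parsed = urlparse(url.lower())
    host = parsed.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    # MediaFire-style links end in "/file", so check every path segment,
    # not just the last one, for an archive extension.
    segments = parsed.path.split("/")
    return {
        "url": url,
        "host": host,
        "shortener": host in SHORTENER_DOMAINS,
        "file_host": host in FILE_HOST_DOMAINS,
        "archive": any(seg.endswith(ARCHIVE_EXTENSIONS) for seg in segments),
    }


# Offline stand-in for expanding a shortened link. In production you would
# issue a HEAD request and follow redirects; here a constructed map keeps the
# example runnable without network access.
FAKE_RESOLVER = {
    "https://cutt.ly/xyz123":
        "https://github.com/example-user/example-repo/releases/download/v1/installer.zip",
}


def score_description(text, resolver=None):
    """Return (score, reasons); higher means a closer match to the lure pattern."""
    lowered = text.lower()
    score, reasons = 0, []
    if any(k in lowered for k in CRACK_KEYWORDS):
        score += 1
        reasons.append("cracked-software lure wording")
    for url in extract_urls(text):
        candidates = [url]
        if resolver and url in resolver:
            candidates.append(resolver[url])  # also judge the expanded target
        for info in map(classify_url, candidates):
            if info["shortener"]:
                score += 2
                reasons.append(f"URL shortener: {info['host']}")
            if info["file_host"]:
                score += 1
                reasons.append(f"public file host: {info['host']}")
            if info["archive"]:
                score += 2
                reasons.append(f"archive download: {info['url']}")
    return score, reasons


def triage(descriptions, threshold=3, resolver=None):
    """Map video id -> score for every description at or above the threshold."""
    flagged = {}
    for vid, text in descriptions.items():
        score, _ = score_description(text, resolver)
        if score >= threshold:
            flagged[vid] = score
    return flagged


# Constructed sample descriptions (not real videos).
SAMPLE_DESCRIPTIONS = {
    "vid-001": "Install Adobe Photoshop 2024 cracked for free! Download: "
               "https://cutt.ly/xyz123 (password: 1234)",
    "vid-002": "Full tutorial for setting up a home lab. Source code: "
               "https://github.com/example/homelab",
    "vid-003": "Free activator, get it here "
               "https://www.mediafire.com/file/abc123/setup.zip/file",
}

if __name__ == "__main__":
    for vid, text in SAMPLE_DESCRIPTIONS.items():
        score, reasons = score_description(text, FAKE_RESOLVER)
        print(vid, score, reasons)
    print("flagged:", triage(SAMPLE_DESCRIPTIONS, resolver=FAKE_RESOLVER))
```

The scoring deliberately weights the shortener and the archive download above the file host alone, because legitimate tutorials routinely link to GitHub (vid-002 scores 1 and is not flagged), whereas a shortened link that expands to an archive on a public host is exactly the chain the report describes.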
This malware, previously referred to as LummaC2 Stealer, operates on a subscription-based model and is capable of harvesting sensitive information from the victim's device.
Its primary focus is on cryptocurrency wallets and two-factor authentication (2FA) browser extensions, with the ultimate goal of stealing sensitive data from the device. Lumma Stealer is written in the C language and has been available through a malware-as-a-service (MaaS) model on underground forums and a Telegram channel since 2022. Its price ranges from $140 to $160 per month. The malware was developed by "Shamel," a threat actor who goes by the name "Lumma."