Skip to content

Hacked YouTube accounts are spreading info stealers to thousands

  • by
  • 3 min read

Cybercriminals are using YouTube to distribute infostealers such as Vidar Infostealer and LummaC2. They steal well-known YouTube channels with an established base of hundreds of thousands of followers, thereby posing a significant risk to millions of users globally.

We have reported multiple instances where threat actors have used YouTube as a medium of malware distribution aiming at gamers, individuals seeking a cracked version of the software or inflating view counts.

One of the hacked YouTube channels with more than 800,00 subscribers showcased the vast nature of these campaigns.

Researchers discovered that earlier, the threat actors used to create a YouTube account to lure victims into clicking on a malicious link and downloading the malware. However, this process may take quite a while as it takes time to establish a subscriber base.

So, these cybercriminals started hacking established YouTube channels and luring the subscriber base instead. This allowed the hackers to substantially increase the chances of getting clicks while devoting no time to growing the channel. Secondly, YouTube allows content creators to attach a downloadable link.

Hackers use these links to promote malware. To lure the victims, they use different baits such as cracked software, games, game hacks, keygens, and other things that usually are behind a paywall.

Source: ASEC

As the name suggests, information stealers are malware designed to steal critical information from a victim’s device. This information may include login, personal identification, or financial details.

Researchers discovered that both malware were uploaded on the Mediafire cloud server and are password protected. The malicious files were also compressed to evade detection. When researchers decompressed these files, they found traces of Vidar Infostealer and Lumma C2.

They also discovered that the files were enlarged to more than 800 MB when decompressed to evade detection by security software installed on the device.

Source: ASEC

In the case of Vidar Infostealer, the installer, typically named ‘Set-up.exe’ appears as Edge’s ‘identity-helper.exe’. Upon execution, it loads the ‘msedge_elf.dll’ file from the same directory, which is the modified malware. This patched malware decrypts files like ‘berley.asp’ and ‘complot.ppt’ in the directory, utilising them as payloads for shellcodes and malware.

LummaC2 Infostealer’s installers lack notable characteristics compared to Vidar. They typically masquerade as cracked versions of commercial software.

The information stealers communicate with the command and control server using platforms like Telegram and Steam Community. Each profile is assigned a specific address.

Researchers recommend users avoid downloads from suspicious sources and refrain from engaging in software piracy. Additionally, users can download a reputed antivirus software and scan their systems regularly.

In the News: Spotify unveils AI-driven playlist creation for personalised music

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>