Threat actors increasingly utilize YouTube to distribute information stealer malware (infostealers) by appropriating legitimate channels as well as using their own video channels.
In a new report, the AhnLab Security Intelligence Center (ASEC) found a growing number of cases in which malicious actors steal famous YouTube channels and repurpose them to distribute infostealers like Vidar and LummaC2.
In one of the cases, the targeted channel had more than 800,000 subscribers.
Shifting to Target Legitimate YouTube Channels
Threat actors have long used YouTube for infostealer distribution purposes. Typically, they create a new, seemingly legitimate channel and attach malware download links to their videos.
However, this method has not proved very efficient since these channels usually fail to attract many subscribers.
In May 2023, threat actors used a more effective method to distribute the RecordBreaker stealer by distributing it through a channel with more than 100,000 subscribers.
“Nowadays, there are more and more attack cases using this method. The targeted YouTube channels ranged from singers and influencers to channels related to sports, religions, and animations,” ASEC researchers noted.
Leveraging Legitimate Software Cracking Channels
In all cases discovered by ASEC, a download link was added in the description or the comment section of a video advertising a cracked version of a legitimate program such as Adobe software.
The malware files are uploaded to MediaFire and compressed with password protection, a step taken by the threat actors to evade detection by security solutions.
When the compressed files are decompressed, malware strains disguised as installers are found.
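The distribution chain described above (a file-host link and an advertised archive password in the description or comments, followed by a password-protected archive containing an executable named like an installer) can be turned into a triage check that works on metadata alone. The following Python is an added example, not code from ASEC or the report: the video description text, the archive contents, the executable extensions and the installer keyword list are all constructed for illustration, and the host list contains only MediaFire because that is the only host the report names.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Only MediaFire is named in the report; a real deployment would extend this
# with the file-hosting domains a team actually observes (assumed list).
FILE_HOST_DOMAINS = ("mediafire.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Matches "Password: 1234", "pass = abcd", "pw 1234" and similar (assumed pattern).
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*[:=]?\s*(\S+)", re.IGNORECASE)

EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".bat", ".cmd")          # assumed list
INSTALLER_WORDS = ("setup", "install", "crack", "keygen", "patch")  # assumed list
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general purpose bit flag


def is_file_host(url):
    """True when the URL's hostname is one of the watched file-hosting domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FILE_HOST_DOMAINS)


def flag_description(text):
    """Indicators in a video description or comment: a file-host link plus an
    advertised archive password. Both together are the pattern from the report."""
    links = [u for u in URL_RE.findall(text) if is_file_host(u)]
    pw = PASSWORD_RE.search(text)
    return {
        "file_host_links": links,
        "password_advertised": pw.group(1) if pw else None,
        "suspicious": bool(links) and pw is not None,
    }


def triage_archive(data):
    """Inspect ZIP central-directory metadata without extracting anything.
    Encrypted members cannot be content-scanned, so the encryption flag itself,
    combined with executable member names, is the signal a scanner can still use."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ZIP_FLAG_ENCRYPTED]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_EXT)]
    installer_like = [n for n in executables
                      if any(w in n.lower() for w in INSTALLER_WORDS)]
    if encrypted and executables:
        verdict = "suspicious"
    elif executables:
        verdict = "review"
    else:
        verdict = "no_indicators"
    return {
        "encrypted_members": encrypted,
        "executables": executables,
        "installer_like": installer_like,
        "verdict": verdict,
    }


def build_sample_archive(names, encrypted):
    """Constructed test input: a ZIP whose headers are marked encrypted.
    The member payloads are dummy bytes, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if encrypted:
        # The general purpose flag sits at offset 8 in a central directory
        # header (PK\x01\x02) and at offset 6 in a local file header (PK\x03\x04).
        for sig, off in ((b"PK\x01\x02", 8), (b"PK\x03\x04", 6)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ZIP_FLAG_ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed description text; EXAMPLE stands in for a real file id.
    description = ("Adobe Photoshop full version free download\n"
                   "Download: https://www.mediafire.com/file/EXAMPLE/Adobe_Setup.zip/file\n"
                   "Password: 1234")
    print(flag_description(description))
    print(triage_archive(build_sample_archive(["Setup.exe", "readme.txt"], True)))
```

The point of `triage_archive` is that password protection removes the archive contents from a scanner's view, so the check deliberately treats the encryption flag plus an executable member name as a finding rather than trying to look inside. In practice the description check would run over the text of the flagged channel's recent uploads and comments, and the archive check over anything fetched from the linked host before it reaches an endpoint.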
Vidar and LummaC2 Distribution
Threat actors were distributing two different infostealers, Vidar and LummaC2, in the cases analyzed by ASEC.
Vidar is an infostealer that first appeared in 2018 as a fork from the Arkei malware. It was recently used in the November 2023 social engineering campaign targeting Booking.com.
LummaC2 is a more recent infostealer, first discovered in 2022. Lumma typically targets two-factor authentication (2FA) and multifactor authentication (MFA) by stealing codes from apps like Authy. In November 2023, it was reported that Lumma evolved to integrate new anti-sandbox features.
These malware strains collect and steal various user information saved inside infected systems and can also download and install additional malware.
Infostealers like Vidar and Lumma are usually developed by one specific threat actor and then made available to the wider cybercrime community so that other threat actors can use them, a model called malware-as-a-service (MaaS).