
Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results


Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, where threat actors pose as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, in which they place links to fake software downloads that lead to malware, the researchers revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors “often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult,” Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

Evasive & Anti-Detection Built Into the Campaign

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.


Though Trend Micro did not say whether the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and the advanced evasion tactics used, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating “the serious risks of exposing your personal information by unknowingly downloading fraudulent software,” the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.


Shades of a GitHub Campaign

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free “Adobe Lightroom Crack” and includes a comment with a link to the software downloader.

Upon accessing the link, a separate YouTube post opens that reveals the download link for the fake installer, which fetches the malicious file, containing infostealing malware, from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

“The entry contains a shortened link that redirects to the actual link,” the researchers wrote. “One assumption is that they use shortened links to prevent scraping sites from accessing the download link.”

The link prompts the user for the actual download link and the zip file’s password, presumably because “password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary,” they noted.
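The password-protected archives the researchers describe can be flagged before any sandbox run from ZIP metadata alone, since the encrypted bit lives in the unencrypted headers. As an added example, not code from the article or from Trend Micro, the following Python builds a constructed archive, marks its installer entry as encrypted, and shows a triage check that reads only the central directory; all file names and contents are placeholders.

```python
"""Triage check for ZIP archives a sandbox cannot open.
Constructed example (not from the Trend Micro report): builds a ZIP in
memory, optionally flags the installer entry as password-protected (bit 0
of the general-purpose flag), and reports encrypted/executable entries
from the central directory alone, with no password needed.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is encrypted
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".js")

def _set_encrypted_flag(data: bytearray, name: bytes) -> None:
    """Set the encrypted bit on `name` in local and central headers."""
    for sig, flag_off, len_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),   # local file header layout
        (b"PK\x01\x02", 8, 28, 46),   # central directory header layout
    ):
        pos = data.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", data, pos + len_off)[0]
            if data[pos + name_off:pos + name_off + nlen] == name:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)

def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed two-entry archive; the .exe may be flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample text")
        zf.writestr("Setup_Installer.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        _set_encrypted_flag(data, b"Setup_Installer.exe")
    return bytes(data)

def triage_zip(data: bytes) -> dict:
    """Report encrypted/executable entries; reads metadata only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXEC_SUFFIXES)]
    return {"encrypted_entries": encrypted,
            "executable_entries": executables,
            # Encrypted archive carrying an executable: hold for manual review.
            "quarantine": bool(encrypted) and bool(executables)}
```

The same metadata-only check works on a real download because the central directory of a password-protected ZIP is never encrypted, so a mail or download gateway can apply it without the password the attacker withholds.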

Source
