Attackers who hack YouTube accounts and spread infostealers (Vidar, LummaC2)

AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that the number of cases in which attackers use YouTube to distribute malware is increasing. Rather than simply creating new YouTube accounts, attackers are hijacking existing, well-known YouTube accounts and distributing malware through them. Among the confirmed cases, some hijacked accounts had more than 800,000 subscribers.

Figure 1. Malware uploaded from a YouTube account with over 800,000 subscribers.

Attackers who abuse YouTube mainly distribute infostealers. Starting with the RedLine infostealer case that abused YouTube in 2020, the recently confirmed cases, including Vidar and LummaC2, all involve infostealer malware.


1. Case of spreading malware using YouTube

There are various ways to spread malware, but the most representative is abusing web services. Users download programs that may be legitimate or illegal, such as game hacks, cracks, or keygens. The attacker creates a web page that appears to offer these programs and uploads malware in their place. As a result, users are infected by downloading and executing the malware instead of the program they wanted.

In addition to file sharing sites [1], web pages used to spread malware in this way include compromised sites [2] and blogs [3]. YouTube can also be used to spread malware, because download links can be placed not only in videos but also in descriptions and comments. Accordingly, attackers have been distributing infostealer malware such as RedLine [4], BlackGuard [5], and RecordBreaker [6] since 2020.

In the past, the number of subscribers was not large because attackers created their own YouTube accounts and uploaded videos, but in the 2023 RecordBreaker distribution case, it was confirmed that accounts with more than 100,000 subscribers were hacked and used for distribution. Recently, attacks using this method have been increasing, and accounts with more than 800,000 subscribers have been hacked. The targeted YouTube accounts are diverse, including those of singers and sports influencers and channels on religion and animation.

Figure 2. YouTube accounts targeted for attack


2. Malicious codes used in attacks

The attack methods are all similar: a video about cracking a legitimate program such as Adobe is uploaded, and a download link is attached in the description or comments. All malware is uploaded to MediaFire in the form of password-protected compressed files, which appears to be aimed at bypassing detection by security products. When the compressed file is unzipped, malware disguised as installation files is found.

Figure 3. Malicious code link in YouTube video text and comments


2.1. Vidar Infostealer

The following shows Vidar malware disguised as an installation file, using the same technique as a past case of LummaC2 infostealer distribution [7]. “Set-up.exe”, the file the user runs, is actually Edge’s legitimate “identity_helper.exe”. When it is executed, however, it loads the “msedge_elf.dll” file located in the same path, which is a patched version of the legitimate DLL. The malicious code patched into part of the legitimate “msedge_elf.dll” decrypts the “berley.asp” and “complot.ppt” files located in the same path at runtime and uses them as the shellcode and the payload of the actual malware.
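The companion files in this case carry document and script extensions (.asp, .ppt) but are actually encrypted shellcode and payload. The following triage check, added here as an example and not part of the original analysis, flags files whose content does not fit the extension they claim (missing file-type magic, or high entropy where text is expected); the directory listing, thresholds and file contents are constructed stand-ins, not the real samples.

```python
import math
from collections import Counter
from typing import Dict, List, Optional

# Magic bytes a genuine file of this type starts with (OLE2 for legacy .ppt, ZIP for .pptx).
EXPECTED_MAGIC = {".ppt": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"], ".pptx": [b"PK\x03\x04"]}
TEXT_EXTENSIONS = {".asp", ".txt", ".ini", ".log"}  # genuine files are mostly printable text
ENTROPY_THRESHOLD = 7.2  # bits per byte; encrypted or compressed data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_text(data: bytes) -> bool:
    sample = data[:4096]
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(sample), 1) > 0.95

def classify_companion(name: str, data: bytes) -> Optional[str]:
    """Return a finding when the content does not fit the extension the file claims."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in EXPECTED_MAGIC:
        if any(data.startswith(m) for m in EXPECTED_MAGIC[ext]):
            return None
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            return f"{name}: no {ext} magic, entropy {ent:.2f}; likely encrypted payload"
        return f"{name}: header does not match {ext}"
    if ext in TEXT_EXTENSIONS and not looks_like_text(data):
        return f"{name}: claims {ext} text, entropy {shannon_entropy(data):.2f}; likely encrypted payload"
    return None

def triage_directory(files: Dict[str, bytes]) -> List[str]:
    """Run the check over a dropped directory listing (file name -> content)."""
    return [f for f in (classify_companion(n, d) for n, d in sorted(files.items())) if f]

# Constructed stand-in for the unpacked archive; contents are synthetic, not the real samples.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLES = {
    "Set-up.exe": FAKE_PE,
    "msedge_elf.dll": FAKE_PE,
    "berley.asp": bytes(range(256)) * 8,  # uniform bytes, entropy 8.0: an encrypted blob
    "complot.ppt": bytes(range(256)) * 8,
    "readme.asp": b'<% Response.Write("ok") %>\r\n' * 20,  # genuine script text
    "notes.ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 500,  # genuine OLE2 header
}
```

Calling `triage_directory(SAMPLES)` reports only the two synthetic .asp/.ppt blobs; the genuine text and OLE2 files pass.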

Figure 4. Installation file containing Vidar malware

There are also cases distributed in a way similar to the past RecordBreaker infostealer distribution cases [8]. The characteristic of this method is that the file size is intentionally inflated to about 800 MB in order to bypass detection by security products. Of course, the intentionally added padding follows a fixed pattern, so the compressed file is much smaller than this. In the following example, the 800 MB “Setup.exe” shrinks to 8 MB after compression.
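Because padding with a repeating pattern compresses almost to nothing, the ratio between a file's size and its compressed size is a cheap signal for this inflation trick. The check below is an added example (not AhnLab's detection logic): it streams the file through zlib, compares the two sizes, and measures the trailing run of repeated bytes; the sample executables, thresholds and sizes are constructed and scaled down from the 800 MB case.

```python
import hashlib
import zlib
from typing import Dict

CHUNK = 1 << 20  # 1 MiB

def compressed_size(data: bytes, level: int = 6) -> int:
    """zlib-compressed size, streamed so a multi-hundred-MB file is not duplicated in memory."""
    comp = zlib.compressobj(level)
    view = memoryview(data)
    total = sum(len(comp.compress(view[i:i + CHUNK])) for i in range(0, len(view), CHUNK))
    return total + len(comp.flush())

def trailing_pad_length(data: bytes) -> int:
    """Length of the run of one repeated byte value at the end of the file (e.g. 0x00 padding)."""
    if not data:
        return 0
    i = len(data)
    while i > 0 and data[i - 1] == data[-1]:
        i -= 1
    return len(data) - i

def assess_inflation(data: bytes, min_size: int = 100 << 20,
                     ratio_threshold: float = 20.0) -> Dict[str, object]:
    """Flag a PE whose size is far larger than its compressed form, as with the 800 MB Setup.exe.
    min_size keeps ordinary executables out; ratio_threshold is conservative (800 MB -> 8 MB is 100x)."""
    result: Dict[str, object] = {"size": len(data), "flagged": False}
    if len(data) < min_size or not data.startswith(b"MZ"):
        return result
    csize = compressed_size(data)
    ratio = len(data) / max(csize, 1)
    result.update(compressed=csize, ratio=round(ratio, 1), trailing_pad=trailing_pad_length(data))
    result["flagged"] = ratio >= ratio_threshold
    return result

def pseudo_random(n: int) -> bytes:
    """Deterministic incompressible bytes standing in for real code and data (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))[:n]

# Constructed samples (not the real files): a 256 KiB "real" PE image and the same image
# padded with 8 MiB of zeros, mirroring the 800 MB -> 8 MB observation at a smaller scale.
REAL_PART = b"MZ" + pseudo_random(256 * 1024 - 2)
INFLATED = REAL_PART + b"\x00" * (8 << 20)

if __name__ == "__main__":
    # The samples are scaled down, so min_size is lowered to match them here.
    print(assess_inflation(INFLATED, min_size=200 * 1024))
    print(assess_inflation(REAL_PART, min_size=200 * 1024))
```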

Figure 5. Vidar malware with large size

The two distribution cases are presumed to be the work of the same attacker, because the C&C server address is the same. Vidar uses Telegram and Steam Community profiles to communicate with the C&C server: as shown below, the address of the actual C&C server is specified in each profile, and the malware reads it from there, connects to that server and exfiltrates the collected information.
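From the network side, this dead-drop pattern is visible as a process that is neither a browser nor the Steam or Telegram client fetching a Steam profile or t.me page and then, shortly afterwards, connecting directly to a bare IP address. The detection below is an added example, not AhnLab's or Vidar's code: the log format, the process allowlist, the 60-second window and all log lines are constructed, and the IP addresses come from the 203.0.113.0/24 documentation range.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# URL shapes used as dead-drop resolvers in the Vidar case: a Steam profile or a Telegram channel page.
DEAD_DROP_PATTERNS = [re.compile(r"^steamcommunity\.com/profiles/\d+"), re.compile(r"^t\.me/[A-Za-z0-9_]+")]
# Processes for which these hosts are normal traffic (assumed allowlist; tune for your environment).
LEGIT_CLIENTS = {"steam.exe", "steamwebhelper.exe", "chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FOLLOW_WINDOW = timedelta(seconds=60)

def parse_line(line: str):
    """Constructed log shape: '<ISO time> <process> <host> <port> <path>'."""
    ts, proc, host, port, path = line.split()
    return datetime.fromisoformat(ts), proc, host, int(port), path

def detect_dead_drop_resolvers(log_text: str) -> List[Dict[str, object]]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, (ts, proc, host, port, path) in enumerate(events):
        if proc.lower() in LEGIT_CLIENTS:
            continue
        if not any(p.match(host + path) for p in DEAD_DROP_PATTERNS):
            continue
        # A direct-to-IP connection by the same process shortly afterwards is the resolved C&C
        # (any port: the C&C need not sit on 443); it raises the finding from medium to high.
        follow = [e for e in events[i + 1:]
                  if e[1] == proc and e[0] - ts <= FOLLOW_WINDOW and BARE_IP.match(e[2])]
        findings.append({
            "process": proc, "dead_drop": host + path,
            "resolved_c2": f"{follow[0][2]}:{follow[0][3]}" if follow else None,
            "severity": "high" if follow else "medium",
        })
    return findings

# Constructed log lines (not real telemetry); profile id and channel name are placeholders.
SAMPLE_LOG = """\
2024-04-01T10:00:01 steam.exe steamcommunity.com 443 /profiles/00000000000000000
2024-04-01T10:00:05 Set-up.exe steamcommunity.com 443 /profiles/00000000000000000
2024-04-01T10:00:06 Set-up.exe t.me 443 /placeholder_channel
2024-04-01T10:00:09 Set-up.exe 203.0.113.10 443 /
2024-04-01T10:01:30 chrome.exe t.me 443 /placeholder_channel
2024-04-01T10:02:00 msedge.exe 203.0.113.20 443 /
2024-04-01T10:05:00 Update-setup.exe t.me 443 /placeholder_channel
"""

if __name__ == "__main__":
    for f in detect_dead_drop_resolvers(SAMPLE_LOG):
        print(f)
```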

Figure 6. Vidar abusing Telegram and Steam


2.2. LummaC2 Infostealer

The following are installation files containing LummaC2 malware. Compared to the Vidar case above, there are no special characteristics: the executable disguised as an installation file is itself the malware.

Figure 7. Installation file containing LummaC2 malware

LummaC2 is an infostealer that has been actively distributed recently, mainly disguised as cracks for commercial programs [9]. Like common infostealers such as Vidar, Azorult, RedLine, and AgentTesla, it steals account information from web browsers, email clients, and FTP clients, and also steals screenshots and cryptocurrency wallet files.


3. Conclusion

Recently, cases were confirmed in which attackers hacked famous YouTube accounts and distributed Vidar and LummaC2 malware. Both are infostealers that collect and exfiltrate various user information stored on the infected system, and they can also download and install additional malware.

The targeted accounts sometimes had more than 800,000 subscribers, so users installed the malware without much suspicion. Attackers commonly disguise the malware as cracks for commercial programs.

Since malware can be installed through various platforms, you should avoid downloading illegal programs, make it a habit to use genuine software, and refrain from using suspicious websites or P2P. Additionally, keep V3 updated to the latest version to prevent malware infection in advance.

File Diagnosis
– Trojan/Win.Evo-gen.C5558850 (2023.12.05.01)
– Malware/Win.Generic.R642292 (2024.03.30.01)
– Infostealer/Win.Vidar.R642530 (2024.04.01.02)
– Infostealer/Win.Vidar.C5603574 (2024.03.21.03)
– Data/BIN.Encoded (2024.04.01.02)

Behavioral Diagnosis
– Injection/MDP.Hollowing.M4180


Original Source : https://asec.ahnlab.com/ko/63697/


MITRE Techniques and Procedures:

T1566.002 – Phishing: Spearphishing Link: Attackers use spearphishing links in YouTube video descriptions or comments to direct victims to malicious downloads.

T1566.001 – Phishing: Spearphishing Attachment: Malicious files are distributed as attachments or downloads, masquerading as legitimate software cracks.

T1193 – Spearphishing Attachment: Attackers use spearphishing tactics to distribute infostealer malware through compromised YouTube accounts.

T1027 – Obfuscated Files or Information: Malware is distributed in password-protected compressed files to evade detection.

T1071 – Application Layer Protocol: Vidar infostealer utilizes Telegram and Steam Community for C&C communication.

T1552.001 – Unsecured Credentials: Credentials from Web Browsers: Infostealers target stored credentials in web browsers, emails, and FTP clients.

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Malware may establish persistence by adding entries to registry run keys or startup folders.

T1059 – Command and Scripting Interpreter: Malware may use scripting interpreters like PowerShell or WScript to execute malicious payloads.

T1082 – System Information Discovery: Infostealers may gather system information to tailor their attacks or assess the value of the compromised system.

T1056 – Input Capture: Infostealers may capture user input, such as keystrokes or clipboard data, to steal sensitive information.