Hackers Hijacking Popular YouTube Channels To Deliver Malware

admin by admin
Apr 9, 2024
in News

Hackers frequently target popular YouTube channels because of their large audiences, which can be exploited for several purposes.

Hijacking such a channel can be highly lucrative, whether by demanding a ransom from the owner or by collecting the illegitimate advertising revenue it earns.

Popular channels are also effective vehicles for distributing malware and propaganda.

Cybersecurity researchers at ASEC recently discovered that hackers have been actively targeting and hijacking popular YouTube channels to deliver infostealer malware.

Malware uploaded by a YouTube account with more than 800,000 subscribers (Source – ASEC)

Hackers Hijacking Popular YouTube Channels

Much malware distribution relies on the abuse of web services: deceptive websites offer what appear to be legitimate applications, game cheats, cracks, and keygens, but the downloads are in fact malware.

These sites exploit users’ trust, leading them to unknowingly download and run malicious software.

YouTube is also used for this purpose, with threat actors placing malware download links in videos, descriptions, and comments.

Since 2020, YouTube has served as a distribution channel for infostealers such as RedLine, BlackGuard and RecordBreaker.

In the latest campaign, the attackers chose channels with large subscriber counts, spanning entertainment to niche interests, which escalated the scale of their attacks.

Targeted YouTube channels (Source – ASEC)

The attackers typically upload videos advertising cracked versions of genuine programs such as Adobe products, with the download links placed in the video descriptions or comments.

The malware payloads are hosted on MediaFire as password-protected archives to evade detection.

Once decompressed, the archives contain malware such as Vidar disguised in legitimate-looking form.

Innocuous-looking installers such as “Set-up.exe” load modified malware components, including “msedge_elf.dll”, when launched.

The loader uses encrypted files such as “berley.asp” and “complot.ppt” as its payloads. The decrypted malware is often padded into bogus files of up to 800 MB, a size chosen to hinder scanning by security products.
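As an added, defender-side example that is not part of the ASEC report or this article: a Python script that measures how much of a binary is low-entropy filler, the telltale of an installer inflated to hundreds of megabytes to slip past file-size scanning limits. The thresholds and the constructed sample files are assumptions made for this example.

```python
import io
import math
import random
import sys
from collections import Counter

# Thresholds are assumptions for this example, not values from the ASEC report.
CHUNK = 4096          # examine the file in 4 KiB chunks, from the end backwards
LOW_ENTROPY = 1.0     # bits/byte; real code and packed data run far above this
PAD_RATIO = 0.5       # flag when at least half of the file is low-entropy filler

def chunk_entropy(data: bytes) -> float:
    """Shannon entropy of one chunk in bits per byte (0.0 for uniform filler)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def padding_report(fh) -> dict:
    """Walk a seekable binary file backwards chunk by chunk and measure the
    low-entropy tail, so an 800 MB file is never read into memory at once."""
    fh.seek(0, io.SEEK_END)
    size = pos = fh.tell()
    while pos > 0:
        start = max(0, pos - CHUNK)
        fh.seek(start)
        if chunk_entropy(fh.read(pos - start)) > LOW_ENTROPY:
            break                      # reached real content, stop measuring
        pos = start
    padding = size - pos
    ratio = padding / size if size else 0.0
    return {"size": size, "padding_bytes": padding,
            "padding_ratio": round(ratio, 3), "suspicious": ratio >= PAD_RATIO}

def scan_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (used by the constructed samples)."""
    return padding_report(io.BytesIO(data))

def sample_installer(inflated: bool) -> bytes:
    """Constructed sample, not a real malware file: 64 KiB of deterministic
    pseudo-random bytes standing in for code, plus 1 MiB of zero filler when
    inflated=True to mimic a padded installer."""
    rng = random.Random(1234)
    body = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return body + (b"\x00" * (1024 * 1024) if inflated else b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:              # scan real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, padding_report(fh))
    else:                              # otherwise demonstrate on the samples
        for flag in (False, True):
            print("inflated" if flag else "plain", scan_bytes(sample_installer(flag)))
```

Padding made of repeated non-zero bytes or short repeating patterns also scores near zero entropy, so the check is not limited to null-byte filler; compressed or encrypted tails are the false-negative case.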

Additionally, the shared C&C server addresses and the common abuse of platforms like Telegram and Steam Community indicate that the activities are organized by a single actor.

Vidar Abusing Telegram and Steam (Source – ASEC)

Other installers contain the LummaC2 malware and otherwise show no notable differences from the Vidar cases.

LummaC2, an infostealer like Vidar, Azorult, RedLine, and AgentTesla, steals credentials, cryptocurrency wallets, and screenshots. 

Installers containing LummaC2 malware (Source – ASEC)

It is actively distributed as cracked software. Recently, threat actors hijacked popular YouTube channels to distribute Vidar and LummaC2 malware disguised as pirated applications, reaching over 800,000 subscribers.

These infostealers collect user data and can install additional malware. Users should avoid illegal programs and suspicious sites or P2P networks, and use genuine software.

It is also recommended that AhnLab’s V3 antivirus be kept up to date to prevent malware infections.
