Keypoints
- Attackers compromise YouTube accounts and post cracked-software videos containing shortened malicious links that point to ZIP files hosted on platforms like MediaFire and GitHub.
- The distributed ZIP (e.g., installer_Full_Version_V.1f2.zip) contains an LNK file that executes PowerShell to download a .NET executable from a GitHub raw URL (owner John1323456).
- The private .NET loader (Installer-Install-2023_v0y.6.6.exe) is SmartAssembly-obfuscated, performs environment validation, and launches a PowerShell script via a hidden ProcessStartInfo to retrieve encrypted payload data.
- The PowerShell script selects one of multiple base64-encoded server IPs, downloads AES-CBC encrypted data, then decrypts and GZip-decompresses it to obtain a DLL loaded with [System.Reflection.Assembly]::Load().
- The DLL (Agacantwhitey.dll) decodes obfuscated strings, conducts extensive Anti-VM and anti-debug checks (WMI, file/module/service/process/name checks), and uses SuspendThread as part of payload injection.
- Lumma Stealer (final payload) collects credentials, browser data, crypto wallets, and system info, then checks in and exfiltrates data to C2 servers via POST requests (act=life / act=receive-message) and /api endpoints, now using HTTPS.
MITRE Techniques
- [T1078] Valid Accounts – The attackers “breach a YouTuber’s account and uploads videos masquerading as sharing cracked software” to distribute malicious links.
- [T1204.002] User Execution: Malicious File – The ZIP “contains an LNK file that calls PowerShell to download a .NET execution file”; the chain starts only when the user opens that LNK.
- [T1059.001] PowerShell – The .NET loader launches a PowerShell process and feeds it a script to retrieve encrypted binary data from remote servers (‘the ProcessStartInfo object is employed to launch the PowerShell process’ / ‘the script encodes the server IP address … to retrieve encrypted binary data’).
- [T1620] Reflective Code Loading – The downloader decrypts and decompresses a DLL and loads it directly in memory via reflection (‘it then invokes the DLL file with a specific method and type via “[System.Reflection.Assembly]::Load()”’).
- [T1497] Virtualization/Sandbox Evasion – The DLL performs multiple environment checks (WMI, specific files, services, processes, sandbox usernames and modules) to detect VMs and sandboxes (‘checks for modules… sandbox usernames… virtualization platforms via WMI queries’).
- [T1055] Process Injection – After decryption and environment checks, the code uses functions like “SuspendThread” as part of the sequence to inject and execute the final payload (‘invokes the “SuspendThread” function… a crucial step in the process of payload injection’).
- [T1071.001] Application Layer Protocol: Web Protocols – Lumma communicates with C2 by sending POST requests (e.g., “act=life” check-in and “act=receive-message”) and uploads exfiltrated data to the /api endpoint (‘sends out a POST message with hardcoded User-Agent “…” and parameter “act=life” to check-in’).
Indicators of Compromise
- [IP Address] C2 and download servers – 176[.]113[.]115[.]224:29983, 176[.]113[.]115[.]226, and 3 more IPs
- [Hostnames] Malicious hosting domains used in campaign – Netovrema[.]pw, opposesicknessopw[.]pw
- [Download URLs / Filenames] Direct download links and archive names – hxxps://github[.]com/John1323456/New/raw/main/Installer-Install-2023_v0y.6.6[.]exe, hxxp://cutt[.]ly/lwD7B7lp, installer_Full_Version_V.1f2.zip
- [File Hashes] Payload/artifact hashes observed – 48cbeb1b1ca0a7b3a9f6ac56273fbaf85e78c534e26fb2bca1152ecd7542af54, 483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532, and 2 more hashes
Fortinet’s technical summary (rewritten, procedure-focused):
Attackers first compromise YouTube accounts and post videos purporting to offer cracked software; video descriptions include shortened links that download ZIP archives (e.g., installer_Full_Version_V.1f2.zip) hosted on public file-sharing services. The archive contains an LNK file that invokes PowerShell to fetch a SmartAssembly-obfuscated .NET executable from a GitHub raw URL (owner John1323456). The .NET loader checks environment variables and only proceeds when conditions match, then creates a hidden ProcessStartInfo to launch PowerShell and feed it a script via standard input to avoid visible consoles.
The PowerShell payload contains base64-encoded server IPs and logic to pick a target based on system date; it downloads AES-CBC encrypted blobs from remote servers (example 176[.]113[.]115[.]224:29983), decrypts and GZip-decompresses the data to produce a DLL, and loads that DLL in-memory via [System.Reflection.Assembly]::Load(). The loaded DLL (Agacantwhitey.dll) decodes its strings with a custom method, performs extensive Anti-VM and anti-debug checks (WMI manufacturer/model checks, sandbox usernames, presence of sandbox/VM files, sandbox-related modules and services, and debugger window names), and then uses thread suspension as part of a payload injection sequence to run the final Lumma Stealer component.
Once active, Lumma Stealer collects system and browser credentials, extensions, and crypto wallet data, and communicates with multiple C2 servers. It performs a check-in via POST (act=life) using a hardcoded User-Agent, polls for commands (act=receive-message), and uploads compressed exfiltrated data to the /api endpoint; recent variants support HTTPS to better evade detection.
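Detection logic for the loader chain and the C2 pattern described above, written here as an added example and not taken from the Fortinet report: it runs three rules over constructed process, script-block and web-proxy events (event field names, file paths and the User-Agent are assumptions; the server address is the one the report lists).

```python
import re

# Constructed sample telemetry (not from the report). Paths and the User-Agent are
# placeholders; the server IP:port is the download/C2 address the report names.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Users\u\Downloads\Installer-Install-2023_v0y.6.6.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"type": "scriptblock", "text": "$aes.Mode='CBC';$gz=New-Object IO.Compression.GZipStream($ms,"
     "[IO.Compression.CompressionMode]::Decompress);[System.Reflection.Assembly]::Load($out)"},
    {"type": "http", "method": "POST", "dst": "176.113.115.224:29983", "path": "/c2conf",
     "body": "act=life", "ua": "PLACEHOLDER-UA"},
    {"type": "http", "method": "POST", "dst": "176.113.115.224:29983", "path": "/api",
     "body": "act=receive-message", "ua": "PLACEHOLDER-UA"},
    {"type": "http", "method": "GET", "dst": "updates.example.invalid:443", "path": "/api",
     "body": "", "ua": "Mozilla/5.0"},
]

PS_IMAGE = re.compile(r"\\powershell(_ise)?\.exe$", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# -File/-Command/-EncodedCommand and their short forms: if none is present, the script body
# must be arriving some other way, e.g. via standard input as the .NET loader does.
PS_SCRIPT_ARGS = re.compile(r"-(?:f(?:ile)?|c(?:ommand)?|e(?:nc(?:odedcommand)?|c)?)\b", re.IGNORECASE)
LOAD_CHAIN = re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.IGNORECASE)
DECRYPT_DECOMPRESS = re.compile(r"GZipStream|Mode\s*=\s*'?CBC'?|CryptoStream", re.IGNORECASE)
LUMMA_ACTS = {"act=life", "act=receive-message"}

def detect(events):
    """Return (rule, event_index) pairs for events matching the delivery or C2 stages."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and PS_IMAGE.search(ev["image"]):
            # Hidden PowerShell with no script/command argument (script fed via stdin).
            if HIDDEN.search(ev["cmdline"]) and not PS_SCRIPT_ARGS.search(ev["cmdline"]):
                hits.append(("hidden_powershell_stdin_script", i))
        elif ev["type"] == "scriptblock":
            # Script block logging (Event ID 4104) showing decrypt/decompress + reflective load.
            if LOAD_CHAIN.search(ev["text"]) and DECRYPT_DECOMPRESS.search(ev["text"]):
                hits.append(("reflective_assembly_load_chain", i))
        elif ev["type"] == "http" and ev["method"] == "POST":
            # Check-in / command-poll bodies, or an upload to the /api endpoint.
            if ev["body"].split("&")[0] in LUMMA_ACTS or ev["path"] == "/api":
                hits.append(("lumma_c2_post", i))
    return hits
```

The process rule gains confidence when the parent image sits under a user-writable path, as in the first sample event; tune the regexes to your own logging format before deploying.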
Read more: https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube