Threat Actors Exploit YouTube Channels to Spread Infostealers (Vidar and LummaC2)

AhnLab SEcurity intelligence Center (ASEC) has recently observed a growing number of cases in which threat actors use YouTube to distribute malware. Rather than simply creating their own YouTube channels, the attackers hijack well-known channels that already exist and upload their content under an established, trusted name. In one of the cases, the hijacked channel had more than 800,000 subscribers.

Figure 1. Malware uploaded by a YouTube account with more than 800,000 subscribers

The threat actors abusing YouTube mainly distribute Infostealers: the RedLine Infostealer distributed via YouTube in 2020, as well as Vidar and LummaC2 found in the recently discovered cases, are all Infostealers.

1. Malware Distributed Using YouTube

Among the many malware distribution methods, the most common is the abuse of web services. Users downloading programs may be looking for legitimate software, but they may also be looking for illegal programs such as game hacks, cracks, and keygens. Threat actors build websites that appear to host such programs while actually serving malware, so users end up downloading malware instead of the program they searched for, and running it infects their systems.

Websites used to distribute malware in this way include file-sharing sites [1], compromised websites [2], and blogs [3]. YouTube can be used the same way, since the platform lets a threat actor place the malware download link in the video itself as well as in the description and the comment section. Threat actors have used this method to distribute Infostealers such as RedLine [4], BlackGuard [5], and RecordBreaker [6] since 2020.

In the past, the YouTube channels used by threat actors had few subscribers because the attackers created the channels themselves. However, in the RecordBreaker distribution case in 2023, a threat actor hijacked a channel with more than 100,000 subscribers to upload and distribute malware. Attacks using this method are now increasingly common, and in one case a channel with more than 800,000 subscribers was hijacked. The targeted YouTube channels ranged from singers and influencers to channels about sports, religion, and animation.

Figure 2. Targeted YouTube channels

2. Malware Used in Attacks

All of the cases share a similar attack method: a video advertising a cracked version of a legitimate program such as an Adobe product is uploaded with a download link in the description or the comment section. All of the malware is hosted on MediaFire in password-protected archives, most likely to evade scanning by security solutions, since a scanner cannot inspect the encrypted contents. When the archives are decompressed, malware disguised as an installer is found.

Figure 3. Links to malware in the description and comment section of YouTube videos

2.1. Vidar Infostealer

Below is the Vidar malware disguised as an installer, which is identical to the past case of LummaC2 Infostealer distribution [7]. The "Set-up.exe" file that the user is expected to run is actually Microsoft Edge's legitimate "identity_helper.exe". When it runs, it loads "msedge_elf.dll" from the same directory, and this is where the malicious code lives: the attacker has patched part of the legitimate msedge_elf.dll's code, so the clean, signed executable side-loads the malicious DLL. On execution, the patched DLL decrypts the "berley.asp" and "complot.ppt" files in the same path and uses them as the shellcode and the actual malware payload.

Figure 4. The installer containing Vidar malware

Vidar has also been distributed in a manner similar to the past RecordBreaker Infostealer distribution case [8]. A notable feature of this method is that the file size is intentionally inflated to around 800 MB to evade security products, many of which skip files above a size threshold. The compressed file is far smaller because the intentionally added padding has a repetitive pattern that compresses very well; in the case below, an 800 MB "Setup.exe" shrank to 8 MB after compression.

Figure 5. Vidar malware with a large file size
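
The two evasion tricks just described, the encrypted payloads hidden behind harmless .asp/.ppt names in the Vidar side-loading package (Section 2.1 above) and the padding-inflated Setup.exe, can both be caught while triaging an extracted archive. The following Python script is an added example written for this page, not ASEC's tooling or code from the samples; every file it inspects is constructed in a temporary directory with synthetic contents (only the file names mirror the post), and the thresholds (3.0 bits/byte for padding, 7.0 for encrypted content, a 512 KB size floor) are assumptions chosen for the demo.

```python
"""Triage heuristics for two evasion tricks seen in the Vidar case: a payload
hidden behind a harmless extension (.asp/.ppt files that are really encrypted
blobs) and a binary inflated to hundreds of MB with repetitive padding.
Added example, not ASEC's code; all sample files are constructed here."""
import math
import os
import tempfile
import zlib
from collections import Counter

CHUNK = 4096
PADDING_ENTROPY_MAX = 3.0          # bits/byte; repeated patterns sit well below this (assumption)
INFLATED_MIN_SIZE = 512 * 1024     # assumption for the demo; real scanners use far larger limits
MAGIC = {                          # expected leading bytes per extension (small assumed table)
    ".exe": b"MZ", ".dll": b"MZ",
    ".ppt": b"\xd0\xcf\x11\xe0",   # OLE2 compound document
    ".pptx": b"PK",                # OOXML zip container
}
PE_EXTENSIONS = {".exe", ".dll"}                        # packed sections are common; skip entropy check
NATURALLY_DENSE = {".zip", ".rar", ".7z", ".gz", ".png", ".jpg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted/compressed data, near 0 for repeats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def padding_fraction(data: bytes) -> float:
    """Share of the file, counted from the end, made of low-entropy chunks.
    Inflated samples append a repeating pattern, so this approaches 1.0."""
    padded = 0
    for end in range(len(data), 0, -CHUNK):
        chunk = data[max(0, end - CHUNK):end]
        if shannon_entropy(chunk) > PADDING_ENTROPY_MAX:
            break
        padded += len(chunk)
    return padded / len(data) if data else 0.0

def compression_ratio(data: bytes) -> float:
    """compressed/original; this is the effect that shrinks an 800 MB file to 8 MB."""
    return len(zlib.compress(data, 6)) / len(data) if data else 1.0

def triage(path: str) -> list:
    """Return a list of findings for one file (empty list means nothing suspicious)."""
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("extension/magic mismatch")
    if ext not in (PE_EXTENSIONS | NATURALLY_DENSE) and shannon_entropy(data[:CHUNK]) > 7.0:
        findings.append("high-entropy content (possible encrypted payload)")
    pf = padding_fraction(data)
    if len(data) >= INFLATED_MIN_SIZE and pf > 0.5:
        findings.append(f"inflated: {pf:.0%} trailing padding, compresses to {compression_ratio(data):.1%}")
    return findings

def build_samples(directory: str) -> dict:
    """Constructed stand-ins for the files named in the post (contents are synthetic)."""
    samples = {
        "Set-up.exe": b"MZ" + os.urandom(4096),                    # stands in for the clean loader
        "msedge_elf.dll": b"MZ" + b"\x90" * 2048,                   # stands in for the patched DLL
        "berley.asp": os.urandom(8192),                             # encrypted shellcode blob
        "complot.ppt": os.urandom(8192),                            # encrypted payload blob
        "Setup.exe": b"MZ" + os.urandom(16384) + b"\x00\x01\x02\x03" * 262144,  # inflated sample
    }
    paths = {}
    for name, content in samples.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(content)
    return paths

def triage_directory(directory: str) -> dict:
    return {name: triage(os.path.join(directory, name)) for name in sorted(os.listdir(directory))}

def run_demo() -> dict:
    """Build the constructed samples in a temp dir and return {filename: findings}."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return triage_directory(d)

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name:16} {findings or 'no findings'}")
```

Run as a script it prints the findings per file: the two blobs are flagged for entropy (and complot.ppt additionally for not being an OLE document), and Setup.exe is reported as mostly padding with its compression ratio. The renamed identity_helper.exe and the patched msedge_elf.dll produce no findings here; catching them needs an Authenticode check (the patched DLL no longer verifies), which is the natural next step and is not part of this script.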

The two distribution cases are presumed to be the work of the same threat actor because they share the same C&C server address. To locate its C&C server, Vidar uses Telegram and Steam Community as dead drops: the actual C&C address is placed in a Telegram channel or Steam profile controlled by the attacker, the malware reads it from there, and the threat actor collects the information stolen by the malware by accessing that C&C server.

Figure 6. Vidar Abusing Telegram and Steam
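
The dead-drop mechanism described above, modelled in Python as an added example (it is neither Vidar's code nor ASEC's): the resolver fetches a profile page and pulls the C&C address out of a field the attacker controls, and a second function shows the behavioural signal a defender can look for, a non-browser process reading such a profile and then connecting to a bare IP shortly afterwards. The HTML pages and the proxy log are constructed; the values in them are taken from the IoC list at the end of this post. The element class names (Steam's `actual_persona_name`, Telegram's `tgme_page_title`), the trailing `|` delimiter, and the exempt process list are assumptions, not facts from the post.

```python
"""Dead-drop C&C resolution over public profile pages (Telegram, Steam Community)
and a matching detection heuristic. Added example; pages and log are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed profile pages. The class names are assumptions about the real markup;
# the addresses are the Vidar C&C values from the IoC list.
STEAM_PROFILE_HTML = """<html><body>
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">https://95.216.176.246:5432|</span>
</div></body></html>"""

TELEGRAM_PAGE_HTML = """<html><body>
<div class="tgme_page_title"><span dir="auto">https://78.47.221.177|</span></div>
</body></html>"""

C2_RE = re.compile(r"https?://[\w.-]+(?::\d{1,5})?")  # stops at the assumed '|' delimiter

class FieldGrabber(HTMLParser):
    """Collects the text inside the first element carrying the wanted class."""
    def __init__(self, wanted_class: str):
        super().__init__()
        self.wanted, self.depth, self.texts = wanted_class, 0, []

    def handle_starttag(self, tag, attrs):
        if self.depth:                      # nested element inside the captured one
            self.depth += 1
        elif self.wanted in (dict(attrs).get("class") or "").split():
            self.depth = 1

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.texts.append(data)

def resolve_c2(page_html: str, field_class: str) -> list:
    """What the malware does: read the attacker-controlled field, extract URLs."""
    grabber = FieldGrabber(field_class)
    grabber.feed(page_html)
    return C2_RE.findall("".join(grabber.texts))

# Constructed proxy log: (seconds since start, process name, URL requested).
PROXY_LOG = [
    (0, "Set-up.exe", "https://steamcommunity.com/profiles/76561199658817715"),
    (2, "Set-up.exe", "https://95.216.176.246:5432/"),
    (30, "steam.exe", "https://steamcommunity.com/profiles/76561199658817715"),
    (600, "chrome.exe", "https://t.me/sa9ok"),
]
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}
EXEMPT_PROCESSES = {"steam.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumption
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def find_dead_drop_sequences(log, window=60) -> list:
    """Flag a non-exempt process that reads a dead-drop page and then talks to a
    bare IP within `window` seconds: returns (process, dead-drop URL, follow-up URL)."""
    hits = []
    for i, (t, proc, url) in enumerate(log):
        if proc.lower() in EXEMPT_PROCESSES or urlparse(url).hostname not in DEAD_DROP_HOSTS:
            continue
        for t2, proc2, url2 in log[i + 1:]:
            if t2 - t > window:
                break
            if proc2 == proc and BARE_IP.match(urlparse(url2).hostname or ""):
                hits.append((proc, url, url2))
    return hits

if __name__ == "__main__":
    print("steam profile ->", resolve_c2(STEAM_PROFILE_HTML, "actual_persona_name"))
    print("telegram page ->", resolve_c2(TELEGRAM_PAGE_HTML, "tgme_page_title"))
    for hit in find_dead_drop_sequences(PROXY_LOG):
        print("suspicious:", hit)
```

The point of the detection half is that blocking steamcommunity.com or t.me is rarely an option, but the sequence is distinctive: an installer-named process fetching a profile page and then opening an HTTPS connection to a raw IP on an unusual port is not something a legitimate installer does, and the dead-drop profile URL itself is a durable indicator even when the attacker rotates the C&C IP.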

2.2. LummaC2 Infostealer

The figure below shows installers containing the LummaC2 malware. There are no notable characteristics compared with the Vidar cases described above; here the executable disguised as an installer is the malware itself.

Figure 7. Installers containing LummaC2 malware

LummaC2 is currently being distributed actively, usually under the guise of cracked versions of commercial software [9]. Like typical Infostealers such as Vidar, Azorult, RedLine, and AgentTesla, LummaC2 steals account credentials from web browsers, email clients, and FTP clients, and it also steals cryptocurrency wallet files and takes screenshots.

3. Conclusion

Recently, there have been cases where threat actors hijacked well-known YouTube channels to distribute Vidar and LummaC2. Both are Infostealers that collect and steal various user information saved on infected systems and can also download and install additional malware.

The targeted channels included one with more than 800,000 subscribers, so viewers may download the malware without suspecting anything, trusting the channel's reputation. In every case the threat actors disguised their malware as cracked versions of commercial software.

As explained in this post, malware can be delivered through a variety of platforms, so users should refrain from downloading illegal programs, avoid suspicious websites and P2P services, and always use genuine software. V3 should also be kept updated to the latest version so that malware infection can be prevented.

File Detection
– Trojan/Win.Evo-gen.C5558850 (2023.12.05.01)
– Malware/Win.Generic.R642292 (2024.03.30.01)
– Infostealer/Win.Vidar.R642530 (2024.04.01.02)
– Infostealer/Win.Vidar.C5603574 (2024.03.21.03)
– Data/BIN.Encoded (2024.04.01.02)

Behavior Detection
– Injection/MDP.Hollowing.M4180

IoC
MD5s

– af273f24b4417dce302cf1923fb56c71: Vidar Loader (msedge_elf.dll)
– 0c9c366aa9938df153c406db65debe82: Encoded Data (berley.asp)
– dae50482d640385a5665272cd1f716df: Encoded Data (complot.ppt)
– e8201c07fcb62107a91411c55c261fab: Vidar (Setup.exe)
– 2414085b0a5bf49d9658f893c74cf15e: LummaC2 (Adobe_Activator.exe)
– cd0338fffaebc9cbc50a435868397e96: LummaC2 (Update-setup.exe)

C&C Servers
– hxxps://steamcommunity[.]com/profiles/76561199658817715: Vidar
– hxxps://t[.]me/sa9ok: Vidar
– hxxps://78.47.221[.]177: Vidar
– hxxps://95.216.176[.]246:5432: Vidar
– hxxps://interferencesandyshiw[.]shop/api: LummaC2
– hxxps://chokepopilarvirusew[.]shop/api: LummaC2
– hxxps://pillowbrocccolipe[.]shop/api: LummaC2
– hxxps://communicationgenerwo[.]shop/api: LummaC2
– hxxps://diskretainvigorousiw[.]shop/api: LummaC2
– hxxps://affordcharmcropwo[.]shop/api: LummaC2
– hxxps://dismissalcylinderhostw[.]shop/api: LummaC2
– hxxps://enthusiasimtitleow[.]shop/api: LummaC2
– hxxps://worryfillvolcawoi[.]shop/api: LummaC2
– hxxps://cleartotalfisherwo[.]shop/api: LummaC2

