Watch Out for YouTube Videos Promoting Malware

A red bug in between lots of green padlocks
ID 159501642 © Dragan Andrii | Dreamstime.com

YouTube videos claiming to help viewers download premium software for free are instead tricking them into downloading malware. An internet researcher going by the handle idclickthat raised the alarm about two such malware campaigns on Twitter earlier this week. 

Lumma info stealer campaign

Screenshot of some of the malicious videos found on YouTube, featuring the malicious Bitbucket link (screenshot from YouTube). The video titles shown are:
Davinci Resolve Crack | Davinci Resolve 18 Crack | Davinci Resolve Free 2023
Audition CRACK FOR PC 2023 // FULL FREE Download - For Pc WIN 11/10 2023
Ccleaner PRO [New] Updated March 2023! Download & Install Steps Lifetime Activation

The first campaign targeted popular software, including Adobe Animate, AutoCAD by Autodesk and Wondershare Filmora. The videos directed viewers to a Bitbucket link to download the software for free.

Idclickthat analyzed the software downloaded from the link using Hatching Triage, an online sandbox for testing suspected malware. It scored 10/10 for bad behavior on Triage and was identified as an information stealer called Lumma.

An information stealer does exactly as its name suggests: it steals personal data from the victim’s machine and sends it back to the bad guys. The data it takes can include passwords and session cookies, allowing hackers to log in to the victim’s accounts and even bypass 2FA.

Lumma targets cryptocurrency wallets as well, so any crypto enthusiasts attempting to get free software would find themselves missing their crypto instead.

A second info stealer 

The second YouTube malware campaign identified by idclickthat targeted Adobe products, including Photoshop and XD, as well as music software Ableton and computer backup software EaseUS. The malicious videos all linked to a slick-looking site, with all kinds of fake free software ready to download.

Screenshot of the malicious site (source: URLScan). The site copy says:
On FreeCrackSoft you can download programs of any category absolutely for free.
The site was created for users who are going to download computer programs. We tried to collect all the necessary programs that may be needed when using a computer for work, study and entertainment. You can download programs without registration, torrents and SMS.

At the time of writing, however, the site is no longer available. The Whois record for the domain lists its status as ‘serverhold,’ indicating the registry has stepped in to stop its owner’s malware distribution operation.

Whois record for one of the malicious domains (screenshot from WhoXY):
Registered: 10th April 2023
Updated: 2nd May 2023
Expiry: 10th April 2024
Domain Status: Client Transfer Prohibited, Server Hold, Server Transfer Prohibited

However, the malicious videos also contained a direct link that redirected to a Dropbox folder containing a file called Setup_x64_32.exe. idclickthat analyzed that file using Triage, which gave it a score of 8/10 for malicious behavior. When run, the program accessed cryptocurrency wallet information and engaged in potential credential harvesting, meaning it’s likely another information stealer.

Videos still live

Screenshot of some of the malicious videos that were still live on YouTube as of May 4th 2023. Titles include:
Photoshop 2023 for FREE Download - Photoshop 2023 for PC Win 10/11
Adobe InDesign | Adobe In Design free download | 2023
Adobe XD CrAck | Free Download | 2022

As of the time of writing, searching on YouTube for the malicious domains used in both campaigns still brings up multiple videos promoting the fake software. While some videos have only a few views, others have hundreds. Presumably some of those hundreds of viewers clicked the links and now have a nasty info stealer on their system.

The takeaway

No matter how tempting, resist the urge to download “free” versions of premium software. Otherwise, you might end up paying for that “free” software with all your crypto and online accounts!
