YouTube videos claiming to help viewers download premium software for free are instead tricking them into downloading malware. An internet researcher going by the handle idclickthat raised the alarm about two such malware campaigns on Twitter earlier this week.
Lumma info stealer campaign
The first campaign targeted popular software, including Adobe Animate, AutoCAD by Autodesk and Wondershare Filmora. The videos directed viewers to a Bitbucket link to download the software for free.
Idclickthat analyzed the software downloaded from the link using Hatching Triage, an online sandbox for testing suspected malware. It scored 10/10 for bad behavior on Triage and was identified as an information stealer called Lumma.
An information stealer does exactly as its name suggests: steals personal data from the victim’s machine and sends it back to the bad guys. The data it takes can include passwords and session cookies, allowing hackers to log in to the victim’s accounts and even bypass 2FA.
Lumma targets cryptocurrency wallets as well, so any crypto enthusiasts attempting to get free software would find themselves missing their crypto instead.
A second info stealer
The second YouTube malware campaign identified by idclickthat targeted Adobe products, including Photoshop and XD, as well as music software Ableton and computer backup software EaseUS. The malicious videos all linked to a slick-looking site, with all kinds of fake free software ready to download.
At the time of writing, however, the site is no longer available. The Whois record for the domain lists its status as ‘serverhold,’ indicating the registry has stepped in to stop its owner’s malware distribution operation.
However, the malicious videos also contained a direct link that redirected to a Dropbox folder containing a file called Setup_x64_32.exe. idclickthat analyzed that file using Triage, which gave it a score of 8/10 for malicious behavior. When run, the program accessed cryptocurrency wallet information and engaged in potential credential harvesting, meaning it’s likely another information stealer.
Videos still live
As of the time of writing, searching on YouTube for the malicious domains used in both campaigns still brings up multiple videos promoting the fake software. While some videos have only a few views, others have hundreds. Presumably some of those hundreds of viewers clicked the links and now have a nasty info stealer on their system.
No matter how tempting, resist the urge to download “free” versions of premium software. Otherwise, you might end up paying for that “free” software with all your crypto and online accounts!