Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The information collected can be used for future attacks
Severity Level: High

FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. We found and reported on a similar attack method via YouTube in March 2023. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly. To circumvent straightforward web filter blacklists, the attackers exploit open-source platforms like GitHub and MediaFire instead of deploying their malicious servers. In this case, the shared links lead to the direct download of a new private .NET loader responsible for fetching the final malware, Lumma Stealer.

Lumma Stealer targets sensitive information, including user credentials, system details, browser data, and extensions. It has been advertised on the dark web and a Telegram channel since 2022, with over a dozen observed command-and-control (C2) servers in the wild and multiple updates. Figure 1 shows Lumma Stealer's C2 server telemetry, illustrating a global presence with a peak observed in December.

In this article, we will elaborate on each stage's behaviors that facilitated the stealer's distribution.

Figure 1: Telemetry of Lumma Stealer’s C2

Initial Infection Vector

The hacker initially breaches a YouTuber's account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors malicious content for the next stage of the attack. The videos were uploaded earlier this year, but the files on the file-sharing site receive regular updates (Figure 4), and the number of downloads keeps growing. This indicates that the ZIP file is always new and that this method effectively spreads malware.

Figure 3: The hacked YouTube Channel with a similar fake software installation guide

Figure 4: The malicious files updated on MediaFire

Figure 5: Malicious LNK file content

Figure 6: .NET executable on GitHub

.NET Executable – Installer-Install-2023_v0y.6.6.exe

The private .NET loader is obfuscated with SmartAssembly. It first gets the system’s environment value, shown in Figure 7. Once the number of the data is correct, it proceeds to load the PowerShell script. Otherwise, it exits the program.

Figure 7: Getting the system’s information by GetEnvironmentVariables()

Figure 8 shows the construction of a dictionary that defines the following properties of the ProcessStartInfo object that the malicious code uses to execute discreetly and avoid raising suspicion from its victims:

• RedirectStandardInput: This property set to true enables the redirection of the standard input stream of the process.
• CreateNoWindow: This property set to true indicates that the process should not create a visible window when it starts. It allows the executed command or script to run without displaying a command prompt window.
• UseShellExecute: This property set to false specifies that the process should not use the user's default shell for execution. Instead, the process is executed directly.

Figure 8: The ProcessStartInfo dictionary

Figure 9: Creates process and loads the PowerShell script

Figure 10: Downloaded encrypted data from a server

Figure 11: The encrypted data from a remote server

Figure 12: Loads decrypted data for the next stage

DLL File – Agacantwhitey.dll

Figure 13 shows the targeted function “PerkyRiggal,” which is pivotal in inspecting the system and environment. It employs several PNG files in the Resources section to decipher the ultimate payload of Lumma Stealer. To avoid detection, the file encodes all its strings using the "BygoLarchen" method. Figure 14 demonstrates the function of decoding the target text with a predefined key string.

Figure 13: Targeted method and Resources in Agacantwhitey.dll

Figure 14: The method for decoding strings

It checks the following items to achieve Anti-VM and Anti-Debug:

• Verifies the user's active window by invoking “GetForegroundWindow” and assesses whether it contains any of the specified remote debugger strings, “x32dbg,” “x64dbg,” “windbg,” “ollydbg,” “dnspy,” “immunity debugger,” “hyperdbg,” “debug,” “debugger,” “cheat engine,” “cheatengine,” “ida.”
• Checks for the following modules about security appliances or sandboxes, “SbieDll.dll” (Sandboxie), “cmdvrt64.dll” (Comodo Antivirus), “cuckoomon.dll” (Cuckoo Sandbox), and “SxIn.dll” (360 Total Security). It then attempts to locate wine_get_unix_file_name to determine if Wine is being used in an analysis environment.
• Examines the presence of the following sandbox usernames: “Johnson,” “Miller,” “malware,” “maltest,” “CurrentUser,” “Sandbox,” “virus,” “John Doe,” “test user,” “sand box,” and “WDAGUtilityAccount.”
• Detects the presence of popular virtualization platforms via WMI queries “Select * from Win32_ComputerSystem” to retrieve information about the computer system, including the manufacturer and model. It then examines the manufacturer names, such as “innotek gmbh” (associated with VirtualBox) and “microsoft corporation” (often linked to Hyper-V), along with the model names “VirtualBox” and “vmware.” It also checks for directory “C:\Program Files\VMware” and “C:\Program Files\oracle\virtualbox guest additions.”
• Checks if the following files exist in folder “C:\Windows\system32\,” which are indicative of a virtualized environment presence: “balloon.sys,” “netkvm.sys,” “vioinput,” “viofs.sys,” “vioser.sys,” “VBoxMouse.sys,” “VBoxGuest.sys,” “VBoxSF.sys,” “VBoxVideo.sys,” “vmmouse.sys,” and “vboxogl.dll.”
• Checks the following system services: "vmbus," "VMBusHID," and "hyperkbd."
• Inspects the following process names: "vboxservice," "VGAuthService," "vmusrvc," and "qemu-ga."

After completing all environment checks, the program decrypts the resource data and invokes the "SuspendThread" function. This function is employed to transition the thread into a "suspended" state, a crucial step in the process of payload injection (see Figure 15).

Figure 15: Inject the final payload

Lumma Stealer Variant

Lumma stealer is a type of malware that can steal sensitive information from a user’s computer. It can target the system data, the browsers, crypto wallets, and browser extensions. It is written in C language and sold on underground forums. To elude detection and analysis, it employs diverse obfuscation techniques. The malware establishes communication with a command and control server, facilitating the exchange of instructions and transmitting pilfered data.

Figure 16 shows the method to contact a command and control (C2) server. Once it gets the first server that can set up a connection, it then sends out a POST message with hardcoded User-Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36“ and parameter “act=life” to check-in. The corresponding code is shown in Figure 17.

Figure 16: Resolve the C2 server list

Figure 17: Sending check-in message to C2 server

Figure 18: POST request to C2 server with Lumma ID “JVryU4--LNK”

Conclusion

In this attack, the malicious actor targets YouTube channels to disseminate Lumma Stealer. The crafted installation ZIP file serves as an effective bait to deliver the payload, exploiting the user's intention to install the application and prompting them to click the installation file without hesitation. URLs from open-source websites throughout the scheme aim to diminish user awareness. The attackers further deploy a private .NET loader with environment checks, various anti-virtual machine (Anti-VM), and anti-debugging functions. Users must exercise caution regarding unclear application sources and ensure legitimate applications from reputable and secure origins are used.

Fortinet Protections

The malware described in this report are detected and blocked by FortiGuard Antivirus as:

W32/Stealer.QLD!tr
MSIL/Agent.WML!tr
MSIL/Kryptik.BJF!tr
LNK/Agent.WML!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.

We also suggest that organizations go through the free Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

IP Addresses

176[.]113[.]115[.]224
176[.]113[.]115[.]226
176[.]113[.]115[.]227
176[.]113[.]115[.]229
176[.]113[.]115[.]232

Hostnames

Netovrema[.]pw
opposesicknessopw[.]pw
politefrightenpowoa[.]pw
chincenterblandwka[.]pw

Files:

48cbeb1b1ca0a7b3a9f6ac56273fbaf85e78c534e26fb2bca1152ecd7542af54
483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532
01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f
7603c6dd9edca615d6dc3599970c203555b57e2cab208d87545188b57aa2c6b1