
Cyberattackers conceal Infostealers in YouTube comments


Attackers have been found to be preying on individuals interested in pirated and cracked software downloads by exploiting YouTube and Google search results. The Trend Micro researchers discovered this activity taking place on the video-sharing platform. Threat actors masquerade as “guides” providing legitimate software installation tutorials to entice viewers to check out the video descriptions or comments, where they embed links to fake software downloads that lead to malware, as revealed in a recent blog post.

On Google, attackers are manipulating search results for pirated and cracked software, including links that appear to be genuine downloaders but actually contain infostealing malware, according to the Trend Micro researchers. Moreover, the threat actors frequently make use of reputable file hosting services like Mediafire and Mega.nz to hide the origin of their malware, making detection and removal more challenging, as stated by Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco in their post.

The campaign shares similarities with a previous one that emerged about a year ago, spreading Lumma Stealer—malware-as-a-service commonly employed to pilfer sensitive information such as passwords and cryptocurrency-wallet data—via weaponized YouTube channels. Although Trend Micro did not confirm a connection between the two campaigns, the recent activity appears to introduce a wider array of malware being distributed, more advanced evasion tactics, and the addition of malicious Google search results.

The malevolent downloads disseminated by attackers are typically password-protected and encoded, complicating analysis in security environments like sandboxes and enabling malware to elude early detection. Following infection, the malware concealed in the downloaders gathers sensitive data from web browsers to steal credentials, highlighting the severe risks of unwittingly downloading fraudulent software.
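The pattern described above (an archive or binary fetched from Mediafire or Mega.nz after the victim arrives from a YouTube video or a Google search result) lends itself to a simple proxy-log detection. The following Python script is an added example, not code from Trend Micro or the original post; the log format and every line in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosting services the report names as abused to stage the downloads
FILE_HOSTS = {"mediafire.com", "mega.nz"}
# Referrers matching the two lures described: YouTube video pages and Google search results
LURE_HOSTS = {"youtube.com", "google.com"}
# Content types typical of the password-protected archives and droppers being served
DOWNLOAD_TYPES = {"application/zip", "application/x-rar-compressed",
                  "application/x-7z-compressed", "application/octet-stream"}

# Constructed proxy log format (hypothetical): timestamp client method url referer content-type bytes
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
                     r"(?P<referer>\S+) (?P<ctype>\S+) (?P<bytes>\d+)$")

# Constructed sample lines; only the second and third match the lure pattern
SAMPLE_LOG = """\
2025-01-09T10:01:12Z 10.0.0.21 GET https://www.youtube.com/watch?v=abc123 - text/html 48212
2025-01-09T10:01:40Z 10.0.0.21 GET https://www.mediafire.com/file/x1y2z3/Setup_Full_Version.zip https://www.youtube.com/watch?v=abc123 application/zip 5242880
2025-01-09T10:03:05Z 10.0.0.33 GET https://mega.nz/file/AbCdEf#kEy https://www.google.com/search?q=cracked+editor application/octet-stream 7340032
2025-01-09T10:04:00Z 10.0.0.40 GET https://www.mediafire.com/file/q9w8e7/holiday_photos.zip https://mail.example.com/ application/zip 2097152
2025-01-09T10:05:30Z 10.0.0.21 GET https://update.example-vendor.com/installer.exe - application/x-msdownload 9437184
"""

def _base_domain(url):
    """Registrable domain of a URL's host ('www.mediafire.com' -> 'mediafire.com'); '' if absent."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def flag_suspicious(log_text):
    """Return (client, url, reason) for each download from a file host reached via a lure referrer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = _base_domain(rec["url"])
        ref = _base_domain(rec["referer"]) if rec["referer"] != "-" else ""
        if host in FILE_HOSTS and ref in LURE_HOSTS and rec["ctype"] in DOWNLOAD_TYPES:
            hits.append((rec["client"], rec["url"], f"{rec['ctype']} from {host} via {ref} referrer"))
    return hits
```

The mediafire download reached from a mail client (fourth line) is deliberately not flagged; the rule keys on the referrer chain, not on the file host alone.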

In addition to Lumma, other infostealers seen circulating through counterfeit software downloads linked from YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers. Overall, the campaign capitalizes on the trust people place in platforms such as YouTube and file-sharing services, particularly affecting those seeking pirated software who believe they are downloading legitimate installers for popular programs.

There are similarities between this campaign and another recently uncovered abusing GitHub, where attackers exploited developers’ trust in the platform to conceal the Remcos RAT in GitHub repository comments. Though the attack vector differs, comments play a significant role in the propagation of malware.

As illustrated by the threat activity, attackers persist in using social engineering tactics to target victims and deploying various methods to bypass security defenses. To shield against these attacks, organizations are advised to remain informed about current threats and maintain vigilance concerning detection and alert systems. Employee training is also crucial in preventing socially engineered attacks and the downloading of pirated software, as highlighted by security experts.
