There’s a new malicious campaign focusing on YouTube creators. An unidentified threat actor with a huge automated infrastructure is impersonating trusted brands, crafting enticing emails, and offering promotion and partnership deals. The victims are losing their data and accounts.
As many as 200,000 YouTubers received malicious offers during the ongoing campaign, researchers of CloudSEK, a threat analytics platform, discovered.
As of December 2024, the threat actor had been using 340 SMTP (email) servers, each sending around 500-1,000 phishing emails from a single email address, impersonating popular brands.
The fake brand collaboration proposals offer YouTubers compensation, tiered by subscriber count, for a 15-second advertisement in upcoming content. However, the documents, disguised as contracts or promotional materials, contain malware downloaders.
The links are hidden within the attachments, such as Word, PDFs, or Excel files, which masquerade as promotional materials, contracts, or business proposals.
“The phishing emails are sent from spoofed or compromised email addresses, making them seem credible. Recipients are lured into downloading the attached files, believing they are legitimate business offers,” Mayank Sahariya, Cyber Threat Analyst at CloudSEK said in a report.
To evade detection, the threat actor hosts password-protected files, such as ZIP or RAR archives, on legitimate platforms, including OneDrive.
Upon clicking the link, the victim is redirected to a legitimate platform (OneDrive), hosting a malicious file, which delivers Lumma Stealer, a capable infostealer.
“Once downloaded, the malware can steal sensitive information, including login credentials and financial data, while also granting attackers remote access to the victim’s systems,” the researcher said.
Hackers using automation
For the ongoing campaign, the threat actor amassed a large infrastructure. They were observed using a parser to collect email addresses in bulk from YouTube channels, targeting creators and organizations. To automate sending phishing emails from the Murena and Onet.eu platforms, the attackers used tools such as Browser Automation.
The attackers prepared templates both for creating temporary email accounts and for the email messages themselves. Numerous email accounts impersonate public relations and media entities.
Hackers were using more than 340 SMTP servers, over 26 SOCKS5 network proxies to route their traffic through intermediaries, and more than 46 Remote Desktop Protocol (RDP) hosts.
“We were able to log into the Murena.io SMTP account and found evidence of a large-scale campaign, with the threat actor sending around 500-1,000 spam emails from a single email address,” the researcher explained.
Attackers mostly target businesses and individuals in marketing, sales, and executive positions, given their propensity to engage in brand promotions and partnerships.
The malware executable, named “Digital Agreement Terms and Payments Comprehensive Evaluation.exe,” is already flagged as malicious by 48 antivirus vendors on VirusTotal. It is capable of checking for and potentially disabling antivirus solutions. It drops two files, “webcams.pif” and “RegAsm.exe,” into a folder named “10183” inside the temp directory. Lumma Stealer is a well-known subscription-based information-stealing malware that attackers use to exfiltrate credentials, crypto wallets, and other data from the system.
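As an added example (not from the CloudSEK report or this article), the following Python detection runs over constructed Sysmon-style FileCreate records and flags a temp subfolder that receives both dropped files from the same process. The rule that the drop folder is any digits-only subfolder of a Windows temp directory is an assumption that generalises the single observed folder name “10183”.

```python
import json
import re
from collections import defaultdict

# Filenames quoted in the report; matching is case-insensitive.
DROPPED_FILES = {"webcams.pif", "regasm.exe"}

# Assumption: the drop folder is any digits-only subfolder of a Windows temp
# directory. The report names only the single folder "10183".
TEMP_DROP = re.compile(
    r"^(?P<temp>.*\\(?:AppData\\Local\\Temp|Windows\\Temp))\\(?P<sub>\d+)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse one Sysmon-style FileCreate record (JSON with Image and TargetFilename)."""
    event = json.loads(line)
    match = TEMP_DROP.match(event.get("TargetFilename", ""))
    if not match:
        return None  # not a write into a numeric temp subfolder
    return {
        "image": event.get("Image", ""),
        "dir": match.group("temp") + "\\" + match.group("sub"),
        "name": match.group("name").lower(),
    }


def find_drop_clusters(lines):
    """Map each temp subfolder that received BOTH indicator files to the writing process."""
    names_by_dir = defaultdict(set)
    writer_by_dir = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed["name"] in DROPPED_FILES:
            names_by_dir[parsed["dir"]].add(parsed["name"])
            writer_by_dir[parsed["dir"]] = parsed["image"]
    return {d: writer_by_dir[d] for d, names in names_by_dir.items() if names == DROPPED_FILES}


# Constructed sample records, not real telemetry (JSON escapes the backslashes).
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Users\\alice\\Downloads\\Digital Agreement Terms and Payments Comprehensive Evaluation.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\10183\\webcams.pif"}',
    r'{"Image": "C:\\Users\\alice\\Downloads\\Digital Agreement Terms and Payments Comprehensive Evaluation.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\10183\\RegAsm.exe"}',
    r'{"Image": "C:\\Program Files\\Installer\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log"}',
    r'{"Image": "C:\\Program Files\\Installer\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\4412\\RegAsm.exe"}',
]

if __name__ == "__main__":
    for folder, proc in find_drop_clusters(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} dropped the webcams.pif + RegAsm.exe pair into {folder}")
```

A lone RegAsm.exe in a temp folder (the fourth record) is deliberately not flagged on its own, since the legitimate .NET utility can appear in benign installs; the pair in one numeric folder is the stronger signal.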