Warning: Fake CAPTCHA Scam Spreading Lumma Stealer Malware Across Multiple Industries

Fake CAPTCHA Scam Spreading Lumma Stealer Malware Across Multiple Industries

Cybersecurity experts have uncovered a widespread malware campaign that exploits fake CAPTCHA verification checks to deploy the notorious Lumma Stealer malware.

Global Cyber Threat Targeting Multiple Sectors

According to Netskope Threat Labs, this sophisticated cyberattack has affected victims worldwide, including in Argentina, Colombia, the U.S., the Philippines, and several other nations. The campaign has impacted various industries, with telecom companies experiencing the highest number of attacks, followed by healthcare, banking, and marketing sectors.

How the Attack Works

The infection begins when unsuspecting users visit a compromised website, which redirects them to a fraudulent CAPTCHA page. The page instructs users to copy and paste a command into the Windows Run prompt. This command utilizes the built-in mshta.exe function to download and execute an HTA file from a remote server, initiating the malware payload.

This technique is a variation of a previously identified attack method, ClickFix, which used Base64-encoded PowerShell scripts to install Lumma Stealer. In the current attack, the HTA file runs a PowerShell command that launches a multi-stage process, eventually executing the Lumma malware while bypassing Windows security defenses like the Antimalware Scan Interface (AMSI).

Lumma Stealer’s Evolving Threat Landscape

Lumma Stealer operates under a malware-as-a-service (MaaS) model and has seen a surge in activity in recent months. Its diverse delivery methods make detection and mitigation increasingly challenging, especially as attackers exploit user interactions outside the browser environment.

Recent reports indicate that cybercriminals have expanded their tactics by using over 1,000 counterfeit domains impersonating reputable sites like Reddit and WeTransfer. These fake sites trick users into downloading password-protected archive files containing an AutoIT-based dropper, known as SelfAU3 Dropper, which executes the Lumma Stealer malware.

This method mirrors previous campaigns, such as one in early 2023, where attackers deployed over 1,300 fake AnyDesk domains to spread the Vidar Stealer malware.

Expanding Threats and Phishing-as-a-Service (PhaaS)

The rise of phishing-as-a-service (PhaaS) further complicates the cybersecurity landscape. Barracuda Networks recently reported an upgraded phishing toolkit, Tycoon 2FA, designed to evade security tools. This toolkit employs advanced techniques such as using compromised email accounts, detecting automated security scripts, and disabling web inspection features to avoid detection.

Another social engineering tactic involves leveraging Gravatar’s “Profiles as a Service” to create convincing fake profiles mimicking legitimate brands like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail. By doing so, cybercriminals manipulate users into entering their login credentials.

Protecting Against Lumma Stealer and Similar Threats

To safeguard against such threats, cybersecurity professionals recommend:

  • Avoiding suspicious CAPTCHA prompts that request system commands.
  • Keeping security software updated to detect evolving malware variants.
  • Being cautious of phishing attempts, even those disguised as legitimate services.
  • Verifying website authenticity before entering credentials or downloading files.

As cyber threats evolve, staying informed and implementing strong security practices is essential in preventing attacks like the Lumma Stealer campaign.

source: thehackernews

Share this on

Facebook
LinkedIn
Twitter
Pinterest
Email
WhatsApp
Telegram
Skype