Advanced Cyber Attack Exploits Booking Websites to Deploy LummaStealer Malware

A sophisticated cyberattack has been uncovered, targeting booking websites to spread the LummaStealer malware.

This campaign leverages fake CAPTCHA prompts and social engineering techniques to deceive users into executing malicious commands on their systems.

LummaStealer, an info-stealer malware operating under a Malware-as-a-Service (MaaS) model, has been gaining attention for its versatility and global reach.

Infection Chain and Techniques

The attack begins with a fake booking confirmation link that redirects users to a webpage mimicking legitimate booking platforms like Booking.com.

This page displays a fake CAPTCHA verification prompt, instructing users to execute a PowerShell command via the Windows Run dialog.

This technique, known as ClickFix, involves displaying fake error messages to trick users into compromising their systems.

The PowerShell command retrieves a Base64-encoded payload from a fake booking website URL, which then downloads and executes the LummaStealer malware.

The malware samples involved are significantly larger than previous versions, often disguised as legitimate installers to evade detection.

The infection chain involves multiple stages, starting with a fake payment confirmation URL that leads to a booking itinerary page with a CAPTCHA prompt.

An obfuscated PHP script copies a PowerShell script to the user’s clipboard, which, when executed, downloads the malware payload.

The use of ROT13 encryption and Base64 encoding adds complexity to the attack, making it challenging for security tools to detect.

Global Impact and Evolution

According to the Report, this campaign has been observed targeting users worldwide, with cases reported in countries such as the Philippines and Germany.

The shift in targeting booking websites marks a new approach for LummaStealer, which was previously spread through platforms like GitHub and Telegram.

The malware employs advanced obfuscation techniques, including indirect control flow and binary padding, to evade detection.

These techniques make analysis more difficult and can delay signature-based antivirus responses.

As cyber threats continue to evolve, LummaStealer’s ability to adapt and exploit new vectors poses a significant challenge for cybersecurity efforts.

The use of social engineering tactics like ClickFix underscores the importance of user awareness and vigilance in preventing such attacks.

With its increasing prevalence and sophisticated methods, LummaStealer is expected to remain a major threat in the coming months.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.