In the past four weeks, a significant increase in malware distribution attempts via fake Captcha campaigns has been observed, targeting over 1.4 million users.
Lumma Stealer, a hazardous malware designed for data theft, is the primary payload being distributed.
Cybercriminals leverage phishing emails, such as the recent GitHub Security Team impersonation, to lure victims to malicious websites hosting these malicious Captcha campaigns.
.png
)
When users click on the malicious link, they are taken to a misleading Captcha screen to trick them into copying a malicious script to their clipboard.
Once copied, the script is executed through instructions provided on the screen, typically involving the Win+R prompt or command line, which leads to the installation of malware on the user’s system, potentially compromising their personal information and system security.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
The malicious PowerShell script leverages a JavaScript-enabled button to trick users into copying the script to their clipboard.
Once executed, the script connects to a remote command-and-control server to download a malicious payload.
It could be either the Lumma Stealer malware or an intermediary loader that ultimately drops the stealer onto the victim’s system.
The script’s primary goal is to steal sensitive information from the compromised machine.
The malicious script, initiated by the user, downloads a secondary PowerShell script from a GitHub repository.
This script communicates with a command-and-control server to retrieve the final Lumma Stealer payload disguised as a legitimate application named SysSetup.exe.
After that, the payload is executed from a temporary directory, which may leave sensitive user data and system functions vulnerable to security breaches.
Recent data reveals a significant surge in fake Captcha campaigns, with Italy, Argentina, France, Spain, and Brazil experiencing the highest impact.
Over the past four weeks, these attacks have targeted millions of unique users worldwide.
The heatmap illustrates the geographical spread of these campaigns, highlighting the regions most vulnerable to such malicious activities, underscoring the escalating threat posed by fake Captcha attacks and the urgent need for robust countermeasures.
The provided Indicators of Compromise (IoCs) reveal a malicious campaign that deploys the Lumma Stealer malware using a GitHub-based command-and-control (C&C) server and a PowerShell script.
According to Gen Digital, to protect against such threats, users should exercise caution when dealing with unsolicited emails, avoid executing unknown scripts, enable two-factor authentication, and employ a reputable antivirus solution to detect and prevent malware infections.
Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free
