Saturday, December 14, 2024
HomeCyber AttackBeware Of Fake Captcha Attacks That Delivers Lumma Stealer Malware

Beware Of Fake Captcha Attacks That Delivers Lumma Stealer Malware

Published on

SIEM as a Service

In the past four weeks, a significant increase in malware distribution attempts via fake Captcha campaigns has been observed, targeting over 1.4 million users.

Lumma Stealer, a hazardous malware designed for data theft, is the primary payload being distributed. 

Cybercriminals leverage phishing emails, such as the recent GitHub Security Team impersonation, to lure victims to malicious websites hosting these malicious Captcha campaigns.

- Advertisement - SIEM as a Service
 email directs the user to a malicious website
 email directs the user to a malicious website

When users click on the malicious link, they are taken to a misleading Captcha screen to trick them into copying a malicious script to their clipboard. 

Once copied, the script is executed through instructions provided on the screen, typically involving the Win+R prompt or command line, which leads to the installation of malware on the user’s system, potentially compromising their personal information and system security.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

The malicious PowerShell script leverages a JavaScript-enabled button to trick users into copying the script to their clipboard.

Once executed, the script connects to a remote command-and-control server to download a malicious payload. 

Verification Steps
Verification Steps

It could be either the Lumma Stealer malware or an intermediary loader that ultimately drops the stealer onto the victim’s system.

The script’s primary goal is to steal sensitive information from the compromised machine.

The malicious script, initiated by the user, downloads a secondary PowerShell script from a GitHub repository.

This script communicates with a command-and-control server to retrieve the final Lumma Stealer payload disguised as a legitimate application named SysSetup.exe. 

After that, the payload is executed from a temporary directory, which may leave sensitive user data and system functions vulnerable to security breaches.

Download and execute additional PowerShell scripts. 
Download and execute additional PowerShell scripts. 

Recent data reveals a significant surge in fake Captcha campaigns, with Italy, Argentina, France, Spain, and Brazil experiencing the highest impact.

Over the past four weeks, these attacks have targeted millions of unique users worldwide. 

The heatmap illustrates the geographical spread of these campaigns, highlighting the regions most vulnerable to such malicious activities, underscoring the escalating threat posed by fake Captcha attacks and the urgent need for robust countermeasures.

The provided Indicators of Compromise (IoCs) reveal a malicious campaign that deploys the Lumma Stealer malware using a GitHub-based command-and-control (C&C) server and a PowerShell script. 

According to Gen Digital, to protect against such threats, users should exercise caution when dealing with unsolicited emails, avoid executing unknown scripts, enable two-factor authentication, and employ a reputable antivirus solution to detect and prevent malware infections.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...