Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA pages to deliver the Lumma Stealer malware.

Lumma, a malware-as-a-service (MaaS) tool that has been active since at least 2022, is designed to steal sensitive information from infected systems.

The campaign has targeted victims across multiple countries, including Argentina, Colombia, the United States, and the Philippines, and spans industries such as healthcare, banking, marketing, and telecommunications, the latter being the most affected sector.

The attackers employ various delivery methods for Lumma Stealer, including cracked software, Discord’s Content Delivery Network (CDN), and malicious CAPTCHA pages.

The infection chain involves advanced techniques such as process hollowing and PowerShell one-liners to evade detection.

Researchers identified new payloads, websites using malvertising tactics, and open-source tools incorporated to bypass security controls.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Infection Chain and Social Engineering

The infection begins when victims are redirected to a fake CAPTCHA page that instructs them to perform specific actions outside their web browser.

These instructions include opening the Windows Run dialog (via Windows+R), pasting clipboard content (CTRL+V), and executing it by pressing ENTER.

This sequence triggers the next stage of the infection chain by downloading and executing malicious code on the victim’s machine.

By requiring user interaction outside the browser context, this method bypasses browser-based cybersecurity defenses.

The fake CAPTCHA mechanism uses JavaScript to add a malicious command to the clipboard.

This command exploits the mshta.exe Windows tool, a legitimate binary often abused in living-off-the-land (LOLBIN) attacks to download and execute an HTA file from a remote server.

The downloaded files often masquerade as benign file types (e.g., .mp3 or .accdb) but contain malicious JavaScript snippets.

Once executed, these snippets use PowerShell to decode base64-encoded data and execute further stages of the malware.

Payload Execution

The second stage involves a large obfuscated PowerShell script that performs operations like deobfuscating strings and decoding base64 data using XOR encryption with a predefined key.

This script ultimately executes another PowerShell script that bypasses Windows Antimalware Scan Interface (AMSI) protections by modifying memory associated with the “clr.dll” module.

This AMSI bypass prevents detection of the final payload, a Portable Executable (PE) file containing Lumma Stealer, which is loaded into memory and executed reflectively.

The attackers also use tools like Babel for additional obfuscation, making analysis more challenging.

Netskope researchers observed that some payloads included open-source AMSI bypass implementations, highlighting how attackers leverage publicly available tools to enhance evasion capabilities.

The Lumma Stealer campaign has demonstrated its adaptability by employing diverse delivery methods, payloads, and evasion techniques.

Its reliance on user interaction outside browsers adds complexity to detection efforts.

As Lumma Stealer continues to evolve within the MaaS ecosystem, its ability to exploit user interactions and abuse trusted system binaries poses significant challenges for cybersecurity defenses.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar