Malware

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA pages to deliver the Lumma Stealer malware.

Lumma, a malware-as-a-service (MaaS) tool that has been active since at least 2022, is designed to steal sensitive information from infected systems.

The campaign has targeted victims across multiple countries, including Argentina, Colombia, the United States, and the Philippines, and spans industries such as healthcare, banking, marketing, and telecommunications, the latter being the most affected sector.

The attackers employ various delivery methods for Lumma Stealer, including cracked software, Discord’s Content Delivery Network (CDN), and malicious CAPTCHA pages.

The infection chain involves advanced techniques such as process hollowing and PowerShell one-liners to evade detection.

Researchers identified new payloads, websites using malvertising tactics, and open-source tools incorporated to bypass security controls.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Infection Chain and Social Engineering

The infection begins when victims are redirected to a fake CAPTCHA page that instructs them to perform specific actions outside their web browser.

Fake CAPTCHA instruction

These instructions include opening the Windows Run dialog (via Windows+R), pasting clipboard content (CTRL+V), and executing it by pressing ENTER.

This sequence triggers the next stage of the infection chain by downloading and executing malicious code on the victim’s machine.

By requiring user interaction outside the browser context, this method bypasses browser-based cybersecurity defenses.

The fake CAPTCHA mechanism uses JavaScript to add a malicious command to the clipboard.

Example of the malicious command in the Run window

This command exploits the mshta.exe Windows tool, a legitimate binary often abused in living-off-the-land (LOLBIN) attacks to download and execute an HTA file from a remote server.

The downloaded files often masquerade as benign file types (e.g., .mp3 or .accdb) but contain malicious JavaScript snippets.

Once executed, these snippets use PowerShell to decode base64-encoded data and execute further stages of the malware.

Payload Execution

The second stage involves a large obfuscated PowerShell script that performs operations like deobfuscating strings and decoding base64 data using XOR encryption with a predefined key.

This script ultimately executes another PowerShell script that bypasses Windows Antimalware Scan Interface (AMSI) protections by modifying memory associated with the “clr.dll” module.

This AMSI bypass prevents detection of the final payload, a Portable Executable (PE) file containing Lumma Stealer, which is loaded into memory and executed reflectively.

The attackers also use tools like Babel for additional obfuscation, making analysis more challenging.

Netskope researchers observed that some payloads included open-source AMSI bypass implementations, highlighting how attackers leverage publicly available tools to enhance evasion capabilities.

The Lumma Stealer campaign has demonstrated its adaptability by employing diverse delivery methods, payloads, and evasion techniques.

Its reliance on user interaction outside browsers adds complexity to detection efforts.

As Lumma Stealer continues to evolve within the MaaS ecosystem, its ability to exploit user interactions and abuse trusted system binaries poses significant challenges for cybersecurity defenses.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick to…

2 days ago

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using compromised…

2 days ago

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign targeting…

2 days ago

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global companies,…

2 days ago

REF7707 Hackers Target Windows & Linux Systems with FINALDRAFT Malware

Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across…

2 days ago

NVIDIA Container Toolkit Vulnerable to Code Execution Attacks

NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in the…

2 days ago