
Fake CAPTCHA Campaign Deploys Lumma Stealer in Cross-Industry Attacks – Active IOCs

Severity

High

Analysis Summary

A recent global malware campaign exploiting fake CAPTCHA verification pages has been identified as a delivery method for the Lumma information stealer, a malware-as-a-service (MaaS) operation.

According to the researchers, this campaign, which targets industries such as healthcare, banking, marketing, and particularly telecom, uses compromised websites to direct victims to fake CAPTCHA pages. These pages instruct users to execute a command via the Windows Run prompt using the mshta.exe binary, which downloads and executes a malicious HTA file. This technique bypasses browser-based defenses because users are manipulated into performing the malicious steps manually, outside the browser context.

The malicious HTA file triggers a multi-stage infection process. It executes a PowerShell command to download additional scripts, including one that unpacks and loads the Lumma payload. The malware also employs techniques to bypass the Windows Antimalware Scan Interface (AMSI), improving its ability to evade detection. This campaign builds on previously used methods, such as the ClickFix technique, which relied on Base64-encoded PowerShell scripts to deploy the Lumma Stealer. The campaign's complexity, combined with its use of varied delivery methods and payloads, makes detection and mitigation particularly challenging.
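As an added illustration of how the delivery chain described above appears in endpoint telemetry (example code written for this page, not tooling from the original advisory), the following Python applies three detection rules to constructed process-creation events. The field names loosely mimic Sysmon Event ID 1 but are an assumption; the hostname, paths and command lines in the sample events are placeholders.

```python
"""Detection rules for the mshta.exe-based fake CAPTCHA delivery chain.

Added example, not code from the original advisory. Event field names
(Image, ParentImage, CommandLine) are an assumption modelled on Sysmon
Event ID 1; adapt them to your own telemetry schema.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry. The domain is a reserved placeholder and
# the second-stage command line is deliberately redacted.
SAMPLE_EVENTS = [
    # Run-prompt step from the advisory: explorer.exe launches mshta.exe
    # with a remote URL instead of a local .hta file.
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://fake-captcha.invalid/verify.hta"},
    # Second stage: PowerShell spawned by the HTA.
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -c <redacted>"},
    # Benign: an installer opening a local HTA.
    {"id": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Benign: PowerShell started from a console.
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Return the lower-cased file name of a Windows image path ('' if empty)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of rule names that fire on a single event."""
    hits = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Rule 1: mshta.exe handed a remote URL. Legitimate HTA use almost always
    # points at a local file, so a URL argument is a strong signal on its own.
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")
    # Rule 2: the same, but launched directly by explorer.exe, which is what a
    # user pasting into the Run prompt looks like (higher confidence).
    if image == "mshta.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
        hits.append("mshta_from_explorer")
    # Rule 3: a script host whose parent is mshta.exe, i.e. the second stage.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("script_host_child_of_mshta")
    return hits


def scan(events):
    """Return {event id: [rules]} for every event that matched at least one rule."""
    hits = {}
    for event in events:
        rules = classify(event)
        if rules:
            hits[event["id"]] = rules
    return hits


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Rules 1 and 3 are the ones worth alerting on in isolation; rule 2 is a confidence booster that a SIEM can use to raise severity. The tuple of rules per event is returned rather than printed so the logic can be unit-tested against recorded telemetry before deployment.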

Adding to the threat, Lumma has recently been spread via counterfeit domains impersonating legitimate platforms such as Reddit and WeTransfer. These domains trick users into downloading password-protected archive files containing an AutoIt-based dropper named SelfAU3, which installs the stealer. Similar techniques were used earlier in 2023, when over 1,300 fake AnyDesk domains distributed the Vidar Stealer malware. This highlights the continual evolution of the delivery mechanisms attackers use to increase their reach and efficacy.

In parallel, an updated Phishing-as-a-Service toolkit, Tycoon 2FA, has emerged, employing advanced techniques to bypass security tools. It leverages compromised email accounts to distribute phishing emails and uses methods such as detecting automated scripts and disabling right-click context menus to hinder analysis. Other social engineering attacks exploit Gravatar's Profiles as a Service to mimic trusted platforms such as AT&T, Proton Mail, and Comcast, creating convincing fake profiles to steal user credentials. Researchers note that, taken together, these developments underline the growing sophistication of threat actors and the need for enhanced vigilance and robust security measures.

Impact

  • Sensitive Data Theft
  • Security Bypass
  • Gain Access
  • Unauthorized Remote Access

Indicators of Compromise

MD5

  • edc1a96e3ac9d13654e1dcb4d7f6a37c
  • 1d7d6cf1329fcc28d82778f4406d9245
  • e53474ed38d9da707eb7783b5478a2ec
  • 380565ca4713bf766a6b7136f9d46382
  • 83c30841c22491cc465206e3e26a5571
  • d5a675995c0e20c53991595252306b18
  • 93b8729bbb1d413bfd44436d0c544116
  • a181e4f186f156cbb238984f8a5bf4e6
  • 00317b9ff31f7aa93f7c7891e0202331
  • 0ba2afe43cc4deed266354b1c2cfb5a7
  • 82e5e8ec8e4e04f4d5808077f38752ba

SHA-256

  • 7c9a3eabeb068763092fca08d072975c13a67bc37841d285a0d4c938db9fc77c
  • b6b40b5ea885c88c01dcf9e624f196a45653dca291dedbfc2cf1986e0e5bb80c
  • 78fd8a550435256665bd6c86952410817faf63d4a6def28f9bae902650b5217e
  • 4ba716e6555cdccb8eff7eba291fc9792af1e26b047cee77f4df93d8bac06397
  • b2f77faf3b345403275fb179fa0ac7de6f769e04c48b322afdeecfdfbab50f3c
  • 4a4946f5dd56005d4b637b64113c8245aab78b19995d758d4857ca0ca6bcfc69
  • 179e242265226557187b41ff81b7d4eebbe0d5fe5ff4d6a9cfffe32c83934a46
  • 007969cf64583d251ed63eda2c365f6cbfd768f37d05e699415d166021b3e294
  • 676550965b9ca97782aab492e2ab86d85c7350aaeeacae99493b14bbc81bd146
  • 02a0bba5b3cc6a650d611c2f6d6a8ce6a696c230521f0de43824a19ced716acd
  • b94ddefd39d32a753564e6871d11750fa56b993cad3ea40955139e584ad3bef8

SHA-1

  • 94402729e186b52355a40c03636cd18193c7e904
  • 1fbfd280080f8f5a30e71b14d86faba8d3d4c36a
  • 68e418dbb58dadbf4d1b1cb2a391f02bb875faa6
  • 5e66f117d81ebc27a0550dcb2981b8604f6bb2ba
  • 8ab8d0d8479d6f8196c7f0e0a00944f30c67bd00
  • 5b5b2a8cf55c79510ffaed04658a13fa35ae16b9
  • 472e33f1cc16f33769bf58ad53d8fd76926d463e
  • 58c4adc3d4a848ae10bc29cf97dc5a70efa4c939
  • 411dd70cf03dcbdb83cb255d12ddb8469dc88bcc
  • 7eb88057c40abd03bc9bcc0041e1927af7cbc7f5
  • 1d9f4a9f2664d2d02cf667dff849d9869a35a1b9

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
  • Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
  • Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
  • Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
  • Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
  • Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
  • Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
  • Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
  • Block the execution of HTA files and restrict macros in email attachments and downloaded files.
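The first two remediation items ask for the listed indicators to be blocked and searched for. As an added example of the search step (written for this page, not tooling from the original advisory), the following Python walks a directory, computes MD5, SHA-1 and SHA-256 of each file in a single pass, and reports any file whose digest appears in the hash lists published above. The directory to sweep is supplied by the caller and is an assumption; the hash values themselves are the advisory's.

```python
"""Hash-based IOC sweep for the indicators listed in the advisory above.

Added example, not code from the original advisory. The hash sets are the
advisory's published values; the directory scanned is chosen by the caller.
"""
import hashlib
import os
from pathlib import Path

MD5_IOCS = {
    "edc1a96e3ac9d13654e1dcb4d7f6a37c", "1d7d6cf1329fcc28d82778f4406d9245",
    "e53474ed38d9da707eb7783b5478a2ec", "380565ca4713bf766a6b7136f9d46382",
    "83c30841c22491cc465206e3e26a5571", "d5a675995c0e20c53991595252306b18",
    "93b8729bbb1d413bfd44436d0c544116", "a181e4f186f156cbb238984f8a5bf4e6",
    "00317b9ff31f7aa93f7c7891e0202331", "0ba2afe43cc4deed266354b1c2cfb5a7",
    "82e5e8ec8e4e04f4d5808077f38752ba",
}
SHA1_IOCS = {
    "94402729e186b52355a40c03636cd18193c7e904", "1fbfd280080f8f5a30e71b14d86faba8d3d4c36a",
    "68e418dbb58dadbf4d1b1cb2a391f02bb875faa6", "5e66f117d81ebc27a0550dcb2981b8604f6bb2ba",
    "8ab8d0d8479d6f8196c7f0e0a00944f30c67bd00", "5b5b2a8cf55c79510ffaed04658a13fa35ae16b9",
    "472e33f1cc16f33769bf58ad53d8fd76926d463e", "58c4adc3d4a848ae10bc29cf97dc5a70efa4c939",
    "411dd70cf03dcbdb83cb255d12ddb8469dc88bcc", "7eb88057c40abd03bc9bcc0041e1927af7cbc7f5",
    "1d9f4a9f2664d2d02cf667dff849d9869a35a1b9",
}
SHA256_IOCS = {
    "7c9a3eabeb068763092fca08d072975c13a67bc37841d285a0d4c938db9fc77c",
    "b6b40b5ea885c88c01dcf9e624f196a45653dca291dedbfc2cf1986e0e5bb80c",
    "78fd8a550435256665bd6c86952410817faf63d4a6def28f9bae902650b5217e",
    "4ba716e6555cdccb8eff7eba291fc9792af1e26b047cee77f4df93d8bac06397",
    "b2f77faf3b345403275fb179fa0ac7de6f769e04c48b322afdeecfdfbab50f3c",
    "4a4946f5dd56005d4b637b64113c8245aab78b19995d758d4857ca0ca6bcfc69",
    "179e242265226557187b41ff81b7d4eebbe0d5fe5ff4d6a9cfffe32c83934a46",
    "007969cf64583d251ed63eda2c365f6cbfd768f37d05e699415d166021b3e294",
    "676550965b9ca97782aab492e2ab86d85c7350aaeeacae99493b14bbc81bd146",
    "02a0bba5b3cc6a650d611c2f6d6a8ce6a696c230521f0de43824a19ced716acd",
    "b94ddefd39d32a753564e6871d11750fa56b993cad3ea40955139e584ad3bef8",
}
IOC_SETS = {"md5": MD5_IOCS, "sha1": SHA1_IOCS, "sha256": SHA256_IOCS}


def file_digests(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of one file in a single read pass."""
    # usedforsecurity=False lets md5/sha1 run on FIPS-restricted builds;
    # they are used here only as lookup keys, not as integrity guarantees.
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in IOC_SETS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests, ioc_sets=IOC_SETS):
    """Return the set of algorithms whose digest appears in the IOC lists."""
    return {name for name, value in digests.items()
            if value.lower() in ioc_sets.get(name, set())}


def sweep(root, ioc_sets=IOC_SETS):
    """Walk root and return {file path: sorted matched algorithms} for IOC hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                algos = match_digests(file_digests(path), ioc_sets)
            except OSError:
                continue  # unreadable or vanished file; a real sweep should log this
            if algos:
                hits[str(path)] = sorted(algos)
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algos in sweep(target).items():
        print(f"MATCH {path}: {', '.join(algos)}")
```

Matching on all three algorithms at once costs nothing extra beyond the single read, and it tolerates IOC feeds that publish only one hash type per sample. Run it as `python sweep.py <directory>`; a match should be treated as a trigger for isolating the host and collecting the file, not as a reason to delete it on the spot.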