Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer.
“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News.
“The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted.”
The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server.
It’s worth noting that a previous iteration of this technique, widely known as ClickFix, involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.
The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.
“By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all of the necessary steps outside of the browser context,” Fróes explained.
“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using different delivery methods and payloads it makes detection and blocking of such threats more complex, especially when abusing user interactions within the system.”
As recently as this month, Lumma has also been distributed via approximately 1,000 counterfeit domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.
These archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that subsequently executes the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to spin up over 1,300 domains masquerading as AnyDesk in order to push the Vidar Stealer malware.
The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”
These include the use of legitimate — possibly compromised — email accounts to send phishing emails and taking a series of steps to prevent analysis by detecting automated security scripts, listening for keystrokes that suggest web inspection, and disabling the right-click context menu.
Social engineering-oriented credential harvesting attacks have also been observed leveraging avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.
“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.
“Instead of generic phishing attempts, attackers tailor their fake profiles to resemble the legitimate services they’re mimicking closely through services that are not often known or protected.”