In January, Netskope Risk Labs uncovered a classy world malware marketing campaign leveraging pretend CAPTCHA pages to ship the Lumma Stealer malware.
Lumma, a malware-as-a-service (MaaS) software that has been energetic since at the very least 2022, is designed to steal delicate data from contaminated programs.
The marketing campaign has focused victims throughout a number of nations, together with Argentina, Colombia, america, and the Philippines, and spans industries reminiscent of healthcare, banking, advertising, and telecommunications, the latter being essentially the most affected sector.
The attackers make use of numerous supply strategies for Lumma Stealer, together with cracked software program, Discord’s Content material Supply Community (CDN), and malicious CAPTCHA pages.
The an infection chain includes superior strategies reminiscent of course of hollowing and PowerShell one-liners to evade detection.
Researchers recognized new payloads, web sites utilizing malvertising techniques, and open-source instruments integrated to bypass safety controls.
Examine Actual-World Malicious Hyperlinks & Phishing Assaults With Risk Intelligence Lookup - Attempt for Free
An infection Chain and Social Engineering
The an infection begins when victims are redirected to a pretend CAPTCHA web page that instructs them to carry out particular actions exterior their net browser.
These directions embrace opening the Home windows Run dialog (through Home windows+R), pasting clipboard content material (CTRL+V), and executing it by urgent ENTER.
This sequence triggers the subsequent stage of the an infection chain by downloading and executing malicious code on the sufferer’s machine.
By requiring person interplay exterior the browser context, this technique bypasses browser-based cybersecurity defenses.
The pretend CAPTCHA mechanism makes use of JavaScript so as to add a malicious command to the clipboard.
This command exploits the mshta.exe Home windows software, a authentic binary typically abused in living-off-the-land (LOLBIN) assaults to obtain and execute an HTA file from a distant server.
The downloaded recordsdata typically masquerade as benign file varieties (e.g., .mp3 or .accdb) however comprise malicious JavaScript snippets.
As soon as executed, these snippets use PowerShell to decode base64-encoded knowledge and execute additional levels of the malware.
Payload Execution
The second stage includes a big obfuscated PowerShell script that performs operations like deobfuscating strings and decoding base64 knowledge utilizing XOR encryption with a predefined key.
This script finally executes one other PowerShell script that bypasses Home windows Antimalware Scan Interface (AMSI) protections by modifying reminiscence related to the “clr.dll” module.
This AMSI bypass prevents detection of the ultimate payload, a Moveable Executable (PE) file containing Lumma Stealer, which is loaded into reminiscence and executed reflectively.
The attackers additionally use instruments like Babel for extra obfuscation, making evaluation tougher.
Netskope researchers noticed that some payloads included open-source AMSI bypass implementations, highlighting how attackers leverage publicly out there instruments to reinforce evasion capabilities.
The Lumma Stealer marketing campaign has demonstrated its adaptability by using various supply strategies, payloads, and evasion strategies.
Its reliance on person interplay exterior browsers provides complexity to detection efforts.
As Lumma Stealer continues to evolve throughout the MaaS ecosystem, its means to use person interactions and abuse trusted system binaries poses vital challenges for cybersecurity defenses.
Integrating Software Safety into Your CI/CD Workflows Utilizing Jenkins & Jira -> Free Webinar