Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Lumma Stealer. Show all posts
Online Security
CAPTCHA Lumma Stealer Malicious Campaign malware Online Security

Malware Campaign Expands Its Use of Fraudulent CAPTCHAs

 

Attackers are increasingly spreading malware using a unique method: a fake CAPTCHA as the initial infection vector. Researchers from multiple companies reported on this campaign in August and September. The attackers, who mainly targeted gamers, first transmitted the Lumma stealer to victims via websites hosting cracked games.

The recent adware research shows that this malicious CAPTCHA is spreading through a wide range of online resources unrelated to gaming, including adult sites, file-sharing services, betting platforms, anime resources, and web apps that monetise traffic. This shows that the distribution network is being expanded to reach a larger pool of victims. Furthermore, we discovered that the CAPTCHA distributes both Lumma and the Amadey Trojan. 

Malicious CAPTCHA

It's critical to comprehend how the attackers and their distribution network function in order to prevent falling for their tricks. Legitimate, non-malicious offers are also included in the ad network that pushes pages with the malicious CAPTCHA. 

It works as follows: the user is redirected to additional resources when they click anywhere on a page that uses the ad module. As is common with adware, the majority of redirects take users to websites that advertise security software, ad blockers, and similar products. Sometimes, though, the victim is directed to a page that contains the malicious CAPTCHA. 

Unlike genuine CAPTCHAs, which are intended to safeguard websites from bots, this copycat promotes illicit resources. As with the previous stage, the victim does not always come across malware. For example, the CAPTCHA on one of the sites invites the visitor to scan a QR code, which leads to a betting site. 

The Trojans are distributed using CAPTCHAs that provide instructions. By clicking the "I'm not a robot" button, you can copy the powershell line.exe -eC bQBzAGgAdABhA <...>MAIgA= to the clipboard and displays the following "verification steps": 

  • To open the Run dialogue box, use Win + R. 
  • Subsequently, paste the clipboard line into the text field using CTRL + V. 
  • Finally, press Enter to execute the code. 

Payload: Amadey trojan

Researchers have discovered that the same effort is also propagating the Amadey Trojan. Since 2018, Amadey has been the subject of multiple security reports. In short, the Trojan downloads multiple modules that steal credentials from major browsers and Virtual Network Computing (VNC) systems. 

It also detects cryptocurrency wallet addresses in the clipboard and replaces them with those owned by the attackers. One of the modules can also capture screenshots. In some cases, Amadey downloads the Remcos remote access tool to the victim's device, allowing the attackers complete control over it. 

From September 22 to October 14, 2024, over 140,000 users encountered ad scripts. According to Kaspersky's telemetry data, more than 20,000 of these 140,000 users were routed to infected sites, where some encountered a phoney update notification or a fake CAPTCHA. Users from Brazil, Spain, Italy, and Russia were the most commonly affected.
Read more »
Web
Browsing CAPTCHA Internet Lumma Stealer malware Web

Lumma Stealer Uses Fake CAPTCHA Pages to Distribute Malware

Lumma Stealer Uses Fake CAPTCHA Pages to Distribute Malware

Cyber security professionals are warning about a new cyber-attack vector: Lumma Stealer malware that uses fake CAPTCHA tests to spread malware on Windows devices. Users are advised to maintain caution when filling out a CAPTCHA challenge. 

“We have identified more active malicious sites spreading the Lumma Stealer. It's important to note that while this technique is currently being used to distribute Lumma Stealer, it could potentially be leveraged to deliver any type of malicious malware to unsuspecting users,” say experts from Cloud SEK.

How does CAPTCHA work?

A CAPTCHA traditionally works as a security checkpoint, making sure that online activities are started by humans and not automated bots. However, hackers are misusing the CAPTCHA for malicious gains, creating a fake CAPTCHA challenge. When a user completes it, the CAPTCHA deploys a series of malicious commands.

The fake CAPTCHA tests ask request users to press a sequence that many users think is harmless. But, doing so starts the download and activation of a Power Shell script that installs the Lumma Stealer malware.

Cybersecurity experts from Palo Alto Networks believe Lumma Stealer is an information-stealing malware used for stealing data- passwords, cookies, and cryptocurrency wallet credentials. If the malware is present on a compromised device, it exposes users to major risks of financial fraud, cyberattacks, and identity theft.

The malicious CAPTCHA has massive scale distribution, experts at Hudson Rock noticed that if a user visits compromised websites, it automatically copies the malicious script to a user's clipboard. This can increase the chances of automatic triggering of an attack.

Additionally, experts have noticed an increase in this kind of attack, meaning cybercriminals are improving and implementing their attack tactics. These fake CAPTCHA tests can be spread via phishing emails and messages, which makes them a threat.

Users can follow these steps to minimize the risks of fake CAPTCHA threats

Check URLs: Make sure the site is authentic before interacting with any CAPTCHA.

Keep systems updated: Updated OS, browsers, and antivirus software can increase your security.

Stay cautious with CAPTCHA: Stay safe from any CAPTCHA test that requests any action beyond selecting images and text input.

Follow safe browsing hygiene: Do not click links or attachments from unknown messages or emails.

Read more »
Subscribe to: Posts (Atom)