Lumma Stealer Malware Exploits Fake CAPTCHA Pages in Sophisticated Phishing Campaign

The Lumma Stealer malware is being distributed through a new and increasingly deceptive method: fake human verification pages. This sophisticated phishing campaign, primarily targeting Windows users, tricks individuals into running malicious PowerShell commands, leading to the theft of sensitive information. Discovered by Unit42 at Palo Alto Networks and further investigated by cybersecurity firm CloudSEK, this malware distribution technique highlights the evolving tactics used by cybercriminals to exploit unsuspecting victims.

Phishing Campaign Overview: How Lumma Stealer Infects Devices

This campaign uses fake Google CAPTCHA pages hosted on various platforms, including Content Delivery Networks (CDNs). Users are prompted to verify their humanity by clicking a button labeled "I'm not a robot." However, after clicking the button, they are asked to execute a series of commands that run a hidden PowerShell script.

The malicious script is copied to the user’s clipboard using JavaScript and, once pasted into the Run dialog (Win+R), the command fetches the Lumma Stealer malware from a remote server, compromising the user’s machine.

Technical Breakdown: How Lumma Stealer is Delivered

1. User Interaction: The user lands on a fake CAPTCHA page.
2. Phishing Prompt: The page instructs the user to paste a PowerShell command into the Run dialog box.
3. PowerShell Execution: The command, encoded in Base64, downloads the Lumma Stealer malware from a remote server.
4. Malware Activation: The Lumma Stealer is extracted and executed on the victim's system, establishing a connection with attacker-controlled domains.

This malware can steal sensitive information, including browser credentials, cryptocurrency wallets, and system data, posing a serious threat to individuals and organizations alike.

Security Experts Weigh In: The Growing Risk of PowerShell-Based Attacks

Cybersecurity experts emphasize the significant threat posed by PowerShell-based attacks. According to the 2024 Data Breach Investigations Report by Verizon, over 80% of malware attacks on Windows systems leverage PowerShell commands in some form, making it a favored tool for attackers to bypass traditional defenses.

Additionally, Vikram Thakur, Technical Director at Symantec, explains: “The use of PowerShell in malware campaigns is particularly dangerous because it operates within a legitimate system process, making it difficult for traditional antivirus solutions to detect. Attackers exploit this to their advantage, gaining control of victim systems while evading detection.”

Evasion Tactics: Advanced Techniques to Avoid Detection

The Lumma Stealer campaign incorporates several advanced evasion tactics:

• Base64 Encoding: The malicious PowerShell command is encoded to obfuscate its true purpose, making it harder for users and some security tools to identify the threat.
• Clipboard Manipulation: The phishing site uses JavaScript to place the malicious PowerShell command directly onto the user’s clipboard, tricking them into executing it.
• Use of Legitimate Platforms: Attackers are leveraging trusted platforms such as Amazon S3, Netlify, and CDN services, making it more challenging for security systems to block these malicious sites.

Potential for Wider Impact

While this campaign currently focuses on distributing Lumma Stealer, cybersecurity experts warn that the same techniques could be used to distribute other forms of malware, including ransomware or advanced persistent threats (APTs). The modular nature of the attack allows threat actors to adjust payloads based on their objectives, making this campaign particularly dangerous.

Notable Observations from the Campaign

• Malicious pages were hosted on a variety of platforms, including Amazon S3 buckets and CDN providers.
• The use of Base64 encoding and clipboard manipulation highlights the attackers’ sophisticated attempts to evade detection.
• Attackers could easily swap out Lumma Stealer for other types of malware, demonstrating the flexibility of this method.

Recommendations: How to Defend Against Lumma Stealer

To mitigate the risk of infection from this campaign, security experts recommend the following measures:

1. User Education: Educate employees and users about the risks of copying and pasting unknown commands, especially from suspicious websites.
2. Endpoint Protection: Implement robust endpoint protection solutions that can detect and block PowerShell-based attacks.
3. Network Monitoring: Monitor network traffic for unusual or suspicious connections, especially to newly registered or uncommon domains.
4. Regular System Updates: Ensure that all systems are updated and patched to minimize vulnerabilities that could be exploited by malware like Lumma Stealer.
5. Disable Unnecessary PowerShell Usage: Limit the use of PowerShell for administrative tasks only and monitor its use to prevent unauthorized scripts from executing.

Malicious URLs Involved in the Campaign

Several malicious URLs have been identified as part of this campaign:

• hxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
• hxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html
• hxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html
• hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
• hxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html
• hxxps[://]newvideozones[.]click/veri[.]html
• hxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html

The Lumma Stealer malware campaign is a stark reminder of the evolving tactics used by cybercriminals to distribute malware. By exploiting fake CAPTCHA pages and using PowerShell-based attacks, these threat actors are able to bypass traditional defenses and compromise user systems. Organizations must remain vigilant, educate their users, and implement comprehensive security measures to defend against these types of sophisticated phishing attacks.