Cybersecurity researchers have uncovered a widespread phishing marketing campaign that makes use of pretend CAPTCHA photographs shared by way of PDF paperwork hosted on Webflow’s content material supply community (CDN) to ship the Lumma stealer malware.
Netskope Risk Labs mentioned it found 260 distinctive domains internet hosting 5,000 phishing PDF recordsdata that redirect victims to malicious web sites.
“The attacker makes use of search engine marketing to trick victims into visiting the pages by clicking on malicious search engine outcomes,” safety researcher Jan Michael Alcantara mentioned in a report shared with The Hacker Information.
“Whereas most phishing pages deal with stealing bank card info, some PDF recordsdata comprise pretend CAPTCHAs that trick victims into executing malicious PowerShell instructions, in the end resulting in the Lumma Stealer malware.”
The phishing marketing campaign is estimated to have affected greater than 1,150 organizations and greater than 7,000 customers for the reason that second half of 2024, with the assaults primarily singling out victims in North America, Asia, and Southern Europe throughout expertise, monetary companies, and manufacturing sectors.
Of the 260 domains recognized to host the pretend PDFs, a majority of them are associated to Webflow, adopted by these associated to GoDaddy, Strikingly, Wix, and Fastly.
Attackers have additionally been noticed importing among the PDF recordsdata to authentic on-line libraries and PDF repositories like PDFCOFFEE, PDF4PRO, PDFBean, and Web Archive, such that customers trying to find PDF paperwork on search engines like google and yahoo are directed to them.
The PDFs comprise fraudulent CAPTCHA photographs that act as a conduit to steal bank card info. Alternatively, these distributing Lumma Stealer comprise photographs to obtain the doc that, when clicked, takes the sufferer to a malicious website.
For its half, the positioning masquerades as a pretend CAPTCHA verification web page that employs the ClickFix method to deceive the sufferer into working an MSHTA command that executes the stealer malware by the use of a PowerShell script.
In latest weeks, Lumma Stealer has additionally been disguised as Roblox video games and a cracked model of the Complete Commander software for Home windows, highlighting the myriad supply mechanisms adopted by numerous menace actors. Customers are redirected to those web sites by YouTube movies doubtless uploaded from beforehand compromised accounts.
“Malicious hyperlinks and contaminated recordsdata are sometimes disguised in [YouTube] movies, feedback, or descriptions,” Silent Push mentioned. “Exercising warning and being skeptical of unverified sources when interacting with YouTube content material, particularly when prompted to obtain or click on on hyperlinks, can assist defend in opposition to these rising threats.”
The cybersecurity firm additional discovered that Lumma Stealer logs are being shared at no cost on a comparatively new hacking discussion board referred to as Leaky[.]professional that went operational in late December 2024.
Lumma Stealer is a fully-featured crimeware resolution that is supplied on the market below the malware-as-a-service (MaaS) mannequin, giving a method for cybercriminals to reap a variety of knowledge from compromised Home windows hosts. In early 2024, the malware operators introduced an integration with a Golang-based proxy malware named GhostSocks.
“The addition of a SOCKS5 backconnect characteristic to current Lumma infections, or any malware for that matter, is extremely profitable for menace actors,” Infrawatch mentioned.
“By leveraging victims’ web connections, attackers can bypass geographic restrictions and IP-based integrity checks, notably these enforced by monetary establishments and different high-value targets. This functionality considerably will increase the likelihood of success for unauthorized entry makes an attempt utilizing credentials harvested by way of infostealer logs, additional enhancing the post-exploitation worth of Lumma infections.”
The disclosures come as stealer malware like Vidar and Atomic macOS Stealer (AMOS) are being distributed utilizing the ClickFix methodology by way of lures for the DeepSeek synthetic intelligence (AI) chatbot, based on Zscaler ThreatLabz and eSentire.
Phishing assaults have additionally been noticed abusing a JavaScript obfuscation methodology that makes use of invisible Unicode characters to symbolize binary values, a method that was first documented in October 2024.
The strategy entails making use of Unicode filler characters, particularly Hangul half-width (U+FFA0) and Hangul full-width (U+3164), to symbolize the binary values 0 and 1, respectively, and changing every ASCII character within the JavaScript payload to their Hangul equivalents.
“The assaults had been extremely customized, together with private info, and the preliminary JavaScript would attempt to invoke a debugger breakpoint if it had been being analyzed, detect a delay, after which abort the assault by redirecting to a benign web site,” Juniper Risk Labs mentioned.