These fake human verification pages instruct users to run hidden commands to enable the downloading of the malware.
Lumma Stealer, a recently identified information-stealing malware, is being distributed to users via fake human verification pages. According to researchers at the cybersecurity firm CloudSEK, the malware is targeting Windows devices and is designed to steal sensitive information from the infected device. Concerningly, researchers have discovered multiple phishing websites which are deploying these fake verification pages to trick users into downloading the malware. CloudSEK researchers have warned organisations to implement endpoint protection solutions and to train employees and users about this new social engineering tactic.
Lumma Stealer Malware Being Distributed Using New Phishing Technique
According to the CloudSEK report, multiple active websites were found to be spreading the Lumma Stealer malware. The technique was first discovered by Unit42 at Palo Alto Networks, a cybersecurity firm, but the scope of the distribution chain is now believed to be much larger than previously assumed.
The attackers have set up various malicious websites and have added a fake human verification system, resembling the Google Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) page. However, unlike the regular CAPTCHA page where users have to check a few boxes or perform similar pattern-based tasks to prove they are not a bot, the fake pages instruct the user to run some unusual commands.
In one instance, the researchers spotted a fake verification page asking users to execute a PowerShell script. PowerShell scripts contain a series of commands that can be executed in the Run dialog box. In this case, the commands were found to fetch the content from the a.txt file hosted on a remote server. This prompted a file to be downloaded and extracted on the Windows system, infecting it with Lumma Stealer.
The report also listed the malicious URLs which were spotted distributing the malware to unsuspecting users. However, this is not the full list and there might be more such websites carrying out the attack.
- hxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html
- hxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html
- hxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html
- hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
- hxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html
- hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html
- hxxps[://]newvideozones[.]click/veri[.]html
- hxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html
- hxxps[://]newvideozones[.]click/veri[.]html
- hxxps[://]ofsetvideofre[.]click
The researchers also observed that content delivery networks (CDNs) were being used to spread these fake verification pages. Further, the attackers were spotted using base64 encoding and clipboard manipulation to evade demonstration. It is also possible to distribute other malware using the same technique, although such instances have not been seen so far.
Since the modus operandi of the attack is based on phishing techniques, no security patch can prevent devices from getting infected. However, there are some steps users and organisations can take to safeguard against the Lumma stealer malware.
As per the report, users and employees should be made aware of this phishing tactic to help them not fall for it. Additionally, organisations should implement and maintain reliable endpoint protection solutions to detect and block PowerShell-based attacks. Further, regularly updating and patching systems to reduce the vulnerabilities that Lumma Stealer malware can exploit should also help.