Full Report
Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma stealer malware. Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites. "The attacker uses SEO to trick victims into
Analysis Summary
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is a fully-featured crimeware solution distributed via a Malware-as-a-Service (MaaS) model, designed to harvest a wide range of information from compromised Windows hosts. It has recently been seen distributed via a widespread phishing campaign utilizing fake CAPTCHA images in PDF documents, search engine optimization (SEO) poisoning, and the ClickFix technique to execute malicious PowerShell commands.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows
- Capabilities: Information theft from infected hosts, SOCKS5 proxy functionality via GhostSocks integration.
- First Seen: Information on the exact first appearance is not provided, but it was operating under a MaaS model and integrating with GhostSocks in early 2024.
## MITRE ATT&CK Mapping
The primary delivery and execution methods observed map to:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via PDF lure)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0011 - Collection**
  - T1119 - Automated Collection
- **TA0010 - Command and Control**
  - T1071 - Application Layer Protocol (Implied C2 communication)
## Functionality
### Core Capabilities
- Harvesting a wide range of information from infected Windows hosts.
- Offered as a Malware-as-a-Service (MaaS).
### Advanced Features
- **GhostSocks Integration:** Integration with Golang-based proxy malware (GhostSocks) to add SOCKS5 backconnect functionality. This allows attackers to bypass geographic restrictions and IP-based integrity checks, notably those enforced by financial institutions, by leveraging the victim's internet connection for follow-on access.
## Indicators of Compromise
*Note: Specific IoCs for the Lumma Stealer binaries themselves are not provided in the context, only the delivery mechanism.*
- File Hashes: [Not provided in context]
- File Names: [Not provided in context, but delivered via PDF lures]
- Registry Keys: [Not provided in context]
- Network Indicators: C2 infrastructure details for Lumma Stealer are not explicitly listed in the context, so none are given here.
- Behavioral Indicators: Execution of **MSHTA** commands leading to **PowerShell** script execution upon interaction with the fake CAPTCHA lure.
## Associated Threat Actors
Threat actors utilizing the MaaS model for Lumma Stealer, as well as groups observed in the recent phishing campaigns leveraging SEO, fake CAPTCHAs, and PDF lures.
## Detection Methods
- Signature-based detection: Applicable to known Lumma Stealer binaries.
- Behavioral detection: Monitoring for MSHTA executing PowerShell scripts in the context of user interaction with documents or fake verification pages.
- YARA rules: [Not available in context]
## Mitigation Strategies
- **User Education:** Skepticism towards unverified sources, particularly search engine results leading to unexpected documents or downloads. Caution regarding links in YouTube videos, comments, or descriptions.
- **Endpoint Protection:** Detect and block execution paths involving MSHTA spawning PowerShell, especially under unusual circumstances (e.g., triggered by a document interaction).
- **Network Filtering:** Block traffic to known malicious domains hosting phishing pages or PDF files.
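The behavioral detection above (MSHTA leading to PowerShell) and the matching endpoint-protection mitigation can be prototyped as a process-ancestry check over process-creation telemetry. The block below is an added example, not code from the original report or from Netskope; the Sysmon-style JSON records are hand-constructed for the example, the field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption about how the telemetry was exported, and the lure host `lure.example.invalid` is a placeholder. It flags any `powershell.exe` whose ancestry (up to five levels, so an intermediate `cmd.exe` does not hide it) contains `mshta.exe`, and annotates the finding with the suspicious PowerShell switches seen on the command line.

```python
import json

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# hand-written for this example: one ClickFix-like chain
# explorer.exe -> mshta.exe -> powershell.exe, plus one benign PowerShell run.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta https://lure.example.invalid/verify"},  # placeholder host
    {"pid": 400, "ppid": 300,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc QQBCAEMA"},  # QQBCAEMA = 'ABC'
    {"pid": 500, "ppid": 100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
])

# Command-line fragments that commonly accompany script-based loaders;
# they raise the priority of a hit but are not required for one.
SUSPICIOUS_ARGS = (
    "-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
    "-ep bypass", "iex", "invoke-expression", "downloadstring",
)


def parse_events(jsonl):
    """Index JSON-lines process-creation records by process id."""
    events = {}
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            events[rec["pid"]] = rec
    return events


def image_name(path):
    """Lower-cased file name of an image path (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid, max_depth=5):
    """Image names from the process itself up through its ancestors."""
    chain = []
    cur = events.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur["image"]))
        cur = events.get(cur["ppid"])
    return chain


def score_powershell_cmdline(cmdline):
    """Return the suspicious switches present on a PowerShell command line."""
    low = cmdline.lower()
    return [flag for flag in SUSPICIOUS_ARGS if flag in low]


def find_mshta_powershell_chains(jsonl):
    """Flag powershell.exe processes with mshta.exe anywhere in their ancestry."""
    events = parse_events(jsonl)
    findings = []
    for pid, rec in events.items():
        if image_name(rec["image"]) != "powershell.exe":
            continue
        chain = ancestry(events, pid)
        if "mshta.exe" in chain[1:]:
            findings.append({
                "pid": pid,
                "chain": chain,
                "flags": score_powershell_cmdline(rec["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_mshta_powershell_chains(SAMPLE_EVENTS):
        print(hit["pid"], " <- ".join(hit["chain"]), hit["flags"])
```

The benign `inventory.ps1` run is not reported because nothing in its ancestry is `mshta.exe`; in production the same walk should also be applied to `cmd.exe`, `wscript.exe` and `curl.exe` children, since ClickFix-style lures vary the interpreter they ask the victim to paste into.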
## Related Tools/Techniques
- **ClickFix Technique:** Used to trick victims into running the MSHTA command after clicking on the CAPTCHA lure.
- **Other Stealers using ClickFix:** Vidar, Atomic macOS Stealer (AMOS) (observed using ClickFix with DeepSeek AI lures).
- **Delivery Lures:** Fake Roblox games, cracked Total Commander versions, YouTube video descriptions.
- **Obfuscation:** Phishing attacks also noted using an obfuscation method employing invisible Unicode characters (U+FFA0 and U+3164) to represent binary values (though this was noted in a separate, concurrent analysis).
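The Unicode-filler obfuscation noted in the last item is easy to miss in a text viewer because both code points render as nothing. The block below is an added example for analysts, not code from the original report or from the separate analysis it cites: it locates runs of U+3164 (Hangul Filler) and U+FFA0 (Halfwidth Hangul Filler) in a string and decodes them as a bit stream. The bit assignment (U+3164 as 0, U+FFA0 as 1) is an assumption for the example, since the page does not state it, so the scanner also reports the decoding under the opposite polarity; the sample payload is a constructed 16-bit string that spells `hi`.

```python
# Both fillers are invisible in most renderers, which is the whole point
# of the obfuscation; a defender's scanner has to look for them by code point.
FILLER_ZERO = "\u3164"   # Hangul Filler; assumed to encode bit 0
FILLER_ONE = "\uffa0"    # Halfwidth Hangul Filler; assumed to encode bit 1
FILLERS = {FILLER_ZERO, FILLER_ONE}

# Constructed sample: a JavaScript-like line whose string literal is 16 invisible
# fillers encoding 0x68 0x69 ('hi') under the assumed mapping.
SAMPLE = (
    'var s = "'
    "\u3164\uffa0\uffa0\u3164\uffa0\u3164\u3164\u3164"   # 01101000 = 'h'
    "\u3164\uffa0\uffa0\u3164\uffa0\u3164\u3164\uffa0"   # 01101001 = 'i'
    '";'
)


def filler_runs(text, min_len=8):
    """(start, end) spans of consecutive filler characters of at least min_len."""
    runs = []
    start = None
    for i, ch in enumerate(text):
        if ch in FILLERS:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, i))
            start = None
    if start is not None and len(text) - start >= min_len:
        runs.append((start, len(text)))
    return runs


def decode_run(run_text, one=FILLER_ONE):
    """Map a filler run to bytes, treating `one` as bit 1; trailing partial byte dropped."""
    bits = "".join("1" if ch == one else "0" for ch in run_text)
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def scan(text):
    """Report every filler run with both candidate decodings."""
    report = []
    for start, end in filler_runs(text):
        run = text[start:end]
        report.append({
            "span": (start, end),
            "decoded": decode_run(run),                      # assumed polarity
            "decoded_alt": decode_run(run, one=FILLER_ZERO),  # opposite polarity
        })
    return report


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["span"], hit["decoded"], hit["decoded_alt"])
```

Because the fillers carry no visible glyph, a simple count of these two code points in a script or document body is itself a strong indicator; legitimate text almost never contains eight or more of them in a row.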