Full Report
Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at
Analysis Summary
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware operating on a Malware-as-a-Service (MaaS) model. It is currently being distributed via a global campaign that abuses fake CAPTCHA verification pages to trick victims into executing malicious commands, which ultimately download and run the final payload.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Utilizes native Windows binaries like `mshta.exe`)
- Capabilities: Stealing sensitive information, bypassing security controls (AMSI), and adapting its delivery mechanisms over time.
- First Seen: Not explicitly stated, but noted as "extremely active in the past months" relative to the article date.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application (Implied via compromised website directing to fake page)
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (Initial lure via compromised site)
- TA0002 - Execution
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - `mshta.exe`
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (Triggered via Run prompt command)
    - T1059.001 - PowerShell
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Implied by payload unpacking/decoding)
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (AMSI Bypass)
## Functionality
### Core Capabilities
- **Execution via User Interaction:** Leverages social engineering to prompt victims to paste commands into the Windows Run dialog, executing malware outside the browser context to evade browser-based defenses.
- **Multi-Stage Payload Delivery:** Employs a chain involving an initial HTA file execution, followed by chained PowerShell scripts to ultimately load the Lumma payload.
- **AMSI Bypass:** Includes steps within the payload chain to actively bypass the Windows Antimalware Scan Interface (AMSI) for fileless execution.
### Advanced Features
- **MaaS Model:** Operates as a service, allowing affiliates to leverage its capabilities.
- **Delivery Diversity:** Known to adapt delivery methods, including using fake CAPTCHA pages, redirecting from compromised sites, and utilizing password-protected archives distributed via counterfeit domains (impersonating Reddit, WeTransfer).
- **Past Variants:** Previous related techniques involved using Base64-encoded PowerShell scripts (known in the context of "ClickFix" and delivering Lumma).
## Indicators of Compromise
*Note: Specific hashes and IPs are not provided in the context, only general observed techniques.*
- File Hashes: [Not explicitly listed]
- File Names: [HTA file, PowerShell scripts (next-stage payloads)]
- Registry Keys: [Not explicitly listed]
- Network Indicators: [Remote server hosting HTA file download]
- Behavioral Indicators:
  - Execution of `mshta.exe` with parameters to download remote content.
  - Subsequent execution of PowerShell scripts showing AMSI evasion attempts.
  - User prompts related to CAPTCHA verification leading to command line execution.
## Associated Threat Actors
- Threat actors utilizing the Lumma Stealer MaaS infrastructure. (No specific group names are definitively linked to *this specific* CAPTCHA campaign in the text, only the malware service itself).
## Detection Methods
- Signature-based detection: Detection on the known Lumma final payload.
- Behavioral detection: Monitoring for the unusual sequence of user interaction (copying commands) that results in `mshta.exe` downloading and executing HTA/PowerShell scripts.
- YARA rules: [Not explicitly listed]
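The behavioral detection above, as an added example that is not part of the original report or Netskope's tooling: it scans process-creation events (Sysmon Event ID 1 style fields, names assumed) for `mshta.exe` launched with a remote URL, weighting a launch from `explorer.exe` higher because commands pasted into the Run dialog appear as children of the shell, and then flags any PowerShell that `mshta.exe` spawns. The sample events and the URL are constructed.

```python
"""Detect the fake-CAPTCHA chain: mshta.exe fetching remote content, then PowerShell."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions, not a real schema)."""
    pid: int
    ppid: int
    image: str          # basename of the executable
    cmdline: str
    parent_image: str   # basename of the parent executable


def is_mshta_remote(ev: ProcessEvent) -> bool:
    """True when mshta.exe is given a remote URL, the HTA download stage of the chain."""
    return ev.image.lower() == "mshta.exe" and URL_RE.search(ev.cmdline) is not None


def detect_chain(events):
    """Return (severity, message) alerts for the mshta -> PowerShell sequence."""
    alerts = []
    mshta_pids = set()
    for ev in events:
        if is_mshta_remote(ev):
            mshta_pids.add(ev.pid)
            # A Run-dialog launch shows up as a child of explorer.exe.
            sev = "high" if ev.parent_image.lower() == "explorer.exe" else "medium"
            alerts.append((sev, f"mshta.exe fetched remote content: {ev.cmdline}"))
        elif ev.image.lower() in ("powershell.exe", "pwsh.exe") and ev.ppid in mshta_pids:
            note = " (command line references AMSI)" if "amsi" in ev.cmdline.lower() else ""
            alerts.append(("critical", f"PowerShell spawned by mshta.exe{note}: pid {ev.pid}"))
    return alerts


# Constructed sample events (not real telemetry); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe", "wininit.exe"),
    ProcessEvent(200, 100, "mshta.exe", "mshta https://example.invalid/verify.hta", "explorer.exe"),
    ProcessEvent(300, 200, "powershell.exe", "powershell -NoProfile -Command ...", "mshta.exe"),
    ProcessEvent(400, 100, "mshta.exe", "mshta C:\\Users\\u\\local.hta", "explorer.exe"),  # benign
]

if __name__ == "__main__":
    for severity, message in detect_chain(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Event 400 (a local HTA with no URL) produces no alert, which keeps ordinary local `mshta.exe` use out of the signal.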
## Mitigation Strategies
- Prevention measures: Educating users against executing commands sourced from external websites, even if presented as verification steps (like CAPTCHA).
- Hardening recommendations:
  - Restricting execution rights for common scripting engines where possible.
  - Ensuring robust Endpoint Detection and Response (EDR) solutions are in place to monitor and alert on `mshta.exe` execution anomalies and AMSI bypass attempts.
## Related Tools/Techniques
- **ClickFix/Clipboard Hijacker:** A previous iteration employing a similar social engineering technique to deploy Lumma using Base64-encoded PowerShell.
- **Vidar Stealer:** Mentioned as being distributed via a similar domain masquerading technique impersonating AnyDesk in early 2023.
- **Tycoon 2FA:** A PhaaS toolkit employing advanced anti-analysis and detection evasion techniques in phishing campaigns (different tool, similar focus on anti-analysis).