- Security researchers spot campaign to distribute Lumma Stealer malware
- A fake CAPTCHA page comes with a JavaScript that copies malicious code into the clipboard
- To “solve” the fake CAPTCHA, users are told to paste the code in CMD and run it
Fake CAPTCHA pages are being used to trick victims into downloading and running the Lumma infostealer malware.
Security researchers at Guardio Labs recently discovered a major malicious operation, targeting millions of people, called “DeceptionAds”.
The campaign abuses two legitimate services, the Monetag ad network and BeMob, a cloud-based performance tracking platform. It starts with fake ads, promoting things that appeal to the host site’s audience, such as fake offers, downloads, or different services – with pirate streaming and software platforms apparently among the most common themes.
Vane Viper
When the victim clicks on the ad, they are redirected to a fake CAPTCHA page through the BeMob cloaking service. This makes moderation difficult, since BeMob is a legitimate service, and as such, is not being removed from the Monetag ad network by default.
“By supplying a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag’s content moderation efforts,” Nati Tal, head of Guardio Labs, said in a writeup.
The CAPTCHA page comes with a piece of JavaScript code that copies a malicious PowerShell one-line command into the clipboard. However, the victim still needs to paste that code into the CMD and run it, which is where the CAPTCHA “solution” comes in. To solve the CAPTCHA, users are required to bring up the Windows Run dialog, press CTRL+V (paste), and hit enter.
This runs the command that downloads and executes Lumma Stealer. The group behind the attack is called Vane Viper.
Lumma is a popular infostealer in the underground community. It is capable of stealing a wide range of sensitive information , including cryptocurrency wallets, browser data, email credentials, financial information, FTP client data, and system information.
When Monetag and BeMob were notified of the campaign, both companies stepped in to address the issue. Monetag removed 200 accounts, while BeMob terminated the campaign in four days.
Via BleepingComputer
Leave a comment