Recent investigations have uncovered a concerning infection chain leveraging fake CAPTCHA pages to distribute malware, particularly Lumma Stealer. This campaign, observed by McAfee Labs and highlighted in findings from CloudSEK, targets users globally, illustrating the extensive reach of this attack method.<\/p>\n
The infection chain involves two primary vectors leading users to fake CAPTCHA pages:<\/p>\n
1. Cracked Game Download URLs:<\/strong> Users seeking pirated games are redirected to malicious CAPTCHA pages.<\/p>\n 2. Phishing Emails:<\/strong> Users, especially those associated with GitHub, receive emails urging them to address a fictitious “security vulnerability” in a repository, directing them to harmful URLs.<\/p>\n The ClickFix infection chain deceives users into clicking buttons like \u201cVerify you are a human.\u201d Once clicked, a malicious script is copied to the clipboard, and users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method simplifies the infection process, enabling attackers to deploy malware seamlessly.<\/p>\n 1. Cracked Gaming Software Download URLs<\/strong><\/p>\n When users search for free or cracked versions of popular games, they often encounter links on online forums that redirect them to fake CAPTCHA pages.<\/p>\n For instance, a public Runkit notebook may host a malicious link, which leads to these harmful sites when accessed. After clicking the CAPTCHA button, a malicious PowerShell script is copied to the clipboard, prompting users to execute it.<\/p>\n The website utilises JavaScript to facilitate this action, employing Base64 encoding to obscure the script\u2019s content. Upon decoding, it is revealed that the script uses the mshta utility to execute embedded malicious scripts while ignoring the binary component of the file. This tactic allows the malware to go undetected, as it operates from common directories like the Temp folder.<\/p>\n 2. Phishing Emails Impersonating GitHub<\/strong><\/p>\n The second vector targets GitHub contributors with phishing emails claiming a \u201csecurity vulnerability.\u201d When users click the links, they are redirected to fake CAPTCHA pages where malicious scripts are executed in a similar manner. This script retrieves PowerShell commands that download Lumma Stealer samples from external servers, facilitating further compromise.<\/p>\n Lumma Stealer has emerged as a potent threat, specifically designed to harvest sensitive information from infected systems. Upon installation, it can extract credentials, personal data, and financial information, which can then be exploited by cybercriminals. The effectiveness of Lumma Stealer is heightened by its distribution method through fake CAPTCHA pages, making it easier for attackers to gain access to user systems.<\/p>\n To combat this infection chain and the associated Lumma Stealer malware, organisations should adopt a multi-faceted approach:<\/p>\n \u2022 URL Blocking:<\/strong> Prevent access to known fake CAPTCHA pages.<\/p>\n \u2022 Heuristic Blocking:<\/strong> Detect and block malicious uses of the mshta utility.<\/p>\n \u2022 User Education:<\/strong> Conduct regular training sessions to inform users about social engineering tactics and phishing schemes.<\/p>\n \u2022 Antivirus and Anti-Malware Software:<\/strong> Ensure up-to-date software is installed on all endpoints.<\/p>\n \u2022 Email Filtering:<\/strong> Implement robust filters to block phishing emails and malicious attachments.<\/p>\n \u2022 Network Segmentation:<\/strong> Limit the spread of malware within the organisation by segmenting the network.<\/p>\n \u2022 Patch Management:<\/strong> Keep all operating systems, software, and applications updated with the latest security patches.<\/p>\n \u2022 Avoiding Untrusted Downloads:<\/strong> Educate users to avoid downloading cracked software or visiting suspicious websites.<\/p>\n \u2022 Verifying URLs:<\/strong> Encourage users to verify URLs in emails, especially from unknown or unexpected sources.<\/p>\n \u2022 Monitoring:<\/strong> Regularly check the Temp folder for unusual or suspicious files.<\/p>\n The ClickFix infection chain and Lumma Stealer malware highlight how cybercriminals exploit common user behaviours, such as downloading cracked software or responding to phishing emails, to distribute malicious payloads. By leveraging fake CAPTCHA pages, attackers successfully deceive users into executing scripts that lead to malware installation.<\/p>\n To protect against these sophisticated threats, organisations should implement the recommended mitigations and maintain a proactive stance against evolving cyber risks.<\/p>\n Here are some IoCs associated with this threat:<\/p>\n Fake CAPTCHA Websites<\/strong><\/p>\n \u2022 Ofsetvideofre[.]click\/<\/p>\n \u2022 Newvideozones[.]click\/veri[.]html<\/p>\n \u2022 Clickthistogo[.]com\/go\/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59<\/p>\n Malware Samples<\/strong><\/p>\n \u2022 SHA256:<\/p>\n By remaining vigilant and implementing these strategies, organisations can enhance their defences against the ClickFix infection chain and the threat of Lumma Stealer malware.<\/p>\n","protected":false},"excerpt":{"rendered":" Recent investigations have uncovered a concerning infection chain leveraging fake CAPTCHA pages to distribute malware, particularly Lumma Stealer. This campaign, observed by McAfee Labs and highlighted in findings from CloudSEK, targets users globally, illustrating the extensive reach of this attack method. Infection Vectors Identified The infection chain involves two primary vectors leading users to fake[\u2026] ReadThe ClickFix Mechanism<\/h4>\n
Detailed Attack Vectors<\/h4>\n
Lumma Stealer: The Malware Behind the Attack<\/h4>\n
Detection and Mitigation Strategies<\/h4>\n
Conclusion and Recommendations<\/h2>\n
Indicators of Compromise (IoCs)<\/h3>\n
\n