Lumma Stealer Malware Being Spread to Windows Devices via Fake Human Verification Pages, CloudSEK Says

These fake human verification pages instruct users to run hidden commands to enable the downloading of the malware.

Written by Akash Dutta, Edited by Siddharth Suvarna | Updated: 19 September 2024 17:13 IST

Highlights

Content Delivery Networks (CDNs) are being used to trick users
Lumma Stealer is an information-stealing malware
Researchers have found many phishing websites distributing the malware

Lumma Stealer Malware Being Spread to Windows Devices via Fake Human Verification Pages, CloudSEK Says

So far Lumma Stealer is the only malware known to be using this method

Photo Credit: Pexels/Sora Shimazaki

Lumma Stealer, a recently identified information-stealing malware, is being distributed to users via fake human verification pages. According to researchers at the cybersecurity firm CloudSEK, the malware is targeting Windows devices and is designed to steal sensitive information from the infected device. Concerningly, researchers have discovered multiple phishing websites which are deploying these fake verification pages to trick users into downloading the malware. CloudSEK researchers have warned organisations to implement endpoint protection solutions and to train employees and users about this new social engineering tactic.

Lumma Stealer Malware Being Distributed Using New Phishing Technique

According to the CloudSEK report, multiple active websites were found to be spreading the Lumma Stealer malware. The technique was first discovered by Unit42 at Palo Alto Networks, a cybersecurity firm, but the scope of the distribution chain is now believed to be much larger than previously assumed.

The attackers have set up various malicious websites and have added a fake human verification system, resembling the Google Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) page. However, unlike the regular CAPTCHA page where users have to check a few boxes or perform similar pattern-based tasks to prove they are not a bot, the fake pages instruct the user to run some unusual commands.

How Clipper Malware Targets Crypto Wallets: Details

In one instance, the researchers spotted a fake verification page asking users to execute a PowerShell script. PowerShell scripts contain a series of commands that can be executed in the Run dialog box. In this case, the commands were found to fetch the content from the a.txt file hosted on a remote server. This prompted a file to be downloaded and extracted on the Windows system, infecting it with Lumma Stealer.

The report also listed the malicious URLs which were spotted distributing the malware to unsuspecting users. However, this is not the full list and there might be more such websites carrying out the attack.

hxxps[://]heroic-genie-2b372e[.]netlify[.]app/please-verify-z[.]html

hxxps[://]fipydslaongos[.]b-cdn[.]net/please-verify-z[.]html

hxxps[://]sdkjhfdskjnck[.]s3[.]amazonaws[.]com/human-verify-system[.]html

hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html

hxxps[://]pub-9c4ec7f3f95c448b85e464d2b533aac1[.]r2[.]dev/human-verify-system[.]html

hxxps[://]verifyhuman476[.]b-cdn[.]net/human-verify-system[.]html

hxxps[://]newvideozones[.]click/veri[.]html

hxxps[://]ch3[.]dlvideosfre[.]click/human-verify-system[.]html

hxxps[://]newvideozones[.]click/veri[.]html

hxxps[://]ofsetvideofre[.]click

The researchers also observed that content delivery networks (CDNs) were being used to spread these fake verification pages. Further, the attackers were spotted using base64 encoding and clipboard manipulation to evade demonstration. It is also possible to distribute other malware using the same technique, although such instances have not been seen so far.

Google Might Soon Let You 'Rescan' Flagged Apps on Your Android Phone

Since the modus operandi of the attack is based on phishing techniques, no security patch can prevent devices from getting infected. However, there are some steps users and organisations can take to safeguard against the Lumma stealer malware.

Telegram Vulnerability Lets Hackers Send Malware as Videos: Report

As per the report, users and employees should be made aware of this phishing tactic to help them not fall for it. Additionally, organisations should implement and maintain reliable endpoint protection solutions to detect and block PowerShell-based attacks. Further, regularly updating and patching systems to reduce the vulnerabilities that Lumma Stealer malware can exploit should also help.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.