- Security researchers detect a campaign to distribute Lumma Stealer malware
- Fake CAPTCHA page comes with JavaScript that copies malicious code to clipboard
- To “solve” the fake CAPTCHA, users are asked to paste the code into CMD and run it
Fake CAPTCHA pages are used to trick victims into downloading and running Lumma data-stealing malware.
Security researchers at Guardio Labs recently discovered a major malicious operation targeting millions of people, called “DeceptionAds.”
The campaign abuses two legitimate services, the Monetag ad network and BeMob, a cloud-based performance tracking platform. It starts with fake ads, which promote things that attract the host site’s audience, such as fake offers, downloads or different services, with pirated streaming and software platforms apparently among the most common topics.
paddle viper
When the victim clicks on the ad, they are redirected to a fake CAPTCHA page through the BeMob cloaking service. This makes moderation difficult as BeMob is a legitimate service and as such is not removed from the Monetag ad network by default.
“By providing a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers took advantage of BeMob’s reputation, complicating Monetag’s content moderation efforts,” Nati Tal said in an article. , director of Guardio Labs.
The CAPTCHA page comes with a JavaScript code snippet that copies a malicious one-line PowerShell command to the clipboard. However, the victim still needs to paste that code into the CMD and run it, which is where the CAPTCHA “fix” comes into play. To solve the CAPTCHA, users must open the Windows Run dialog box, press CTRL+V (paste) and press enter.
This runs the command that downloads and runs Lumma Stealer. The group behind the attack is called Vane Viper.
Lumma is a popular information thief in the underground community. It is capable of stealing a wide range of sensitive information including cryptocurrency wallets, browser data, email credentials, financial information, FTP client data, and system information.
When Monetag and BeMob were notified of the campaign, both companies stepped in to address the issue. Monetag removed 200 accounts, while BeMob ended the campaign within four days.
Through beepcomputer
