- Phishing campaign mimics CAPTCHA to deliver hidden malware commands
- PowerShell command hidden in verification leads to Lumma Stealer attack
- Educating users on phishing tactics is key to preventing such attacks
CloudSek has uncovered a sophisticated method for distributing the Lumma Stealer malware which poses a serious threat to Windows users.
This technique relies on deceptive human verification pages that trick users into unwittingly executing harmful commands.
While the campaign primarily focuses on spreading the Lumma Stealer malware, its methodology could potentially be adapted to deliver a wide variety of other malicious software.
How the phishing campaign works
The campaign employs trusted platforms such as Amazon S3 and various Content Delivery Networks (CDNs) to host phishing sites, utilizing modular malware delivery where the initial executable downloads additional components or modules, thereby complicating detection and analysis efforts.
The infection chain in this phishing campaign begins with threat actors luring victims to phishing websites that mimic legitimate Google CAPTCHA verification pages. These pages are presented as a necessary identity verification step, tricking users into believing they are completing a standard security check.
The attack takes a more deceptive turn once the user clicks the “Verify” button. Behind the scenes, a hidden JavaScript function activates, copying a base64-encoded PowerShell command onto the user’s clipboard without their knowledge. The phishing page then instructs the user to perform an unusual series of steps, such as opening the Run dialog box (Win+R) and pasting the copied command. These instructions, once followed, cause the PowerShell command to be executed in a hidden window, which is invisible to the user, making detection by the victim almost impossible.
The hidden PowerShell command is the crux of the attack. It connects to a remote server to download additional content such as a text file (a.txt) containing instructions for retrieving and executing the Lumma Stealer malware. Once this malware is installed on the system, it establishes connections with attacker-controlled domains. This allows attackers to compromise the system, steal sensitive data, and potentially launch further malicious activities.
To guard against this phishing campaign, both users and organizations must prioritize security awareness and implement proactive defences. A critical first step is user education.
The deceptive nature of these attacks – disguised as legitimate verification processes – shows the importance of informing users about the dangers of following suspicious prompts, especially when asked to copy and paste unknown commands. Users need to be trained to recognize phishing tactics and question unexpected CAPTCHA verifications or unfamiliar instructions that involve running system commands.
In addition to education, deploying robust endpoint protection is essential for defending against PowerShell-based attacks. Since attackers in this campaign rely heavily on PowerShell to execute malicious code, organizations should ensure that their security solutions are capable of detecting and blocking these activities. Advanced endpoint protection tools with behavioural analysis and real-time monitoring can detect unusual command executions, helping to prevent the malware from being downloaded and installed.
Organizations should also take a proactive approach by monitoring network traffic for suspicious activity. Security teams need to pay close attention to connections with newly registered or uncommon domains, which are often used by attackers to distribute malware or steal sensitive data.
Finally, keeping systems updated with the latest patches is a crucial defense mechanism. Regular updates ensure that known vulnerabilities are addressed, limiting the opportunity for attackers to exploit outdated software in their efforts to distribute malware like Lumma Stealer.
“This new tactic is particularly dangerous because it plays on users’ trust in widely recognized CAPTCHA verifications, which they encounter regularly online. By disguising malicious activity behind what seems like a routine security check, attackers can easily trick users into executing harmful commands on their systems. What’s more concerning is that this technique, currently distributing the Lumma Stealer, could be adapted to spread other types of malware, making it a highly versatile and evolving threat,” said Anshuman Das, Security Researcher at CloudSEK.
