Malicious CAPTCHA delivers Lumma and Amadey Trojans

In recent months, cybersecurity researchers have observed an alarming trend where attackers are using fake CAPTCHA as a novel method to distribute malware, specifically targeting gamers and other online users. This new approach, identified in reports from August and September, involves the initial deployment of the Lumma stealer malware through websites that provide cracked games, subsequently expanding its reach to a variety of unrelated online platforms including adult sites, file-sharing services, betting platforms, and anime resources.

The research indicates that the attack vector is more robust than previously thought, with the malicious CAPTCHA now delivering both the Lumma stealer and the Amadey Trojan. The architecture of this malware distribution involves ad networks that incorporate both legitimate and malicious offers. When users click on these ad modules, they are often redirected to pages featuring the fake CAPTCHA or other deceptive content. In many cases, the clicks lead to typical adware practices, such as promoting security software, while some lead directly to the malicious CAPTCHA.

The counterfeit CAPTCHA prompts users with instructions that, upon execution, utilize PowerShell commands to download and launch malware. The scenarios include victims copying commands supposedly meant for verification and executing them in Windows’ Run dialog, enabling the installation of malicious payloads without the user’s awareness. In other scenarios, deceptive messages styled as browser error alerts also serve to execute similar malicious scripts.

Once the Lumma stealer is installed, it masquerades as the legitimate utility BitLocker To Go to gain access to the system, manipulating registry settings to facilitate its operations. This Trojan systematically searches for cryptocurrency wallet files, browser extensions, cookies, and password manager archives to extract sensitive information. The data siphoned off is then transmitted to the attackers, who can use this information for illicit financial gain.

Additionally, the same campaign has shown a resurgence in deploying the Amadey Trojan. Known for its credential-stealing capabilities, Amadey not only captures login details from popular browsers but also exploits clipboard functionality by replacing cryptocurrency addresses with those controlled by attackers. Some modules associated with Amadey enhance the attack by enabling remote access to the victim’s machine, heightening the risk of comprehensive data breaches.

Data analytics reveal that between September 22 and October 14, 2024, over 140,000 users encountered these malicious ads, with more than 20,000 individuals being redirected to infected sites and potentially exposed to the fake CAPTCHA. The most impacted regions include Brazil, Spain, Italy, and Russia, highlighting a significant global spread of the campaign.

This malicious distribution strategy underscores the vulnerabilities within ad networks, which can be easily infiltrated by cybercriminals. By purchasing ad slots, attackers can redirect users, effectively leveraging trusted elements like CAPTCHA to execute harmful actions. The integration of the legitimate BitLocker utility by the Lumma stealer exemplifies a concerning tactic that blurs the lines between trust and deception in malware operations.

The implications of this threat are serious not only for individual users but also for organizations relying on web security. Cybercriminals effectively exploit user trust towards familiar online elements to facilitate infections, and they financially benefit from both data theft and misleading website traffic. This dual approach of credential theft and manipulating online store views presents a sophisticated method of enriching operators while compromising victims’ security.

In conclusion, understanding the mechanisms of this malware campaign is crucial to developing effective defenses. Awareness of how attackers manipulate trusted web practices, alongside vigilance when interacting with online advertisements, can help mitigate the risks posed by such threats. As the cyber landscape evolves, so too must the approaches used to protect against these sophisticated malicious strategies.