
Jan 21, 2025 - 05:55
New Infostealer: FAKE CAPTCHA and Human Verification (Novel Lumma Malware); Detection, Prevention, and Incident Response.

A deceptive CAPTCHA test that seems harmless but is designed to trick Windows users into installing info-stealing malware.

This week, a friend of mine encountered a seemingly legitimate CAPTCHA Human Verification while browsing the internet. What appeared to be a routine verification was actually a sophisticated mechanism to distribute Lumma malware, a new and dangerous infostealer targeting sensitive data.

This article will delve into the technical details of how the Lumma malware operates, its distribution mechanisms, and the steps users can take to safeguard themselves.

Anatomy of the Attack

Step 1: The Fake CAPTCHA


The attack begins with a fake CAPTCHA prompt designed to trick users into thinking they are verifying their humanity. This social engineering tactic leverages the commonality of CAPTCHAs across the web, ensuring that the prompt does not raise suspicion.

Key Features of the Fake CAPTCHA:

  • Visual Design: The prompt mimics legitimate CAPTCHA services with a polished design.
  • Dynamic Behavior: Interaction with the prompt initiates the download of a malicious payload.
  • Browser-Specific Hooks: The prompt may adapt based on the user’s browser or device to maximize compatibility.

Step 2: Malware Delivery


Once the user interacts with the fake CAPTCHA, they unknowingly download a file masquerading as a harmless application. This file often comes in the form of:

  • Compressed Archives: ZIP or RAR files containing executables.
  • Installer Packages: Pretending to be software updates or necessary tools.

Technical Details of the Payload:

  • File Name Patterns: Commonly uses generic or enticing names like update_tool.exe or captcha_check.exe.
  • File Type: Executable files that appear benign but are embedded with malicious code.

Step 3: Execution and Data Exfiltration


Upon execution, the Lumma malware begins its primary operation: stealing sensitive information.

Capabilities of Lumma Malware:

Credential Harvesting:

  • Steals login credentials stored in browsers.
  • Targets email clients and FTP applications.

Cryptocurrency Theft:

  • Monitors clipboard activity for wallet addresses.
  • Replaces wallet addresses with those controlled by the attackers.

System Reconnaissance:

  • Gathers system information, including IP address and hardware details.

Exfiltration:

  • Sends the stolen data to remote command-and-control (C2) servers via encrypted channels.

Detection and Mitigation


How to Identify the Threat

Behavioral Indicators:

  • Unexpected CAPTCHA prompts on unrelated websites.
  • Unfamiliar downloads triggered after interacting with web elements.

File Analysis:

  • Use antivirus tools to scan downloaded files; in this case, we used Malwarebytes to scan for and detect the trojan agents and quarantine the infected file.
  • Check for anomalous behavior during file execution; according to my friend, he experienced an unexpected disruption in network connectivity that left him unable to connect to the internet until he restarted his device.
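Before handing a download to a scanner, a quick triage of the file itself catches the delivery tricks the article lists: lure file names such as update_tool.exe or captcha_check.exe, executables hidden behind a harmless extension, and archives that carry an executable. The script below is an added example, not code from the article or from Malwarebytes; it inspects the bytes (the `MZ` header every Windows executable starts with) rather than trusting the file name. The name patterns, the sample files and the verdict format are assumptions made for the demonstration, and the sample "executables" are only the two-byte header plus padding, not real programs.

```python
"""Triage a file downloaded after a suspicious CAPTCHA prompt.

Added example, not the article's code. It scores a file using the indicators
the article describes and looks at the actual bytes, not just the extension.
All samples are constructed in memory; nothing here is real malware.
"""
import io
import re
import zipfile

# Lure names taken from the article (update_tool.exe, captcha_check.exe) plus one
# assumed variant; extend the pattern to match what you actually observe.
SUSPICIOUS_NAME_RE = re.compile(
    r"^(update[_-]?tool|captcha[_-]?check|human[_-]?verif\w*)\.exe$", re.IGNORECASE
)
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".msi")


def is_pe(data: bytes) -> bool:
    """True if the bytes begin with the 'MZ' DOS header carried by Windows PE files."""
    return data[:2] == b"MZ"


def inspect_zip(data: bytes) -> list:
    """List ZIP members that are executables, judged by extension or by header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or head == b"MZ":
                hits.append(info.filename)
    return hits


def analyse_download(filename: str, data: bytes) -> dict:
    """Return a verdict with human-readable reasons; empty reasons means no indicator."""
    reasons = []
    lower = filename.lower()
    if SUSPICIOUS_NAME_RE.match(filename):
        reasons.append(f"name matches lure pattern: {filename}")
    if is_pe(data) and not lower.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("PE executable hidden behind a non-executable extension")
    elif is_pe(data):
        # A real CAPTCHA never hands out a program, so any executable is a red flag here.
        reasons.append("Windows executable offered by a verification prompt")
    if zipfile.is_zipfile(io.BytesIO(data)):
        for member in inspect_zip(data):
            reasons.append(f"archive contains executable member: {member}")
    elif data[:4] == b"Rar!":
        # RAR needs a third-party parser; flag it so the members get inspected too.
        reasons.append("RAR archive: inspect members before opening anything inside")
    return {"file": filename, "suspicious": bool(reasons), "reasons": reasons}


def _fake_pe() -> bytes:
    # Constructed stand-in: only the 'MZ' magic plus padding, not a runnable program.
    return b"MZ" + b"\x00" * 62


def _fake_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples covering the delivery forms the article lists.
SAMPLES = {
    "update_tool.exe": _fake_pe(),
    "verification.zip": _fake_zip({"README.txt": b"run me", "captcha_check.exe": _fake_pe()}),
    "invoice.pdf": _fake_pe(),      # executable disguised as a document
    "notes.txt": b"just text",      # benign control
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(analyse_download(name, blob))
```

Run it over a real download directory by reading each file's bytes into `analyse_download`; anything with a non-empty reason list should go to the scanner and must not be opened.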

INCIDENT RESPONSE: What to Do When You've Downloaded the Lumma Malware?


If you suspect that you've inadvertently downloaded the Lumma malware, it's crucial to act quickly and methodically to minimize the impact of the attack.

Here's my suggested step-by-step guide on how to proceed:

1. Backup All Important Files to the Cloud
If the malware contains ransomware or other destructive payloads, it may target and encrypt files on your local machine.

  • Upload important files, such as documents, photos, and other critical data, to a cloud storage service. This will allow you to restore your files later if they are compromised.

2. Change All Passwords on Social Media and Bank Accounts
Since Lumma malware is designed to harvest login credentials, it's critical to change the passwords for your social media, banking, and email accounts, **especially if these passwords were saved in your browser.**

  • Use a different, trusted device (such as your smartphone with SMS-based MFA) to change all of your passwords, so that your current device (which may be compromised) cannot intercept these changes. Enable two-factor authentication (2FA) on all accounts where possible to add an extra layer of security.

3. Stay Calm and Composed
Panicking can cloud your judgment and lead to more mistakes. Handling the situation calmly will allow you to follow the necessary steps to contain the infection.

  • Focus on isolating the compromised device to prevent further spread of the malware. Unless you are actively backing up your important local files, disconnect the infected device from the internet and from any other devices it may be connected to, such as external hard disk drives or USB flash drives.

Reformat your device (if necessary)


If the malware remains persistent and cannot be removed, it may be necessary to wipe your system and perform a fresh installation of your operating system.

In my suggestion to my friend, I advised him to let me reformat his laptop for added safety and peace of mind.

  • As a first step in any security breach, always back up essential files (but avoid backing up any files that may be infected), then perform a factory reset or reinstall the operating system to ensure the malware is completely eradicated.

*How to reformat your device?*

  1. Open Settings
  2. Select System
  3. Select Recovery
  4. Select Reset this PC
  5. Choose Remove everything to erase all data
  6. Select Change settings to clean the drive
  7. Turn on the Clean data and Download Windows options
  8. Click Confirm
  9. Click Reset to confirm the reset
  10. Follow the on-screen instructions

Remember to back up all of your important files before doing this.

Preventive Measures


User Awareness:

  • Be cautious when encountering CAPTCHAs outside well-known platforms.
  • Avoid downloading files unless absolutely certain of their source.

Technical Safeguards:

  • Enable browser extensions to block malicious scripts.
  • Deploy endpoint protection solutions capable of detecting infostealers.

Network Security:

  • Monitor network traffic for unusual patterns.
  • Implement DNS filtering to block known malicious domains.

Regular Updates:

  • Keep browsers, plugins, and operating systems up to date.

Prevention is better than cure!

It is easier to prevent an attack while it is still outside of our system or environment.


The Lumma malware demonstrates how threat actors leverage seemingly benign elements, like CAPTCHA prompts, to execute sophisticated attacks.

By understanding the tactics employed by such threats, users and organizations can strengthen their defenses against them.

Prevention is always better than cure. Staying vigilant, taking proactive security measures, and preparing in advance can significantly reduce the likelihood of falling victim to such attacks. Regularly updating software, practicing safe browsing habits, and using comprehensive security solutions are key to protecting your personal data and devices from novel threats.

Stay vigilant, and share this information to help protect others from falling victim to similar schemes.
