New Lumma Stealer campaign using fake Captchas

A new malware campaign that leverages fake CAPTCHA verification checks to deliver Lumma Stealer has been observed. This campaign has targeted victims from around the world (Argentina, Colombia, U.S., Philippines etc.) and across various industries (such as financial institutions, healthcare, marketing and telecom organizations). The attack chain begins with the victim visiting a compromised website that directs them to a fake CAPTCHA page with instructions. The site visitor is prompted to copy/paste a command into the Windows Run prompt to download and execute an HTA file from a remote server. Once the HTA file executes a PowerShell command launches to run additional scripts resulting in decoding and loading the Lumma Stealer payload. This malware is a potent tool with advanced evasion techniques and data theft mechanisms.

Symantec protects you from this threat, identified by the following:

Behavior-based

• SONAR.TCP!gen1

Carbon Black-based

• Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from VMware Carbon Black Cloud reputation service.

Email-based

• Protection is in place for Symantec's email security products. Email Threat Isolation (ETI) technology from Symantec provides an extra layer of protection.

File-based

• Downloader
• Infostealer.Limitail
• Scr.Malcode!gdn32
• Trojan Horse
• Trojan.Gen.MBT
• WS.Malware.1
• WS.Malware.2

Machine Learning-based

• Heur.AdvML.A!300
• Heur.AdvML.B
• Heur.AdvML.B!100
• Heur.AdvML.B!200

Web-based

• Observed domains/IPs are covered under security categories in all WebPulse enabled products