Saturday, March 1, 2025

Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains


Phishing PDFs

Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma Stealer malware.

Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites.

"The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results," security researcher Jan Michael Alcantara said in a report shared with The Hacker News.

"While most phishing pages focus on stealing credit card information, some PDF files contain fake CAPTCHAs that trick victims into executing malicious PowerShell commands, ultimately leading to the Lumma Stealer malware."

The phishing campaign is estimated to have affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily singling out victims in North America, Asia, and Southern Europe across the technology, financial services, and manufacturing sectors.


Of the 260 domains identified as hosting the fake PDFs, a majority are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.

Attackers have also been observed uploading some of the PDF files to legitimate online libraries and PDF repositories like PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, so that users searching for PDF documents on search engines are directed to them.


The PDFs contain fraudulent CAPTCHA images that act as a conduit to steal credit card information. Those distributing Lumma Stealer, on the other hand, contain images to download the document that, when clicked, take the victim to a malicious website.

For its part, the website masquerades as a fake CAPTCHA verification page that employs the ClickFix technique to deceive the victim into running an MSHTA command that executes the stealer malware via a PowerShell script.

In recent weeks, Lumma Stealer has also been disguised as Roblox games and a cracked version of the Total Commander tool for Windows, highlighting the myriad delivery mechanisms adopted by various threat actors. Users are redirected to these websites via YouTube videos likely uploaded from previously compromised accounts.

"Malicious links and infected files are often disguised in YouTube videos, comments, or descriptions," Silent Push said. "Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats."

The cybersecurity company further found that Lumma Stealer logs are being shared for free on a relatively new hacking forum called Leaky[.]pro that went operational in late December 2024.


Lumma Stealer is a fully-featured crimeware solution that is offered for sale under the malware-as-a-service (MaaS) model, giving buyers a way to harvest a wide range of information from compromised Windows hosts. In early 2024, the malware operators announced an integration with a Golang-based proxy malware named GhostSocks.


"The addition of a SOCKS5 backconnect feature to existing Lumma infections, or any malware for that matter, is highly lucrative for threat actors," Infrawatch said.

"By leveraging victims' internet connections, attackers can bypass geographic restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. This capability significantly increases the likelihood of success for unauthorized access attempts using credentials harvested via infostealer logs, further enhancing the post-exploitation value of Lumma infections."


The disclosures come as stealer malware like Vidar and Atomic macOS Stealer (AMOS) are being distributed using the ClickFix method via lures for the DeepSeek artificial intelligence (AI) chatbot, according to Zscaler ThreatLabz and eSentire.

Phishing attacks have also been observed abusing a JavaScript obfuscation method that uses invisible Unicode characters to represent binary values, a technique that was first documented in October 2024.

The method involves using Unicode filler characters, specifically Hangul half-width (U+FFA0) and Hangul full-width (U+3164), to represent the binary values 0 and 1, respectively, and converting each ASCII character in the JavaScript payload to its Hangul equivalents.

"The attacks were highly personalized, including personal information, and the initial JavaScript would attempt to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website," Juniper Threat Labs said.
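The mapping just described can be reversed for analysis. The following is an added example, not code from the article or from Juniper Threat Labs: it scans a script for runs of U+FFA0/U+3164, decodes them with the bit assignment stated above (U+FFA0 is 0, U+3164 is 1), and builds its own constructed sample so it runs offline.

```javascript
// Added example (not from the article): detect and decode runs of Hangul filler
// characters used as invisible binary, per the mapping the article describes.
const HALFWIDTH_FILLER = "\uFFA0"; // U+FFA0 -> bit 0 (as stated in the article)
const FULLWIDTH_FILLER = "\u3164"; // U+3164 -> bit 1

// Any run of at least 8 filler characters is one or more hidden bytes.
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g;

// Decode one run of fillers back into text, 8 fillers per ASCII character.
// Trailing fillers that do not fill a whole byte are ignored.
function decodeFillerRun(run) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    const bits = run
      .slice(i, i + 8)
      .split("")
      .map((c) => (c === FULLWIDTH_FILLER ? "1" : "0"))
      .join("");
    out += String.fromCharCode(parseInt(bits, 2));
  }
  return out;
}

// Scan script source for hidden filler payloads; returns one finding per run
// with its offset, encoded length and decoded text for the analyst to review.
function findHiddenPayloads(source) {
  const findings = [];
  for (const match of source.matchAll(FILLER_RUN)) {
    findings.push({
      offset: match.index,
      encodedLength: match[0].length,
      decoded: decodeFillerRun(match[0]),
    });
  }
  return findings;
}

// Constructed sample only: hides a harmless word in a benign-looking script
// using the same mapping, so the detector has something to find offline.
function encodeAsFillers(text) {
  return [...text]
    .map((ch) => ch.charCodeAt(0).toString(2).padStart(8, "0"))
    .join("")
    .replace(/0/g, HALFWIDTH_FILLER)
    .replace(/1/g, FULLWIDTH_FILLER);
}

const SAMPLE_SCRIPT =
  'const x = "' + encodeAsFillers("hello") + '";\nconsole.log(x);';
```

Run against a real sample, the decoded segments are usually another layer of JavaScript, so treat the output as untrusted input for further static analysis rather than executing it.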
