Booking a Threat: Inside LummaStealer's Fake reCAPTCHA
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new malicious campaign targeting booking websites has been discovered. It uses LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campaign has expanded globally, focusing on malvertising. The infection chain involves a fake booking confirmation link, obfuscated PHP scripts, and payload download mechanisms. LummaStealer samples in this attack are significantly larger, with up to a 350% increase in size, and use techniques like Binary Padding and Indirect Control Flow for evasion. The campaign's sophistication and global reach indicate a growing threat in the cybercrime landscape.
OPENCTI LABELS :
powershell,social engineering,info-stealer,malvertising,obfuscation,clickfix,lummastealer,emotet,fake captcha,binary padding,booking websites,indirect control flow