Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscated HTA file, which in turn runs an encrypted PowerShell script. The final payload is LummaC2, capable of stealing browser data and cryptocurrency information. The malware also employs a ClipBanker module to monitor and manipulate clipboard content, specifically targeting cryptocurrency wallet addresses. This distribution method is primarily found on crack program download pages and in phishing emails, emphasizing the need for caution when interacting with unfamiliar sources.
OPENCTI LABELS :
powershell,phishing,infostealer,obfuscation,cryptocurrency,lummac2,captcha,clipbanker