Lumma Stealer Spreads via Fake CAPTCHA Ads

Lumma Stealer Distributed Through Fake CAPTCHA Campaigns

Researchers at Guardio Labs have reported a large-scale campaign spreading the Lumma stealer malware using fake CAPTCHA challenges. In this campaign, users are prompted to run PowerShell commands to prove they are not bots.

This operation, dubbed DeceptionAds, involves cybercriminals leveraging the Monetag ad network to display over a million ads daily across 3,000 websites. The activity is believed to be linked to the hacker group Vane Viper.

Essentially, DeceptionAds is a new and more dangerous variant of ClickFix attacks, where victims are tricked into manually executing malicious PowerShell commands, thereby infecting their own systems with malware.

How the Attack Works

This campaign stands out because it uses mass advertising on a legitimate ad network to redirect unsuspecting users to pages with fake CAPTCHA challenges. The hackers use Monetag to serve pop-up ads for fake offers, downloads, and services, typically targeting users of pirate streaming platforms or sites offering pirated software.

If a victim clicks on one of these ads, obfuscated code checks if the user is a real person and then redirects them to a fake CAPTCHA page, using the BeMob service for masking. While BeMob is usually used for tracking ad performance, in this case, it helps the attackers evade detection.

Attack Flow

According to the researchers, “By providing Monetag with a harmless BeMob URL (instead of a direct link to the fake CAPTCHA page), the attackers leveraged BeMob’s reputation, making it harder for Monetag to moderate the content.”

The fake CAPTCHA page contains a JavaScript snippet that secretly copies a malicious one-line PowerShell command to the user’s clipboard. The page then instructs the victim to run this command via Windows Run.
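As an added illustration of how a defender can flag pages built on this pattern (this is example code, not Guardio's tooling or anything from the campaign), the scanner below looks for the combination the article describes: a clipboard-write call in the page's script plus an instruction to open the Windows Run dialog. The two sample pages are constructed for the example; the command string in the lure page is a placeholder.

```python
import re

# Each indicator is a regex over the raw page source. The two clipboard-write
# calls are the browser APIs a page has to use to plant text in the clipboard
# without the user copying it, so a ClickFix-style lure needs one of them.
INDICATORS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*[\"']copy[\"']"),
    "captcha_lure": re.compile(
        r"not a robot|verify (?:that )?you are human|human verification", re.I),
    "run_dialog_instruction": re.compile(
        r"\bwin(?:dows)?(?: key)?\s*\+\s*r\b|run dialog", re.I),
    "powershell_mention": re.compile(r"\bpowershell\b", re.I),
}


def scan_page(html: str) -> dict:
    """Return the matched indicators and a verdict for one page's source."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    # A clipboard write on its own is ordinary (copy buttons); paired with an
    # instruction to execute the clipboard contents it is the ClickFix tell.
    suspicious = "clipboard_write" in hits and (
        "run_dialog_instruction" in hits or "powershell_mention" in hits)
    return {"indicators": hits, "suspicious": suspicious}


# Constructed sample: a harmless verification page with a "copy link" button.
BENIGN_PAGE = """
<p>I'm not a robot</p>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
"""

# Constructed sample mimicking the lure the article describes. The command is
# a placeholder; what matters is the clipboard write plus the Run instruction.
LURE_PAGE = """
<h2>Verify you are human</h2>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>
  var cmd = "<PLACEHOLDER_COMMAND>";
  document.querySelector("input").onclick = function () {
    navigator.clipboard.writeText(cmd);
  };
</script>
"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        print(label, scan_page(page))
```

The benign page shows why a clipboard write alone must not trigger an alert: copy buttons are everywhere, and even a real CAPTCHA page can legitimately use one.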

Executing this command downloads and runs the Lumma stealer on the user’s device. Lumma is capable of stealing cookies, credentials, passwords, credit card data, and browsing history from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

Scale and Response

Guardio Labs reports that the abuse of Monetag and BeMob was extensive. For example, Monetag reported removing 200 malicious accounts. Although this initially stopped the malicious activity, by December 11, researchers observed the campaign resuming, with hackers now attempting to use a different ad network.

It’s worth noting that back in October, Kaspersky Lab experts also warned about the use of fake CAPTCHA challenges to spread infostealers.
