Booking a Threat: Inside LummaStealer's Fake reCAPTCHA
Essential information
- Published
- 04/03/2025 15:14
- Modified
- 04/03/2025 21:02
- Tags
- 2025-03-04 binary padding booking websites clickfix emotet fake captcha indirect control flow info-stealer lummastealer malvertising obfuscation powershell social engineering
- Related entities
- 12 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 malware, 4 others
Description
A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campaign has expanded globally, focusing on malvertising. The infection chain involves a fake booking confirmation link, obfuscated PHP scripts, and payload download mechanisms. LummaStealer samples in this attack are significantly larger, up to 350% increase in size, and use techniques like Binary Padding and Indirect Control Flow for evasion. The campaign's sophistication and global reach indicate a growing threat in the cybercrime landscape.
External references
- https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha
- https://feeds.feedblitz.com/~/914176745/0/gdatasecurityblog-en~Booking-a-Threat-Inside-LummaStealers-Fake-reCAPTCHA
- https://www.gdatasoftware.com/fileadmin/_processed_/d/7/G_DATA_Blog_LummaStealer_Title_59f6fc89c3.jpg
- https://otx.alienvault.com/pulse/67c718b9605e1b9b0784f4a5