Behind the CAPTCHA: A Clever Gateway of Malware

Sept. 24, 2024, 2:38 p.m.

Description

A sophisticated infection chain dubbed ClickFix has been observed using fake CAPTCHA pages to distribute Lumma Stealer malware. The campaign targets multiple countries through two main vectors: cracked game download URLs and phishing emails impersonating GitHub. Users are tricked into executing malicious scripts copied to their clipboards, leading to malware installation. The attack employs multi-layered encryption and leverages mshta to bypass detection. Mitigation strategies include user education, robust email filtering, and keeping systems updated. The global reach and deceptive tactics highlight the evolving nature of cyber threats.

Tags

Date

  • Created: Sept. 24, 2024, 2:07 p.m.
  • Published: Sept. 24, 2024, 2:07 p.m.
  • Modified: Sept. 24, 2024, 2:38 p.m.

Indicators


Attack Patterns

  • Lumma Stealer
  • AsyncRAT
  • T1048
  • T1074
  • T1553.005
  • T1059.001
  • T1567
  • T1012
  • T1005
  • T1082
  • T1083
  • T1204
  • T1140
  • T1132
  • T1027
  • T1566