Booking a Threat: Inside LummaStealer's Fake reCAPTCHA
March 4, 2025, 9:02 p.m.
Description
A new malicious campaign targeting booking websites has been discovered. It uses LummaStealer, an information stealer sold under a Malware-as-a-Service model, and relies on fake CAPTCHA pages to trick users into executing malicious PowerShell commands. Initially aimed at the Philippines, the campaign has since expanded globally and now focuses on malvertising. The infection chain consists of a fake booking confirmation link, obfuscated PHP scripts, and payload download mechanisms. The LummaStealer samples seen in this campaign are significantly larger than earlier ones, up to 350% larger in size, and use evasion techniques such as Binary Padding and Indirect Control Flow. The campaign's sophistication and global reach indicate a growing threat in the cybercrime landscape.
External References
Tags
Date
- Created: March 4, 2025, 3:14 p.m.
- Published: March 4, 2025, 3:14 p.m.
- Modified: March 4, 2025, 9:02 p.m.
Indicators
Attack Patterns
- Geodo
- Emotet - S0367
- LummaStealer
- T1027.001 - Obfuscated Files or Information: Binary Padding
- T1045 - Software Packing
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1115 - Clipboard Data
- T1057 - Process Discovery
- T1105 - Ingress Tool Transfer
- T1036 - Masquerading
Additional Information
- Hospitality
- Transportation
- Germany
- Philippines