Behind the CAPTCHA: A Clever Gateway of Malware

    Date: 09/23/2024

    Severity: High

    Summary

    McAfee Labs recently detected an infection chain that uses fake CAPTCHA pages to spread malware, specifically Lumma Stealer. We're monitoring a campaign that targets multiple countries; a map in McAfee's report plots the geolocation of devices that accessed the fraudulent CAPTCHA URLs, showing the global reach of the attack. Two infection vectors lead users to these fake pages: cracked game download links and phishing emails.

    Indicators of Compromise (IOC) List

    Domains\URLs


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs

    userdomainname like "Ofsetvideofre.click/" or url like "Ofsetvideofre.click/"
    or userdomainname like "Newvideozones.click/veri.html" or url like "Newvideozones.click/veri.html"
    or userdomainname like "Clickthistogo.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59" or url like "Clickthistogo.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59"
    or userdomainname like "Downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c" or url like "Downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c"
    or userdomainname like "Betterdirectit.com/" or url like "Betterdirectit.com/"
    or userdomainname like "Betterdirectit.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67" or url like "Betterdirectit.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67"
    or userdomainname like "heroic-genie-2b372e.netlify.app/please-verify-z.html" or url like "heroic-genie-2b372e.netlify.app/please-verify-z.html"
    or userdomainname like "Downloadstep.com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4" or url like "Downloadstep.com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4"
    or userdomainname like "Downloadsbeta.com/go/08a742f2-0a36-4a00-a979-885700e3028c" or url like "Downloadsbeta.com/go/08a742f2-0a36-4a00-a979-885700e3028c"
    or userdomainname like "Streamingsplays.com/go/6754805d-41c5-46b7-929f-6655b02fce2c" or url like "Streamingsplays.com/go/6754805d-41c5-46b7-929f-6655b02fce2c"
    or userdomainname like "Streamingsplays.com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f" or url like "Streamingsplays.com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f"
    or userdomainname like "Streamingszone.com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ" or url like "Streamingszone.com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ"
    or userdomainname like "Streamingsplays.com/go/1c406539-b787-4493-a61b-f4ea31ffbd56" or url like "Streamingsplays.com/go/1c406539-b787-4493-a61b-f4ea31ffbd56"
    or userdomainname like "github-scanner.shop/" or url like "github-scanner.shop/"
    or userdomainname like "github-scanner.com/" or url like "github-scanner.com/"
    or userdomainname like "botcheck.b-cdn.net/captcha-verify-v7.html" or url like "botcheck.b-cdn.net/captcha-verify-v7.html"
    or userdomainname like "Rungamepc.ru/?load=Black-Myth-Wukong-crack" or url like "Rungamepc.ru/?load=Black-Myth-Wukong-crack"
    or userdomainname like "game02-com.ru/?load=Cities-Skylines-2-Crack-Setup" or url like "game02-com.ru/?load=Cities-Skylines-2-Crack-Setup"
    or userdomainname like "Rungamepc.ru/?load=Dragons-Dogma-2-Crack" or url like "Rungamepc.ru/?load=Dragons-Dogma-2-Crack"
    or userdomainname like "Rungamepc.ru/?load=Dying-Light-2-Crack" or url like "Rungamepc.ru/?load=Dying-Light-2-Crack"
    or userdomainname like "Rungamepc.ru/?load=Monster-Hunter-Rise-Crack" or url like "Rungamepc.ru/?load=Monster-Hunter-Rise-Crack"
    or userdomainname like "Runkit.com/wukong/black-myth-wukong-crack-pc" or url like "Runkit.com/wukong/black-myth-wukong-crack-pc"
    or userdomainname like "Runkit.com/skylinespc/cities-skylines-ii-crack-pc-full-setup" or url like "Runkit.com/skylinespc/cities-skylines-ii-crack-pc-full-setup"
    or userdomainname like "Runkit.com/masterposte/dying-light-2-crack-on-pc-denuvo-fix" or url like "Runkit.com/masterposte/dying-light-2-crack-on-pc-denuvo-fix"
    or userdomainname like "Runkit.com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone" or url like "Runkit.com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone"
    or userdomainname like "Groups.google.com/g/hogwarts-legacy-crack-empress" or url like "Groups.google.com/g/hogwarts-legacy-crack-empress"
    or userdomainname like "By.tribuna.com/extreme/blogs/3143511-black-myth-wukong-full-unlock/" or url like "By.tribuna.com/extreme/blogs/3143511-black-myth-wukong-full-unlock/"

    Hash

    sha256hash IN ("19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a","632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c","fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511","cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54","d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207","b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624","bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55")
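    The queries above match the full URL strings as listed, tracking parameters and capitalisation included, so a changed var_3 value or a differently cased hostname can slip past, while matching shared platforms such as Runkit or Google Groups on hostname alone would flag legitimate traffic. The Python below is an added example, not code from the Gurucul advisory or McAfee's report: it runs host-level matching for attacker-controlled domains and host-plus-path matching for shared platforms over constructed proxy-log lines. The log format, the IOC subset and which domains count as shared platforms are my assumptions.

```python
# Added example, not from the Gurucul advisory or McAfee's report: IOC matching over proxy logs.
from urllib.parse import urlsplit

ATTACKER_HOSTS = {  # subset of the advisory's domains, lowercased; match on host alone
    "ofsetvideofre.click", "newvideozones.click", "clickthistogo.com",
    "github-scanner.shop", "github-scanner.com", "botcheck.b-cdn.net",
    "rungamepc.ru", "heroic-genie-2b372e.netlify.app",
}
SHARED_PLATFORM_PATHS = {  # shared services: match host plus path, host alone would be noisy
    ("runkit.com", "/wukong/black-myth-wukong-crack-pc"),
    ("groups.google.com", "/g/hogwarts-legacy-crack-empress"),
}
IOC_SHA256 = {  # subset of the advisory's hashes
    "b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624",
    "cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54",
}

def classify_url(url):
    """Return 'attacker-host', 'shared-platform-path' or None for a URL."""
    if "://" not in url:                     # advisory lists scheme-less "Host/path"
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()    # case-insensitive host compare
    path = parts.path.rstrip("/") or "/"     # trailing slash and query string ignored
    if host in ATTACKER_HOSTS:
        return "attacker-host"
    if (host, path) in SHARED_PLATFORM_PATHS:
        return "shared-platform-path"
    return None

# Constructed proxy-log sample (not real telemetry): timestamp user url sha256-or-dash
SAMPLE_LOG = """\
2024-09-23T10:01:02Z alice https://botcheck.b-cdn.net/captcha-verify-v7.html -
2024-09-23T10:01:09Z alice https://Clickthistogo.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=OTHER-ID -
2024-09-23T10:02:41Z bob https://runkit.com/home -
2024-09-23T10:03:15Z carol https://groups.google.com/g/hogwarts-legacy-crack-empress -
2024-09-23T10:05:00Z dave https://example.com/setup.exe B6A016EF240D94F86E20339C0093A8FA377767094276730ACD96D878E0E1D624
"""

def scan(log):
    """Return (user, reason) for each line whose URL or file hash matches an IOC."""
    hits = []
    for line in log.splitlines():
        _ts, user, url, sha = line.split()
        kind = classify_url(url)
        if kind:
            hits.append((user, kind))
        elif sha != "-" and sha.lower() in IOC_SHA256:  # hashes compared case-insensitively
            hits.append((user, "sha256"))
    return hits
```

The second sample line carries a tracking ID that differs from the advisory's, and the third is ordinary Runkit traffic; only the former is flagged.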

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/ 


    Tags

    Malware, Phishing, Lumma Stealer
