A study by cybersecurity company DNSFilter shows that bad actors are using fake CAPTCHA prompts to distribute the fileless Lumma Stealer malware, which can steal cryptocurrency wallet credentials.
The prompt, first detected on a Greek bank's website, asks Windows users to copy a command, paste it into the Run dialog box, and press Enter.
DNSFilter reports that its customers interacted with the fake CAPTCHA 23 times in three days, and that 17% of those who encountered the prompt completed the on-screen steps, triggering the attempt to deliver the malware.
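A defender-side check for the paste-into-Run step described above, added here as an example and not part of the DNSFilter report: it parses a constructed `reg export` of the Windows Run-dialog history key (RunMRU, assumed here to be where Windows records what a user typed or pasted into Run) and flags entries that start with a script interpreter or download utility, which is what a pasted one-liner would look like in that history.

```python
import re

# Constructed sample of a `reg export` of the RunMRU key. The pasted command
# itself is redacted; only its interpreter matters for this check.
SAMPLE_RUNMRU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="calc\\1"
"c"="powershell -c <redacted-pasted-text>\\1"
"""

# Executables a legitimate user rarely types into Run, but a ClickFix-style
# pasted command typically begins with (heuristic list, an assumption).
INTERPRETERS = ("powershell", "pwsh", "mshta", "cmd", "wscript", "cscript",
                "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")

_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(reg_string):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', reg_string)


def parse_runmru(export_text):
    """Return Run-dialog history as (slot, command) pairs, most recent first."""
    entries, order = {}, ""
    for line in export_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group(1), _unescape(m.group(2))
        if name == "MRUList":
            order = data            # e.g. "cab": slot c is the newest entry
        else:
            # Windows appends "\1" to each stored Run command
            entries[name] = data[:-2] if data.endswith("\\1") else data
    return [(slot, entries[slot]) for slot in order if slot in entries]


def flag_suspicious(history):
    """Keep only entries whose first token is a known interpreter/downloader."""
    flagged = []
    for slot, command in history:
        tokens = command.strip().split()
        head = tokens[0].lower() if tokens else ""
        head = head.rsplit("\\", 1)[-1].removesuffix(".exe")  # strip any path
        if head in INTERPRETERS:
            flagged.append((slot, command))
    return flagged
```

On a live host the same functions can be pointed at the output of `reg export` for that key; an entry flagged here is a lead for triage, not proof of infection.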
The malware in question is Lumma Stealer, which searches for credentials and other sensitive data on infected devices, according to Mikey Pruitt, global partner evangelist at DNSFilter.
“Lumma Stealer sweeps the system for anything that can be monetized instantly. It takes the passwords and cookies stored by the browser, 2FA tokens, cryptocurrency wallet data, remote access credentials, and even password manager vaults,” he told Decrypt.
Pruitt makes it clear that bad actors use the lifted data for various purposes, including identity theft, accessing “online accounts for financial theft or fraudulent transactions,” and draining cryptocurrency wallets, all of which boil down to financial gain.
According to Pruitt, Lumma Stealer has a wide reach and can be found on a variety of websites.
“We can’t talk about how much has been lost through this one campaign, but this threat can exist on non-malicious sites,” he explained. “This makes it extremely dangerous, and it is important to be aware when things seem suspicious.”
Malware as a Service
Lumma Stealer is not only an example of malware, but also of malware as a service (MaaS), a model that security companies say is responsible for the rise in malware attacks in recent years.
According to ESET malware analyst Jakub Tomanek, the operator behind Lumma Stealer develops features, improves its ability to avoid malware detection, and registers domains that host malware.
“Their main goal is to maintain service operation and profitability and collect monthly subscription fees from affiliates, effectively running Lumma Stealer as a sustainable cybercrime business,” he told Decrypt.
MaaS offerings such as Lumma Stealer remain stubbornly popular because cybercriminals are spared the need to develop the malware and its underlying infrastructure themselves.
In May, the US Department of Justice seized five internet domains that bad actors used to operate the Lumma Stealer malware, and Microsoft separately took down 2,300 related domains.
However, reports show that Lumma Stealer has reappeared since May, and a July analysis by Trend Micro found that “the number of targeted accounts has steadily returned to normal levels.”
Part of the appeal of Lumma Stealer is that subscriptions, which are often monthly, cost far less than the potential profits.
“Available on dark web forums for just $250, this sophisticated information stealer specifically targets what matters most to cybercriminals – cryptocurrency wallets, browser-stored credentials, and two-factor authentication systems.”
Jones told Decrypt that the scale of Lumma Stealer’s exploits is “surprising,” citing an estimated $36.5 million in losses and 400,000 Windows devices infected in two months in 2023.
“But the real concern isn’t just the numbers, it’s the multi-tier monetization strategy,” he said. “Lumma not only steals data, but also harvests browser history, system information, and even AnyDesk configuration files before sending browser history, system information, and everything else to the Russian command-and-control center.”
What makes the Lumma Stealer threat worse is that stolen data is often fed directly to “traffic teams” specializing in the theft and resale of credentials.
“This creates a devastating cascade effect where a single infection leads to bank account hijacking, cryptocurrency theft and identity fraud that continues after the initial breach,” Jones adds.
Darktrace suggests the Lumma-related exploits are centred in Russia, but DNSFilter points out that bad actors using malware services may operate from multiple regions.
Mikey Pruitt said, “It is commonplace for this malicious activity to involve individuals or groups from multiple countries, particularly through the use of international hosting providers and malware distribution platforms.”