A fake CAPTCHA test leads to infection with Lumma and Amadey malware

marry 01.11.2024, 13:30 PM

Kaspersky warns of a new campaign that delivers malware via a fake CAPTCHA test commonly used on websites to distinguish humans from bots.

Attackers are essentially exploiting the user’s instinct to quickly go through the verification process. Traps for victims of this campaign are set in online ads, on porn sites, file sharing services, betting platforms, anime websites, and in web applications that monetize traffic.

An earlier version of this scam primarily targeted gamers, whose devices were infected with information-stealing malware through websites offering cracked games.

This new campaign, tracked from mid-September to October, shows an expansion of the distribution network, possibly with the aim of reaching a wider range of victims, Kaspersky researchers say.

To infect users’ devices with the Lumma and Amadey malware, hackers redirect victims to what appears to be a simple CAPTCHA challenge. Clicking the familiar “I’m not a robot” button, however, silently copies malicious code, and the further seemingly normal verification steps the user is asked to perform are what actually run that code.

In some attacks, the script downloads and runs an archive containing the Lumma malware, which has been sold as malware-as-a-service on Russian hacker forums since August 2022.

Once installed on a victim’s device, Lumma looks for files associated with cryptocurrency wallets and steals them. Attackers try to extract cookies and other login data from browsers, including data from password managers.

After exfiltrating the valuable data, the malware visits the pages of various online stores. “The purpose is likely to generate revenue for its operators by increasing views of these websites, similar to adware,” the researchers said.

While Lumma was previously used in the so-called fake CAPTCHA attacks, Amadey is used in this way for the first time. Amadey is a botnet that first appeared around 2018 and currently sells for around $500 on Russian hacking forums.

Amadey downloads several modules that steal passwords from popular browsers, as well as a module that watches the clipboard for cryptocurrency wallet addresses and replaces them with addresses controlled by the attackers. Another module can take screenshots and, in some cases, download the Remcos remote access tool to the victim’s device, giving attackers full control of it.
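The clipboard-swapping behaviour described above has a simple observable signature: a wallet address sitting in the clipboard is rewritten, within a fraction of a second and without any user action, to a different address of the same format. The following script is an added illustration of how an endpoint monitor could flag that pattern; it is not code from Kaspersky's report or from the malware. The address-shape regexes, the two-second window and the clipboard timeline are all assumptions and constructed sample data, and a real monitor would feed it live clipboard change events instead of the embedded list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address-shape patterns (assumption: adequate for a heuristic monitor,
# not a checksum validator).
WALLET_PATTERNS = {
    "btc": re.compile(r"(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# Assumption: a user almost never copies two different addresses of the same
# coin this quickly; a clipper rewrites the clipboard almost instantly.
SWAP_WINDOW_SECONDS = 2.0


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float   # seconds since the monitor started
    text: str   # clipboard contents after the change


def classify_address(text: str) -> Optional[str]:
    """Return the coin family a clipboard string looks like, or None."""
    candidate = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None


def detect_clipboard_swaps(
    events: List[ClipboardEvent], window: float = SWAP_WINDOW_SECONDS
) -> List[Tuple[float, str, str, str]]:
    """Flag a wallet address replaced by a *different* address of the same
    family within `window` seconds. Returns (ts, kind, original, replacement)."""
    alerts = []
    last_addr = None  # (ts, kind, text) of the most recent wallet-looking value
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify_address(ev.text)
        if kind is None:
            last_addr = None  # ordinary text in between makes the old address stale
            continue
        current = ev.text.strip()
        if (
            last_addr is not None
            and last_addr[1] == kind
            and last_addr[2] != current
            and ev.ts - last_addr[0] <= window
        ):
            alerts.append((ev.ts, kind, last_addr[2], current))
        last_addr = (ev.ts, kind, current)
    return alerts


# Constructed sample timeline (not captured from a real infection).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(5.0, "bc1qexampleuserwalletaddr0000000000"),   # user copies own address
    ClipboardEvent(5.3, "bc1qattackerswappedaddr00000000000"),    # rewritten 300 ms later
    ClipboardEvent(20.0, "0x" + "ab" * 20),                       # user copies an ETH address
    ClipboardEvent(45.0, "0x" + "cd" * 20),                       # another ETH address 25 s later: normal
]

if __name__ == "__main__":
    for ts, kind, before, after in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{ts:6.1f}s] possible {kind} address swap: {before} -> {after}")
```

On the sample timeline only the Bitcoin rewrite at 5.3 s is reported; the two Ethereum addresses are 25 seconds apart and pass as ordinary use. The same idea can be turned into a user-side habit: compare the first and last characters of the pasted address against the copied one before confirming a transfer.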

According to Kaspersky researchers, users in Brazil, Spain, Italy and Russia are among the most affected by this campaign, and it is not yet known which hacker group is behind it.

Source: www.informacija.rs