Malicious Ads Distribute Lumma Infostealer via Fake CAPTCHA Pages

A large-scale malvertising campaign has been discovered, distributing the Lumma Stealer malware through deceptive CAPTCHA verification pages. These fake pages trick users into executing PowerShell commands under the guise of verifying their human identity.

This campaign leveraged the Monetag ad network, generating over a million ad impressions daily across 3,000 websites. Dubbed “DeceptionAds” by cybersecurity researchers at Guardio Labs and Infoblox, the operation is believed to be orchestrated by a threat actor known as “Vane Viper.”

An Evolution of ClickFix Attacks

DeceptionAds represents an evolution of the “ClickFix” attack strategy, where victims are manipulated into running malicious PowerShell commands on their devices, leading to infection. While previous ClickFix campaigns relied on phishing emails, pirate software sites, and malicious social media pages, this operation utilizes large-scale advertising through legitimate ad networks to reach unsuspecting users.

Guardio Labs researchers found that attackers use Monetag’s ad network to serve pop-up ads promoting fake offers, downloads, or services. These ads primarily appear on pirate streaming and software platforms, increasing their reach among users likely to fall for such tactics.

How the Attack Works

  1. Ad Placement: Malicious ads are placed on Monetag, targeting users browsing pirate and streaming platforms.
  2. Cloaking via BeMob: If a user clicks on an ad, obfuscated code checks whether they are a real person. Validated visitors are redirected to a fake CAPTCHA page through BeMob, a legitimate ad-tracking service that the attackers abused for evasion.
  3. Execution of Malicious Code: The fake CAPTCHA page contains a JavaScript snippet that silently copies a malicious PowerShell command to the user’s clipboard. The page then instructs the victim to open the Windows Run dialog and paste and run the command, which launches the Lumma Stealer malware without the victim realizing it.

Impact of Lumma Stealer

Lumma Stealer is a sophisticated information-stealing malware capable of extracting:

  • Cookies, credentials, and passwords from popular browsers like Chrome, Edge, and Firefox.
  • Cryptocurrency wallets, private keys, and sensitive text files such as seed.txt, pass.txt, and wallet.txt.
  • Browsing history and credit card information.

The stolen data is collected, archived, and transmitted back to the attacker, who may use it for further cyberattacks or sell it on dark web marketplaces.

Response from Security Firms

Guardio Labs promptly reported the abuse to both Monetag and BeMob. Monetag responded by shutting down 200 malicious accounts within eight days, while BeMob took action to stop the campaign within four days. However, the attackers attempted to relaunch the campaign through a different ad network on December 11, highlighting their persistence.

The Growing Threat of Infostealers

Infostealer campaigns have surged globally, posing severe risks to individuals and organizations. These threats can lead to financial fraud, privacy breaches, and even full-scale ransomware attacks. For instance, in May, credentials stolen by infostealers were used in the massive Snowflake account breaches, affecting major companies like Ticketmaster, AT&T, and Advance Auto Parts.

How to Stay Safe

To protect yourself from infostealer malware, follow these precautions:

  • Never execute commands from websites: Avoid pasting or running any commands prompted by websites, especially those disguised as CAPTCHA solutions or fixes.
  • Avoid pirated software and illegal streaming sites: These platforms are notorious for hosting malicious ads, making users more susceptible to malware infections.
  • Use reputable security tools: Enable browser security settings, install ad blockers, and keep antivirus software up to date to detect and block malicious scripts.

As cybercriminals refine their tactics, it is crucial to remain vigilant against evolving threats like DeceptionAds. Awareness and proactive security measures can significantly reduce the risk of falling victim to such attacks.
