A new wave of the malicious campaign that is spread through web ads and aimed at Windows PC users was discovered by Kaspersky.
While browsing the web, users may unknowingly click on an ad that invisibly covers the entire screen, redirecting them to a fake CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) page or a fake Chrome error message that prompts them to follow steps to download stealers.
Kaspersky’s telemetry recorded over 140 000 encounters with these malicious ads in September and October 2024, and more than 20 000 users were redirected to the fake pages hosting malicious scripts.
This threat was encountered by users in many regions, including LATAM, Africa, the Middle East, and Asia.
A CAPTCHA is a security feature used on websites and in apps to verify whether a user is human or an automated program or bot.
Earlier this year, there were reports of attackers distributing the Lumma stealer using fake CAPTCHAs, primarily targeting gamers. When browsing gaming websites, users were lured into clicking on an ad that covered the entire screen. They were redirected to a fake CAPTCHA page with instructions below the prompt tricking them into downloading the stealer.
When users clicked the I’m not a robot button, an encoded Windows PowerShell command was copied to their PC’s clipboard. They were then prompted to paste it into the terminal box and press Enter, inadvertently downloading and launching Lumma.
The malware searched for cryptocurrency-related files, cookies, and password manager data on the victim’s device. It also visited the webpages of various e-commerce platforms, boosting their view counts, giving the attackers additional financial gain.
In the new wave of the attacks, Kaspersky researchers identified another attack scenario in which, instead of a CAPTCHA, a webpage error message is displayed, styled to look like a service message in the Chrome web browser. The attackers instruct the user “copied the fix” into the terminal window – the fix being the same malicious PowerShell command as described above.
Kaspersky discovered that the new wave of the attack targets not only gamers, but other groups, and is distributed through file-sharing services, web applications, bookmaker portals, adult content pages, anime communities, and other channels. The attackers also use the Amadey Trojan in this wave of the attack – like Lumma, it steals credentials from popular browsers and cryptocurrency wallets, but it can also take screenshots, obtain credentials for remote access services, and download a remote access tool to the victim’s device, allowing the attackers to gain full access.
“Attackers bought some advertising slots, and if a user gets to see this ad and click on it, they are redirected to malicious resources, which is a common attack tactic,” comments Vasily Kolesnikov, security expert at Kaspersky. “The new wave of this campaign involves a significantly expanded distribution network and the introduction of a new attack scenario that reaches more victims.
“Now users can be lured away by either a fake CAPTCHA prompt or a Chrome webpage error message, falling victim to a stealer with new functionalities. Corporate users and individuals should exercise caution and think critically before following any suspicious prompts that they see online.”