Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT


HP’s latest Threat Insights Report has revealed a surge in malicious CAPTCHA campaigns, where users are tricked into running PowerShell commands that install the Lumma Stealer remote access trojan (RAT).

The campaigns show that attackers are capitalizing on growing click tolerance, whereby users are now accustomed to jumping through hoops to authenticate themselves online, according to HP.

Users were directed to attacker-controlled sites and prompted to complete a range of fake authentication challenges. This resulted in them running a malicious PowerShell command on their PC that ultimately installed the Lumma Stealer RAT.

Dr Ian Pratt, Global Head of Security for Personal Systems at HP, said, “Multi-step authentication is now the norm, which is increasing our ‘click tolerance.’ The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training.”

“Organizations are in an arms race with attackers – one that AI will only accelerate. To combat increasingly unpredictable threats, organizations should focus on shrinking their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected,” Pratt added.

The firm’s report found that at least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.

It also noted that executables were the most popular malware delivery type (43%), followed by archive files (32%).

RATs Distributed in Multiple Campaigns

A second campaign identified by HP saw attackers spreading an open source RAT, XenoRAT, with advanced surveillance features such as microphone and webcam capture.

Using social engineering techniques to convince users to enable macros in Word and Excel documents, attackers could control devices, exfiltrate data and log keystrokes – showing that Word and Excel still present a risk for malware deployment.

HP also found threat actors leveraging Scalable Vector Graphics (SVG) images to deliver malicious JavaScript, bypassing traditional detection mechanisms.

By default, web browsers render these images, triggering the embedded code. This technique facilitates the deployment of seven payloads, including RATs and infostealers, offering attackers redundancy and diverse monetization avenues.

As part of the infection chain, the attackers also used obfuscated Python scripts to install the malware. Python’s popularity – which is being further boosted by rising interest in AI and data science – means it is an increasingly attractive language for attackers to write malware, as its interpreter is widely installed.
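A defender-side check for the SVG technique described above, added here as an example and not taken from HP's report: it inspects an SVG file for the constructs a browser would execute on render (script elements, event-handler attributes, javascript: URIs and foreignObject), so mail or web gateways can flag such attachments before delivery. The sample SVG strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Event-handler attributes (onload, onclick, ...) run code when the SVG renders.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return findings describing script-capable content in an SVG document.

    An empty list means nothing executable was found.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Browsers are lenient; malformed markup may still render, so fall
        # back to a plain text scan instead of silently passing the file.
        if re.search(r"<\s*script", svg_text, re.IGNORECASE):
            findings.append("unparseable SVG containing <script> tag text")
        return findings

    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI on <{name}>")
    return findings


# Constructed samples: a harmless image, one with a script element, one with
# an event handler. The script body is a placeholder, not a real payload.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<script>/* placeholder */</script></svg>')
ONLOAD_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>'
```

The function is deliberately conservative: anything it reports warrants quarantining or rasterising the image rather than passing the original file through to a browser.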

Data for the Threat Insights Report was gathered from consenting HP Wolf Security customers from October to December 2024.
