Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

The infection chain starts when a target victim visits a website such as this URL: hxxps://payment-confirmation.82736[.]store/pgg46, the initial attack vector was not successfully extracted during the analysis period therefore we speculated that the source was probably a phishing email. This link redirects to hxxps://booking[.]procedeed-verific[.]com/goo_pdf that contains a blurred document from booking.com. Looking at the link, it might not appear suspicious to an average user, especially with the 'https' in the URL, which could lead the victim to believe the site is safe to visit. Now what is interesting in this webpage is before being able to view the booking document, there is a captcha that requires the user to click the “I’m not a robot” checkbox. Normally this would only prompt some image verification techniques (e.g. “Select all the images with bicycles in them”) to prove that the website is being used by a human user and not by some automated mechanism.

In this case, there are different verification steps in this CAPTCHA procedure. The user is required to open their Run window and then paste a command that was copied into their clipboard. This is an example of ClickFix, an emerging unique social engineering technique that involves displaying fake error messages in dialogue boxes to deceive users into executing malicious commands on their own systems. This technique can be delivered through compromised and fake websites, documents or files posing as legitimate software.

During our investigation, the fake booking webpage displayed two different PDFs that show booking confirmation details that are modeled after the platforms of booking.com and hrs.com

Viewing the page source of this webpage shows that there is a JS script that loads a command from a PHP script from another URL.

The URL that contains an obfuscated PHP script that is encrypted with ROT13 encryption.
After decryption, we can now see that it shows the JS script that copies a Base64 command into the victim’s clipboard. It implemented the deprecated document.execCommand(“Copy”) which might be a part of a new phishing kit for information stealers.

Deobfuscating the Base64 code in the unsecuredCopyToClipboard function will present a command that is to be pasted in the Windows Run service as suggested by the ClickFix instructions to the user. This is a command that will execute a PowerShell script that is encoded in Base64. The deobfuscated PowerShell command shows that it will invoke a web request from the URL hxxps://booking[.]procedeed-verific[.]com/in[.]php?action=1. This webpage stores another PowerShell script that will download a file from hxxps://booking[.]procedeed-verific[.]com/in[.]php?action=2 in the Temp directory and execute it using the “Start-Process” command.

We’ve continuously monitored the download link for possible changes and noticed that the LummaStealer payload file changes over time. What’s common for all the samples we have collected is that they are significantly larger than other versions by up to 350% (from 3MB to 9MB) indicating that there’s a possibility of more complex payloads having more capability, evasion and encryption techniques.  In this case, the samples collected used Binary Padding, a technique where malware authors add junk data to the end, start or in between data sections of the malicious file. This will cause an analysis to take longer, or trigger file size limitations on security tools – in order to minimize impact on the users, files are only checked up to a certain size by any browser / web protection mechanism. Larger files therefore result in longer response times for signature-based antivirus detections.

Upon reverse engineering all the samples we’ve collected, these samples keep using the same method of obfuscation as other LummaStealer samples found in the wild. This method is calledIndirect Control Flow which is an obfuscation technique where malware avoids direct jumps or calls by dynamically calculating target addresses at runtime, making analysis harder. The way it does this is by using Dispatcher Blocks which are specialized code regions that control execution by selecting the next instruction or function dynamically.

Here is a snippet of a Dispatcher Blocks found inside the sample (SHA256: 7b3bd767ff532b3593e28085940646f145b9f32f2ae97dfa7cdd652a6494257d )

We tried hunting for other websites which have the same approach in delivering LummaStealer. We started our search with the redirect URL (hxxps://payment-confirmation.82736[.]store/pgg46) to see if it has records of redirection to other URLs with the same behavior. While we didn’t find any other active URLs, what we found out is that its host server also hosts several websites which have at least one phishing detection from other vendors. Below is an example of a phishing website that is hosted on the same server that poses as booking.com and steals PayPal credentials.

There are multiple subdomains sourced from VirusTotal that can be correlated to our original fake booking link. These related links show that there are multiple subdomains that replicate the same behavior and contain the same ClickFix technique.