Research Saturday 2.15.25
Ep 365 | 2.15.25

Bot or not? The fake CAPTCHA trick spreading Lumma malware.

Transcript

Dave Bittner: Hello, everyone. And welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Nati Tal: How did they manage to go to such a large scale in such a short time?

Dave Bittner: That's Nati Tal, head of Guardio Labs. The research we're discussing today is titled "DeceptionAds -- Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising." [ Music ]

Nati Tal: Because something else is going on and we want to understand what and be able to maybe in the future stop those kinds of things from, in the beginning, before they continue to propagate at such scale. So basically, the fake CAPTCHA is something that we were familiar with like a year ago, something like that. It's actually a funny story, because the fake CAPTCHA like we see today used by threat actors and all those bad guys and scammers all around started off as an educational at GitHub for testing and for raising awareness by some of the community, cybersecurity community, some that we know but I won't say names now [laughter]. And eventually, you know, they saw it as a good opportunity to educate. And scammers just took it and said, oh, that's great, let's just fork this repo, change the title and that's it. And the real deal behind it is, again, the payload itself, which is Lumma Stealer and some other variants of that. But the interesting part of it, and this is what we also focused on in our research, is the mode of propagation -- how you actually get those fake CAPTCHAs to pop up on users' computers, on the screens in the first place and at such scale. And this is what was interesting for us, because, again, taking this kind of phishing page out of a repo and duplicating it, mapping it. But the real deal is to actually recognize this kind of simple phishing page at such scale.

Dave Bittner: Well, before we dig into some of the details of the work that you all did here, for folks who might not be familiar with it, can you give us a little explanation of how exactly this fake CAPTCHA stealer campaign works?

Nati Tal: Well, the phishing page itself -- and this is why we also call it "fake CAPTCHA" -- is basically a CAPTCHA page, like we're already kind of used to seeing when we go to specific websites, just to make sure we are not bots or something like that. And it's kind of our day-to-day when we enter those kinds of websites and are asked to make sure we are human. So sometimes we need to, I don't know, find the traffic lights on those pictures or some other kind of stuff, or just click on a button and set it on and, okay, you're okay, you're not a bot or computer. And because we are so used to it, this is the exact point when scammers are entering and using, when you have your kind of regular stuff you're doing all the time -- searching Google and clicking on the first result you get, or entering a website and being asked to make sure you're human, this is where scammers are able to enter and use those kinds of activities. Because you're used to it, it's okay if you get a CAPTCHA, let's go on with it, I want to see the website. And this is exactly what they did, only that instead of just clicking on a button or selecting those traffic lights, you're asked to click on some buttons on your computer. Again, it's a bit strange. It's not like you're used to. But for the regular user, it sounds legit. I click on some buttons and then it's all okay. But those buttons are not just any buttons. Specifically targeting Windows systems, if you click on control R, you get the run command. And if you click on control V, you paste a payload they already placed in your clipboard that is actually a one-liner code execution. Which with PowerShell or any other kinds of variants we found lately. So without even being aware, you're executing code on your computer. And what this code does, eventually after downloading a file and running some more commands, but it's all done in the background, and you get yourself hit with a stealer. And all your personal information, accounts, and everything, all is like in a matter of seconds in the hands of the scammers.

Dave Bittner: So you and your colleagues wanted to get to the bottom of this. And I hate to, you know, be a spoiler, perhaps a spoiler alert here, but it all comes down to ad networks, doesn't it [laughter]?

Nati Tal: Well, yeah, eventually. And again, nothing new here, of course. Because we already talked about in the last few years, and other researchers, not only us of course, about abuses of any kind of ad network like Facebook itself even and Google, its search results, that show up, like fake pages of Slack and others, and OBS even. And all of this is not new. But when we started analyzing specifically this campaign, it was quite obscure to see that all of the flow, all of the victims of these specific campaigns come eventually from one single ad network. And we're not used to seeing stuff like that. Basically, threat actors try to propagate from different aspects -- by email, SMSs, search results, just SEO poisoning even. But in this case, it was orchestrated entirely by one ad network that we didn't know before. And when we dug in and tried to analyze the origin of this flow, it's like you're opening a Pandora's box, of course. You realize that, again, it's one ad network. And if you analyze the entire ad network, you see that around, I don't know specifically, but more than half of the ads that it will eventually pop on your computer are malicious in some way or not entirely legit. And not only that, the publisher websites -- meaning the sites that monetize on the traffic with this ad network -- they also share too much of the characteristics together. Meaning, it sounds and feels like everything is orchestrated from the beginning to the end. Again, it's just me saying that, I don't have the exact.

Dave Bittner: Right.

Nati Tal: But we're working on it. But again, you see so many publisher websites that move the same mostly pirated content and video streaming and movies and of course adult content. And all those websites are practically the same. They look and feel the same. We even found some repos in GitHub of those websites: just fork it, change the specific tag for your convenience, you know, of your specific ad network you're using, and upload it and that's it. You have a site you can monetize your traffic. And all the ad networks, they were practically from the same actor. In this case the actor, not the threat actor, is a company, an ad network, that is eventually legit, PropellerAds, that are very powerful and they work all around the world and everything is legit and okay. But we see like subcompanies or small companies or different brands that are behind the infrastructure and also the name of PropellerAds that are eventually used in many cases, I can't say most, I can't say it's intentional, but they are used for propagation of malicious content at the end of it.

Dave Bittner: Yeah. Well, let's walk through it together step by step here. I mean, can you take us through how is this ad network being used, how do things end up in their network and then ultimately on our systems? Can you take us through that journey?

Nati Tal: Well, let's make it from the point of view of a publisher. In the ad networks' lingo, a publisher is a website that wants to monetize on their traffic. So for an example, I am a website that wants to stream movies. Those movies are probably pirated and not Netflix. But I want to monetize on traffic, so I have a host, I have a domain, and I created some kind of website. Or even if I look around, I find some templates already made for movies and streaming. So I upload this website and now I want to monetize on my traffic. So I go to any kind of ad network. I register a user there. And I add my website, my domain, to the system, set it up on my main page or any other page of my website, and basically that's it. From that moment on, this specific ad network, in our case, in this research, it was an ad network named Monetag. So from this moment on, every visitor that visits my website, they get my content, but also have a script, managed and created by Monetag, running on their browser. So what this script actually does is creating an ad zone -- meaning a specific zone for advertising on my website. I choose if I want it to be a pop-up or a pop-under in their lingo. It used to be pop-under behind your website. It's not working anymore.

Dave Bittner: [Laughter] Yeah. Everybody hated those.

Nati Tal: Yeah. We did see some people trying to, you know, like bring it back on and try other techniques to create those pop-unders. Some made it. But, again, this time, Chrome is fast in fixing those kinds of, you know, bugs or exploitations. So now we have pop-ups. Again, it's not managed as well. And you have pop-ups and you have push notifications and you have fake push notifications that jump on top of your website. But anyways, from that moment on, Monetag is controlling my website and presenting ads as I requested. And in this case, the most hateful, I guess, type of advertising is those pop-ups, that everywhere you click on the page, a new tab is popping up with different content from what you were looking for. And what happens in this specific moment is a new tab is opened. It goes to Monetag's infrastructure or Traffic Distribution System (TDS, like we call it). Which is a list in this case of thousands of domains used specifically to trigger those kinds of advertisements. What they do is try to fingerprint who I am, the visitor, what kind of computer I have, what kind of social networks I use. They even try to load some resources from Facebook and Twitter (X) and stuff like that, just to fingerprint who I am and what would be the perfect advertising to show me in their case. And from that moment, when they have their decision, they're moving me on to their advertiser. This Monetag ad network has publishers, the ones that created those websites and monetize on the traffic. And advertisers that show their creatives and any kind of other advertisement and ask for those advertisements to be shown for visitors. And from that moment on, an advertisement is selected and we move on with redirects and other tricks to showing this specific advertisement. In the fake CAPTCHA, specifically in the fake CAPTCHA campaign, it was more complex. Which is also something that we realize is not there for, I don't know, for statistics or for other kinds of technicalities, but specifically to try to obfuscate or to even make it harder for analysts like us to realize something bad is happening, or where this is exactly happening. So what they did is, instead of using the end-point, you know, the fake CAPTCHA page, they were using some other, we call them cloakers -- other services that are again from the ad industry, ad statistics, in this case BeMob, and made the link for the advertisement to be a BeMob created link, cloaking eventually the real URL of the fake CAPTCHA. So from Monetag to BeMob, and again the same, occasionally also they're analyzing who is the visitor and etcetera, etcetera, and then eventually redirecting you to the fake CAPTCHA page. [ Music ]

Dave Bittner: We'll be right back. So one of the things you point out in the research is, this is set up in a way that it makes it harder to point the finger at any one particular organization, right? I think in your research there are like four different organizations who along the way of delivering this ad all have a hand in what's going on here, but they can all kind of point to each other and say, no, it's not us, it's them; they're the responsible party.

Nati Tal: Exactly. We call it the fragmented accountability of the ad network system. And this is exactly what makes it perfect for scammers. Because, again, ad networks, they are legit, everything is okay. The entire ecosystem of the internet, basically, is based on advertisement. You know, if it's free, you are the product, yeah? So what they are using in this case is a long, long chain like we just talked about, you know, from the publisher website to Monetag to the TDS to BeMob to another cloaker, etcetera, and eventually to the host that hosts this landing page, or in this case the fake CAPTCHA, which is also a legit host. In this case, even Oracle Cloud was used and Cloudflare itself in some cases. So this long chain of accountability is what makes it harder for us as security researchers and basically the entire security community to be able to block those kinds of campaigns. We tried it. One of the first things we did at Guardio was to, okay, collect all the data, understand exactly what is happening, who are the actors in this chain, and contact them. It's a good example to see how hard it is to actually get those kinds of campaigns down for good. We contacted Monetag, and after a few days, they answered back. We gave them all the URLs we see and all the data we have, and, indeed, they took it down. They said that they had around 200 different accounts used specifically for this campaign of advertisers. So this was one part of it. Then we get to BeMob that were used or abused in this case as well. They also talked to us quite quickly, a few days, like two days later, and took down all their accounts as well. And we did see the campaign going down for almost a week. Which is great, of course. But here comes the important part of it. So we took it down. First of all, it took us around a week of emailing. And it's not that simple to say to a company that, okay, you have a customer that is abusing your system. I know this customer is paying you. You have no obligation for that customer, but you need to take him down. It's hard to say that to a company. And you need to give all the information, the real information. It's not always that simple to get this kind of information. And this is why it took us a few days just to interact with Monetag in this case. But in those few days, millions of people got those CAPTCHA pages, and probably hundreds of thousands of them at least actually have those stealers installed on their system and got infected. So even though this is like the first part of it -- the part that makes it harder to act quickly -- on the other hand, it was down for a week or something like that. It got back quite quickly on the same ad network again after a few days. And again, we approached them and they took them down, again, a few more accounts, etcetera. But on a parallel path, the threat actors realized, okay, we now understand they got us on Monetag. No worries, we have like 100 other ad networks to use. And they do have those 100 other ad networks like Monetag. And we quickly saw the same campaign, same pages, even same hosts, that we also approached them to take down those kinds of pages. Again, new accounts, new ad networks, and the campaign is right back. Like it took them four days to get back to the same scale it was before.

Dave Bittner: Right. Well, I mean, without calling anyone out specifically here, I suppose there's a lot of money to be made by turning a blind eye to this sort of thing.

Nati Tal: Exactly. And this is also something that we suspect, of course. And again, I don't have the smoking gun just yet. But this is a big industry and a lot of money, lots and lots of money in advertisements. And again, not only in advertisements, but some of those threat actors, there's a reason why they're doing that as well. And because they are persistent and the ad networks are persistent, and they want to continue their business as usual, it's hard to actually report and take down those kinds of threats. And this is also why, okay, we approach them just to see that everything is okay, and it's our first approach to Monetag in this case. We wanted to see who are the people behind this company and that everything is legit and okay. But again, if not Monetag, there are like hundreds of other names I can tell you, even some new very funny names, I have to mention them. The guys from Infoblox, we also cooperated with them on this research. And they are also working on those kinds of TDSs for years now. And they just realized a new ad network, even two ad networks, were created out of the blue. And one is called -- it's for all the Breaking Bad enthusiasts -- Los Pollos ad network, and Paco Loco we call as the TLD of the domain. And great graphics, really great graphics, and amazing websites for those ad networks. But again, you look at those ad networks and you understand that it's just another fog of Monetag stuff and other networks that are part of bigger networks, just to be able to spread around different kinds of networks, different kinds of obligations, accountabilities, just to keep the business rolling and not stopping.

Dave Bittner: I mean, it reminds me -- you know, I think we've all been in that situation where you're using an ad blocker and you'll go to visit a site and it pops up and says, so we see you're using an ad blocker, please disable your ad blocker. But this sort of research I think is a good reminder that ad blockers are security, right? Because so many ads out there are malicious.

Nati Tal: Yes and no [laughter]. And I'll try to answer that. Well, again, also for us, by the way, any use of the internet, if you block all advertisements for all the internet users all around the world, there won't be any internet. So we need to remember that as well. But, saying that, as you can see, many ad networks are being abused. Even Google and Facebook are abused for malicious content in scale. And some, I guess -- again, no smoking gun yet -- they're specifically for those reasons: because the big money is there. But again, ad blocking is important, but it's not only on ads. So you will get this kind of malicious content from any kind of other path -- email, SMS, posts on Facebook and social, and whatever. Also, specifically for Monetag, they have created some quite sophisticated obfuscation for their code that makes it harder, much harder, on ad blockers to be able to block it. And not only that, we mentioned also another phrase, TDS (Traffic Distribution System). Again, it's a list of thousands and thousands of domains. Those are the domains that those ad blockers need to block any kind of request for those domains. But those domains are changed and regenerated on a daily basis. So if you have an ad blocker, it will work on some of the sites a day later. Most of the sites, it won't work on them. They're already using different domains. They know what they're doing in this case.

Dave Bittner: Right.

Nati Tal: So you also need to be blocking those kinds of TDSs. Also block the actual malicious content. And most importantly -- and this is what is our like holy grail here at Guardio -- not only block a specific content, because they can change it and make many variants like a few minutes later and you won't block it, don't fingerprint malicious content. It won't work. And also, don't fingerprint domains, because domains change all the time. What we do is mostly look at the flow -- where you get this information from, where you get this pop-up from, what you did before, what you're doing after. And because we know how threat actors work and where they want to get their victims and pinpoint the specific area, well, it's the best place to place this kind of fake CAPTCHA, for example. We look at the flow and then we can block these kinds of anomalies even without knowing what is the malicious content at the end. [ Music ]

Dave Bittner: Our thanks to Nati Tal, from Guardio Labs, for joining us. The research is titled "DeceptionAds -- Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising." We'll have a link in the Show Notes. That is Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to CyberWire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]