Kaspersky uncovers new stealer campaign via web ads

Kaspersky has identified a new malicious campaign targeting Windows PC users through web advertisements.

While browsing the web, users may inadvertently click on an ad that covertly occupies the entire screen, subsequently directing them to fake CAPTCHA pages or deceptive Chrome error messages. These misleading prompts guide users towards downloading malware known as stealers.

In September and October 2024, Kaspersky's data revealed over 140,000 instances of these malicious ads and more than 20,000 users being redirected to malicious pages with embedded scripts. This threat has been detected across various regions, including Latin America, Africa, the Middle East, and Asia.

CAPTCHA, a security measure to differentiate human users from automated bots, was previously utilised by attackers distributing the 'Lumma' stealer. Primarily targeting gamers, the attack tricked users into clicking ads that covered their screens, leading them to fake CAPTCHA pages with instructions to download malicious files.

This process involved users clicking the "I'm not a robot" button, which secretly copied an encoded Windows PowerShell command onto their clipboard. The prompt compelled users to paste the command into their terminal, inadvertently initiating the download and execution of the Lumma stealer. The malware sought cryptocurrency files, browser cookies, and password manager data on compromised devices. Additionally, it artificially inflated the view counts of several e-commerce websites, financially benefiting the attackers.

Kaspersky has observed a new iteration of this attack, where instead of a CAPTCHA, victims encounter a webpage error message imitating a service message from the Chrome browser. Users are instructed to "copy the fix" into their terminal window, with the fix being an identical malicious PowerShell command as described in the Lumma attack.

The latest attack wave extends beyond gamers, also targeting users through file-sharing services, web applications, betting portals, adult content sites, and anime communities. This campaign employs the Amadey Trojan, which, like Lumma, extracts credentials from browsers and cryptocurrency wallets. However, Amadey can also take screenshots, retrieve credentials for remote access services, and install a remote access tool, affording attackers full control over affected devices.

"Attackers bought some advertising slots, and if a user gets to see this ad and click on it, they are redirected to malicious resources, which is a common attack tactic. The new wave of this campaign involves a significantly expanded distribution network and the introduction of a new attack scenario that reaches more victims. Now users can be lured away by either a fake CAPTCHA prompt or a Chrome webpage error message, falling victim to a stealer with new functionalities. Corporate users and individuals should exercise caution and think critically before following any suspicious prompts that they see online," comments Vasily Kolesnikov, Security Expert at Kaspersky.

To mitigate the risks posed by stealers, businesses are advised to verify if any credentials have been compromised using Kaspersky's dedicated resources. Employers should enhance digital literacy among their staff through comprehensive cybersecurity training tools and utilise robust security solutions such as Kaspersky Endpoint Security for Business to promptly detect malicious activities.

Individuals are encouraged to employ comprehensive security software like Kaspersky Premium to secure their devices and be cautious about opening suspicious web pages or phishing emails. Using a dedicated password manager, such as Kaspersky Password Manager, can also help in securing passwords effectively.