When it comes to malware, high on the list of the most dangerous, and certainly amongst the most prolific, is the infostealer. If you’ve ever wondered what was behind headlines such as “19 billion compromised passwords published online” or “one million Windows devices infected,” that’s infostealer malware. The Lumma Stealer family is, almost certainly, the most virulent, deploying thousands of fake “I Am Not A Robot” captcha lures. Google has now issued a warning about the Lummac.V2 infostealer malware threat. Here’s what you need to know…
Google Security Operations Issues New Lumma Stealer Malware Alert
Infostealer malware comes after your passwords, the 2FA codes that are meant to add an extra layer of protection against attack, and everything from browser information to email databases. In that category, there is no bigger threat than Lumma Stealer. Other than, perhaps, the less tongue-friendly Lummac.V2, a reworking of the Lummac malware that is itself a variant of Lumma Stealer.
A Google Cloud Security report by Praveeth Dsouza, a Google security analyst, and Tommy Dacanay, a senior security analyst of threat hunting at Google, has warned that Lummac.V2 targets everything from browsers and crypto wallets, through password managers and Remote Desktop applications, to email platforms and instant messaging apps.
Part of the Google Security “Finding Malware” series, the report takes a deep technical dive into the emerging threat that Lummac.V2 presents. It is, in fairness, far too technical to go into detail here, so I would heartily recommend that those of a more advanced technical bent go and read the whole thing. The TL;DR, however, is that Lummac.V2 steals “credentials, logins, emails, personal and system details, screenshots, and cookies,” according to the report. It accomplishes this by using the ClickFix method of social engineering, which employs fake captcha verification pages to get the victim to execute malicious commands via the Windows Run dialog.
I’ve said it before, and I’m saying it again now: if a captcha asks you to open a Windows Run dialog and enter commands, run for the hills. This is not normal behavior, and there’s no reason on earth why a captcha verification should ask you to do such a thing. The Google report is an excellent reminder of how prevalent these threats are, but a little common sense goes a long way in keeping them at arm’s length.