Fake CAPTCHAs Unleash Lumma and Amadey Malware

Tags: Lumma Malware, Amadey Trojan, Fake CAPTCHA, Remote Access Malware
The Lumma and Amadey malware campaign deploys fake CAPTCHA screens to deceive users into unwittingly downloading malicious software. When engaged, this malware enables covert data theft, system breaches, and remote access, showcasing a clever evasion tactic that slips past standard security measures.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1557 - Man-in-the-Middle


ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.[14]

DS0029 | Network Traffic | Network Traffic Content

Monitor network traffic for anomalies associated with known AiTM behavior.

DS0029 | Network Traffic | Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

DS0019 | Service | Service Creation

Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as remote logins or process creation events.

DS0024 | Windows Registry | Windows Registry Key Modification

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.


T1053 - Scheduled Task/Job


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task scheduling commands being executed with unusual parameters.

index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")
| eval CommandLine=coalesce(CommandLine, process)
| where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
| where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%"))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))

DS0032 | Container | Container Creation

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new container creation events with unusual parameters.

index=container_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events")
| eval event_action=coalesce(action, status)
| where event_action="create" OR event_action="start"
| search event_type="container"
| search parameters="*--privileged*" OR parameters="*--cap-add=*" OR parameters="*--volume=*" OR parameters="*--network=host*" OR parameters="*--device*"

DS0022 | File | File Creation

Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new task files with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="mac_os_events" OR sourcetype="file_monitoring")
| eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
| search (platform="Containers" AND event_type="file_create" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\\Windows\\System32\\Tasks\\*" OR ObjectName="C:\\Windows\\Tasks\\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*"))

DS0022 | File | File Modification

Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task file modifications with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="mac_os_events" OR sourcetype="file_monitoring")
| eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
| search (platform="Containers" AND event_type="file_modify" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\\Windows\\System32\\Tasks\\*" OR ObjectName="C:\\Windows\\Tasks\\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*"))

DS0009 | Process | Process Creation

Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Note: the relevant events and sources are listed below.

Windows:

  • Sysmon Event ID 1: Process creation, particularly for schtasks.exe, at.exe, Taskeng.exe, crontab, etc.

  • Windows Event Log EventCode 4688: Process creation that might involve task scheduling.

  • Windows Task Scheduler Logs: Task creation, modification, or deletion.

Linux/macOS:

  • Auditd logs: Monitoring for cron job creation or modifications.

  • Syslog: Logs related to cron jobs or scheduled tasks.

  • File integrity monitoring (FIM): For changes to /etc/cron, /var/spool/cron/, or user-specific cron jobs.

Containers:

  • Container logs: Detection of scheduled tasks or cron jobs within container environments.

Analytic 1 - Look for task execution with unusual parameters.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog")
| eval Image=coalesce(Image, New_Process_Name, exe, process)
| search Image IN ("*\\schtasks.exe", "*\\at.exe", "*\\Taskeng.exe", "*/cron", "*/crontab", "*systemd-timers*")

DS0003 | Scheduled Job | Scheduled Job Creation

Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.

Analytic 1 - Scheduled Task Execution

source="*WinEventLog:Security" EventCode=4698
| search NOT TaskName IN ("\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
| search TaskContent="*powershell.exe*" OR TaskContent="*cmd.exe*"
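A worked triage of one Event ID 4698 record matching the analytic above, added here as an example (it is not code from the original page or from ATT&CK): it parses the TaskContent XML, skips the two benign task names, flags actions that run cmd.exe or powershell.exe, and decodes an -EncodedCommand argument so the analyst sees the plaintext. The task name and the TaskContent blob are constructed samples.

```python
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Namespace of Task Scheduler task definitions (what TaskContent of EID 4698 carries).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# The two routine maintenance tasks the analytic above filters out.
KNOWN_BENIGN_TASKS = {
    r"\Microsoft\Windows\UpdateOrchestrator\Reboot",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",
}

# The interpreters the analytic above keys on.
INTERPRETERS = ("powershell.exe", "cmd.exe")


@dataclass
class TaskFinding:
    task_name: str
    command: str
    arguments: str
    suspicious: bool
    decoded_command: Optional[str] = None


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand payload (base64 over UTF-16LE).
    powershell.exe also accepts -e, -ec, -enc and any longer prefix of the name."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t == "-ec" or (len(t) > 1 and "-encodedcommand".startswith(t)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload not decodable
    return None


def extract_exec_actions(task_content: str) -> List[Tuple[str, str]]:
    """Return (Command, Arguments) for every <Actions><Exec> in the task XML."""
    # The event text is already decoded, yet the embedded declaration still says
    # encoding="UTF-16"; drop it so the parser does not try to honour it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content).lstrip()
    root = ET.fromstring(body)
    pairs = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        pairs.append((cmd, args))
    return pairs


def triage_4698(task_name: str, task_content: str) -> List[TaskFinding]:
    """Apply the analytic to one 4698 event: skip the known-benign task names,
    then flag every action whose executable is cmd.exe or powershell.exe."""
    if task_name in KNOWN_BENIGN_TASKS:
        return []
    findings = []
    for cmd, args in extract_exec_actions(task_content):
        exe = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        suspicious = exe in INTERPRETERS
        decoded = decode_encoded_command(args) if suspicious else None
        findings.append(TaskFinding(task_name, cmd, args, suspicious, decoded))
    return findings


# Constructed sample: TaskContent of a 4698 event for a task that starts a hidden
# PowerShell with an encoded command (the base64 below decodes to "Start-Sleep").
SAMPLE_TASK_NAME = r"\OneDriveSyncHelper"
SAMPLE_TASK_CONTENT = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA==</Arguments>
    </Exec>
  </Actions>
</Task>
"""
```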


T1558 - Steal or Forge Kerberos Tickets


ID | Data Source | Data Component | Detects

DS0026 | Active Directory | Active Directory Credential Request

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.[6][7][8] Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[9] Monitor for indications of Pass the Ticket being used to move laterally.

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

DS0022 | File | File Access

Monitor for unexpected processes interacting with lsass.exe.[10] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.

DS0028 | Logon Session | Logon Session Metadata

Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (e.g. accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[11][5]
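The pattern described above, as an added example that is not part of the original page: a sliding window over Event ID 4769 requests per account that reports accounts asking for many distinct services in a short time and counts how many of those requests used RC4 (0x17). The log lines are constructed; their field names follow the Splunk Windows add-on, but the one-line key=value layout is an assumption made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

RC4_HMAC = 0x17  # the etype the page singles out; AES-only domains show 0x11/0x12


class TgsRequest(NamedTuple):
    ts: datetime
    account: str
    service: str
    etype: int


# One-line rendering of a 4769 event. Field names follow the Splunk Windows
# add-on; the line layout itself is an assumption made for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=4769 Account_Name=(?P<acct>\S+) "
    r"Service_Name=(?P<svc>\S+) Ticket_Encryption_Type=(?P<etype>0x[0-9a-fA-F]+)$"
)


def parse_4769(log: str) -> List[TgsRequest]:
    """Keep only 4769 lines; other event IDs and malformed lines are skipped."""
    reqs = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            reqs.append(TgsRequest(ts, m["acct"], m["svc"], int(m["etype"], 16)))
    return reqs


def find_ticket_request_bursts(reqs: List[TgsRequest], window: timedelta = timedelta(minutes=5),
                               min_services: int = 5) -> Dict[str, dict]:
    """Slide a time window over each account's requests (sorted by time) and
    report accounts that asked for at least min_services distinct services inside
    one window, together with how many requests in that window used RC4."""
    by_account: Dict[str, List[TgsRequest]] = defaultdict(list)
    for r in reqs:
        by_account[r.account].append(r)
    alerts: Dict[str, dict] = {}
    for account, rs in by_account.items():
        rs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(rs)):
            while rs[end].ts - rs[start].ts > window:
                start += 1  # shrink the window from the left until it fits
            span = rs[start:end + 1]
            services = {r.service for r in span}
            if len(services) < min_services:
                continue
            best = alerts.get(account)
            if best is None or len(services) > best["distinct_services"]:
                alerts[account] = {
                    "distinct_services": len(services),
                    "rc4_requests": sum(1 for r in span if r.etype == RC4_HMAC),
                    "window_start": span[0].ts.isoformat(),
                }
    return alerts


# Constructed sample: one service account pulls tickets for six services within
# half a minute, four of them RC4; an ordinary user makes two AES requests hours apart.
SAMPLE_LOG = """\
2024-05-02T08:59:10+00:00 EventCode=4769 Account_Name=jdoe@CORP.EXAMPLE Service_Name=FS01$ Ticket_Encryption_Type=0x12
2024-05-02T09:00:00+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=svc_sql Ticket_Encryption_Type=0x17
2024-05-02T09:00:05+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=svc_web Ticket_Encryption_Type=0x17
2024-05-02T09:00:09+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=svc_sharepoint Ticket_Encryption_Type=0x17
2024-05-02T09:00:14+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=svc_exchange Ticket_Encryption_Type=0x17
2024-05-02T09:00:20+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=FS01$ Ticket_Encryption_Type=0x12
2024-05-02T09:00:31+00:00 EventCode=4769 Account_Name=svc-backup@CORP.EXAMPLE Service_Name=DC01$ Ticket_Encryption_Type=0x12
2024-05-02T09:31:00+00:00 EventCode=4624 Account_Name=jdoe@CORP.EXAMPLE Logon_Type=3
2024-05-02T11:15:42+00:00 EventCode=4769 Account_Name=jdoe@CORP.EXAMPLE Service_Name=svc_web Ticket_Encryption_Type=0x12
"""
```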


T1555 - Credentials from Password Stores


ID | Data Source | Data Component | Detects

DS0025 | Cloud Service | Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity")
    (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
     OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
     OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))
| eval actor=coalesce('userIdentity.arn', caller, 'protoPayload.authenticationInfo.principalEmail'), api=coalesce(eventName, operationName, 'protoPayload.methodName')
| bin _time span=1h
| stats count by _time, actor, api
| sort - count

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

Analytic 1 - Commands indicating credential searches.

index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure")
    CommandLine IN ("*findstr /si password*", "*findstr /si pass*", "*grep -r password*", "*grep -r pass*", "*grep -r secret*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*", "*cat /etc/shadow*", "*strings /etc/shadow*", "*ls -al ~/.ssh/known_hosts*", "*ssh-add -L*")

DS0022 | File | File Access

Monitor for files being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized access to files containing credentials.

index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
    ((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*passwords*", "*creds*", "*credentials*", "*secrets*"))
     OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("*passwords*", "*creds*", "*credentials*", "*secrets*"))
     OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "*/.aws/credentials", "*/.ssh/id_rsa"))
     OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/*", "/Users/*/Library/Keychains/*", "/Users/*/.ssh/id_rsa")))

DS0009 | Process | OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.

DS0009 | Process | Process Access

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized process access indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
    ((EventCode=10 TargetImage IN ("*\\lsass.exe", "*securityd", "*ssh-agent", "*gpg-agent"))
     OR (EventCode=11 TargetObject IN ("*password*", "*creds*", "*credentials*", "*secrets*", "*keychain*", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key"))
     OR (EventCode=1 CommandLine IN ("*mimikatz*", "*procdump*", "*gcore*", "*dbxutil*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*")))

DS0009 | Process | Process Creation

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

Analytic 1 - New processes with parameters indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
    EventCode=1 CommandLine IN ("*mimikatz*", "*procdump*", "*gcore*", "*dbxutil*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*", "*cat /etc/shadow*", "*strings /etc/shadow*", "*ls -al ~/.ssh/known_hosts*", "*ssh-add -L*")


T1219 - Remote Access Software


ID | Data Source | Data Component | Detects

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 | Process | Process Creation

Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install this remote software on compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions.


T1185 - Browser Session Hijacking


ID | Data Source | Data Component | Detects

DS0028 | Logon Session | Logon Session Creation

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

DS0009 | Process | Process Access

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

DS0009 | Process | Process Modification

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.


T1087 - Account Discovery



ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore, discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022 | File | File Access

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009 | Process | Process Creation

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[10] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


T1059 - Command and Scripting Interpreter


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Analytic 1 - Suspicious script execution

(sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
| search Image IN ("*bash*", "*/sh", "*cmd.exe", "*powershell*", "*python*", "*java*", "*perl*", "*ruby*", "*node*", "*osascript*", "*wmic*")
| eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")
| where suspicious_cmds="Yes"

DS0011 | Module | Module Load

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

Analytic 1 - Look for unusual module loads associated with scripting languages.

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7
| search ImageLoaded IN ("C:\\Windows\\System32\\JScript.dll", "C:\\Windows\\System32\\vbscript.dll", "*\\System.Management.Automation.dll")

DS0009 | Process | Process Creation

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

Analytic 1 - Look for unusual command and scripting process creation.

(sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
    (EventCode=4688 OR EventID=1 OR _raw="*sh*" OR _raw="*python*" OR _raw="*powershell*" OR _raw="*cmd*" OR _raw="*script*" OR _raw="*wscript*" OR _raw="*bash*")

DS0009 | Process | Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[56]
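The EID 400/403 correlation described above, as an added example that is not code from the original page: it pairs each EID 400 with the EID 403 carrying the same HostId to reconstruct PowerShell sessions, then flags sessions whose EngineVersion major is below 5 (a candidate downgrade) and sessions whose HostName is ServerRemoteHost, the value remoting sessions report. The event messages are constructed, and pairing on HostId is an assumption about the log layout.

```python
import re
from typing import Dict, List, Optional

# Key=Value lines of the Details block in an EID 400/403 message.
KV_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)

# HostName that PowerShell remoting sessions report; console sessions say ConsoleHost.
REMOTE_HOST_NAME = "ServerRemoteHost"


def parse_details(message: str) -> Dict[str, str]:
    return dict(KV_RE.findall(message))


def engine_major(version: str) -> Optional[int]:
    try:
        return int(version.split(".")[0])
    except ValueError:
        return None  # missing or malformed EngineVersion


def correlate_sessions(events: List[dict], min_engine_major: int = 5) -> List[dict]:
    """Pair each EID 400 (engine Available) with the EID 403 (engine Stopped) that
    carries the same HostId, giving one record per session with start/end plus
    two flags: downgrade (EngineVersion major below min_engine_major) and remote."""
    open_sessions: Dict[str, dict] = {}
    sessions: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        d = parse_details(ev["message"])
        host_id = d.get("HostId", "")
        if ev["event_id"] == 400:
            major = engine_major(d.get("EngineVersion", ""))
            open_sessions[host_id] = {
                "host_id": host_id,
                "start": ev["time"],
                "end": None,
                "engine_version": d.get("EngineVersion", ""),
                "host_name": d.get("HostName", ""),
                "remote": d.get("HostName", "") == REMOTE_HOST_NAME,
                "downgrade": major is not None and major < min_engine_major,
            }
        elif ev["event_id"] == 403 and host_id in open_sessions:
            s = open_sessions.pop(host_id)
            s["end"] = ev["time"]
            sessions.append(s)
    sessions.extend(open_sessions.values())  # started, no 403 yet: still running
    return sessions


def _msg(state_from: str, state_to: str, **details: str) -> str:
    """Build a constructed EID 400/403 message body in the Windows PowerShell log shape."""
    body = "\n".join(f"\t{k}={v}" for k, v in details.items())
    return f"Engine state is changed from {state_from} to {state_to}.\n\nDetails:\n{body}\n"


# Constructed sample: a local v2 engine that starts and stops, and a remoting
# session on the v5.1 engine that is still open.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T09:00:00", "event_id": 400, "message": _msg(
        "None", "Available", NewEngineState="Available", PreviousEngineState="None",
        HostName="ConsoleHost", HostId="11111111-2222-4333-8444-555555555555",
        HostApplication="powershell.exe -version 2 -NoProfile", EngineVersion="2.0")},
    {"time": "2024-05-02T09:02:10", "event_id": 403, "message": _msg(
        "Available", "Stopped", NewEngineState="Stopped", PreviousEngineState="Available",
        HostName="ConsoleHost", HostId="11111111-2222-4333-8444-555555555555",
        EngineVersion="2.0")},
    {"time": "2024-05-02T09:05:00", "event_id": 400, "message": _msg(
        "None", "Available", NewEngineState="Available", PreviousEngineState="None",
        HostName="ServerRemoteHost", HostId="66666666-7777-4888-8999-000000000000",
        HostApplication="wsmprovhost.exe -Embedding", EngineVersion="5.1.19041.1")},
]
```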

DS0012 | Script | Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for attempts to enable scripts on the system.

index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) CommandLine="*script*"
| rex field=CommandLine "(?<script_name>\S+\.(?:ps1|sh|py|rb|js|vbs))"
| search script_name IN ("*.ps1", "*.sh", "*.py", "*.rb", "*.js", "*.vbs")
| eval script_hour=tonumber(strftime(_time, "%H"))
| eval suspicious_script=if(like(script_name, "%.sh") AND (script_hour < 8 OR script_hour > 18), "Yes", "No")
| where suspicious_script="Yes"


T1083 - File and Directory Discovery


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009 | Process | OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

DS0009 | Process | Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.


T1497 - Virtualization/Sandbox Evasion


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 | Process | OS API Execution

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 | Process | Process Creation

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.


T1056 - Input Capture


ID | Data Source | Data Component | Detects

DS0027 | Driver | Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

DS0022 | File | File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0009 | Process | OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.[9]

DS0009 | Process | Process Creation

Monitor for newly executed processes conducting malicious activity.

DS0009 | Process | Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024 | Windows Registry | Windows Registry Key Modification

Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1105 - Ingress Tool Transfer


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022 | File | File Creation

Monitor for file creation and files transferred into the network.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts, or that create files on the system; either may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

DS0029 | Network Traffic | Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domains and IPs.

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Observed Countries (4)

BR (526)
ES (463)
IT (288)
RU (738)