Behind the CAPTCHA: A Clever Gateway of Malware – Source:www.mcafee.com

December 2, 2024
Post Author / Publisher: Mcafee Security

CISO2CISO post categories: 1 - Cyber Security News Post, Cyber Security News, Cyber Security News, McAfee Antivirus - Securing Tomorrow, McAfee Antivirus | Securing Tomorrow RSS Feed, McAfee Labs, rss-feed-post-generator-echo, rss-feeds-Autogenerated

Rate this post

Source: www.mcafee.com – Author: McAfee Labs.

Authored by Yashvi Shah and Aayush Tyagi

Executive summary

McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.

Figure 1: Prevalence on the field

We identified two infection vectors leading users to these fake CAPTCHA pages: one via cracked game download URLs, and the other through phishing emails. GitHub users have been targeted by phishing emails prompting them to address a fictitious “security vulnerability” in a project repository to which they have contributed or subscribed. These emails direct users to visit “github-scanner[.]com” for further information about the alleged security issue.

The ClickFix infection chain operates by deceiving users into clicking on buttons like “Verify you are a human” or “I am not a robot.” Once clicked, a malicious script is copied to the user’s clipboard. Users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method of trickery facilitates the infection process, making it easy for attackers to deploy malware.

Figure 2: Infection chain

Attack Vectors and Technical Analysis

As illustrated in the diagram, users are redirected to fake CAPTCHA pages through two main attack vectors:

1. Cracked Gaming Software Download URLs:

Users attempting to download pirated or cracked versions of gaming software are redirected to malicious CAPTCHA pages.

Figure 3: Search to download the cracked version of the game

When users search the Internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links.

Figure 4: Runkit directing the user to download the game

In this instance, a public Runkit notebook hosts the malicious link (highlighted in blue). When the user accesses the URL (highlighted in red), they are redirected to fake CAPTCHA websites.

Figure 5: Redirection happening while accessing the link

On this page, after the user clicks the “I’m not a robot” button, a malicious PowerShell script is copied to their clipboard, and they are prompted to execute it.

Figure 6: Backend script on the click button

The website includes JavaScript functionality that copies the script to the clipboard.

Figure 7: Decoded script

The script is Base64-encoded (highlighted in blue), to reduce the readability to the user. Upon decoding it (highlighted in red), mshta was found to be leveraged. The file hosted at https://verif.dlvideosfre[.]click/2ndhsoru contains a Windows binary, having scripts appended as the overlay. Without the overlay appended, the file is a clean Windows binary.

Figure 8: Windows binary with appended script

The mshta utility searches for the