Let's start with: what is CAPTCHA?
CAPTCHA is an acronym that stands for "Completely Automated Public Turing Test to tell Computers and Humans Apart" and is a type of challenge-response test used in computing to determine whether the user is human, and in doing so deter bot attacks and spam.
Everybody that uses the internet regularly will have received many of these challenges in the past and never encountered an issue. However, they can also be used with malicious intent. This activity is not isolated to malicious websites: in recent weeks we have seen an increase in legitimate sites that have been compromised to present a fake CAPTCHA screen to the end user.
The attacker's ultimate aim is to get unsuspecting users to fall for crafted CAPTCHA/verification error messages in order to infect their devices and exfiltrate data for a variety of purposes, which may include the theft of Bitcoin wallets, passwords, browsing history or personally identifiable information.
This initial access technique, first reported in 2024, is proliferating because of its efficacy and comes in different guises, with the end goal of installing malware on the user's asset. A large number of incidents report the LummaStealer malware as the payload, but this is not unique.
The process that the exploit followed in an incident identified by CND is detailed below:
After a short period of time browsing an infected website, the user receives a fake Cloudflare CAPTCHA screen asking them to verify that they are human. See Figure 1.
Upon checking the 'Verify you are human' box, a second pop-up screen is presented. See Figure 2.
This window encourages the user to click the "Fix It" button suggesting it will start Windows Defender and fix the issue.
Upon clicking the "Fix It" button, a third window is displayed that presents instructions for the user to complete. See Figure 3.
What has happened in the background on clicking the "Fix It" button is that a PowerShell script has been copied into the user's clipboard. PowerShell is a powerful command line tool and scripting language for managing and automating tasks; we shall return to the script in a moment.
Figure 3 shows the user being asked to complete the following key combination to complete the fix: Windows + R, then Ctrl + V, followed by Enter. Windows + R opens the 'Run' box and Ctrl + V pastes the PowerShell script that was placed in the clipboard by hitting the "Fix It" button. The user then executes the PowerShell command by pressing Enter.
The PowerShell script could be anything that the attacker has written, but in recent weeks the script retrieves a malicious file from another website, which is downloaded and installed on the user's asset.
Because the user initiates this activity by following the key combination from Figure 3, it bypasses web browser controls which might otherwise have prevented the download from occurring.
This attack downloads and installs legitimate tools alongside malicious files as part of the infection process. The malware installation also includes a persistence technique that ensures the files are run every time the machine is restarted.
The files are predominantly installed and run in the C:\Users\<Username>\AppData\Local directories, although other files were installed in Temp folders. CND observed the malicious payload creating and storing a .lnk file in the user's Startup folder.
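The two host artefacts described above (a command pasted into the Run dialog, and a .lnk dropped into the Startup folder) can be triaged quickly on a suspect machine. The script below is an added example for this write-up, not CND's own tooling: it reads the RunMRU registry key, where Windows keeps the history of commands entered into the Run box, and lists Startup-folder shortcuts whose target points into AppData\Local or a Temp folder. The pattern list is an assumption for illustration and should be tuned to your environment; run it as the affected user on the host being examined.

```powershell
# Added example (not CND's code): triage a host for ClickFix-style artefacts.
# 1) RunMRU holds the Run-dialog (Win+R) history for the current user.
# 2) Startup-folder .lnk files provide the restart persistence described above.

# Strings that would be unusual in a normal user's Run history (assumed list).
$SuspiciousPatterns = @(
    'powershell',                                    # Run box launching PowerShell at all
    '-enc', '-e ',                                   # encoded-command switches
    'iwr', 'invoke-webrequest', 'downloadstring', 'iex',   # download-and-run idioms
    'mshta', 'curl ', 'bitsadmin'
)

function Test-SuspiciousRunEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # RunMRU values carry a trailing "\1" marker; strip it before matching.
    $clean = ($Entry -replace '\\1$', '').ToLowerInvariant()
    foreach ($p in $SuspiciousPatterns) {
        if ($clean.Contains($p)) { return $true }
    }
    return $false
}

function Get-RunMruFindings {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # MRUList orders the single-letter value names, most recent first.
    $order = ([string]$props.MRUList).ToCharArray()
    $findings = foreach ($letter in $order) {
        $name = [string]$letter
        $val  = $props.$name
        if ($val -and (Test-SuspiciousRunEntry -Entry $val)) {
            [pscustomobject]@{ Source = 'RunMRU'; Detail = ($val -replace '\\1$', '') }
        }
    }
    return @($findings)
}

function Get-StartupShortcutFindings {
    $startup = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
    $shell   = New-Object -ComObject WScript.Shell
    $findings = Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            # Flag shortcuts whose target lives where this campaign drops its files.
            if ($target -match 'AppData\\Local|\\Temp\\') {
                [pscustomobject]@{ Source = 'Startup .lnk'; Detail = "$($_.Name) -> $target" }
            }
        }
    return @($findings)
}

$results = @(Get-RunMruFindings) + @(Get-StartupShortcutFindings)
if ($results.Count -eq 0) {
    Write-Host 'No ClickFix-style artefacts found for the current user.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit in RunMRU is strong evidence that the key sequence in Figure 3 was actually completed, which is useful when deciding whether a reported pop-up became an infection. Startup shortcuts pointing into AppData\Local or Temp are not always malicious, so treat that list as a lead to resolve, not a verdict.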
Mitigation of this type of threat starts with user training. Ensuring staff are aware of the threat increases their understanding of this type of attack and minimises the likelihood that they would be enticed to complete the keyboard instructions necessary for this attack to be successful.
Additionally, it is advised that browser history retention is minimised where possible to limit the amount of data that could be exfiltrated. Removing the ability to access the 'Run' dialog box and the 'cmd' prompt is also recommended, to prevent this attack from deceiving users into unintentionally executing the PowerShell command.
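The Run-dialog and command-prompt restrictions recommended above correspond to two user-level Group Policy settings, "Remove Run menu from Start Menu" and "Prevent access to the command prompt". The script below is an added example, not CND's own configuration: it shows the registry values those policies write, reports each setting's current state beside the desired one, and optionally applies them on a standalone host. In a domain these should be set through GPO rather than per machine.

```powershell
# Added example (not CND's code): audit and apply the two hardening policies.
# Values map to the Group Policy settings named in the lead-in.
param([switch]$Apply)   # run without -Apply to audit only

$Policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun';      Value = 1
       Note = '1 = Run dialog (Win+R) removed' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Value = 2
       Note = '2 = interactive cmd.exe blocked, batch scripts still allowed (1 blocks both)' }
)

function Get-PolicyState {
    param([hashtable]$Policy)
    # Absent value means the policy is not configured: the weak default.
    $current = $null
    if (Test-Path $Policy.Path) {
        $item = Get-ItemProperty -Path $Policy.Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.($Policy.Name)) { $current = [int]$item.($Policy.Name) }
    }
    [pscustomobject]@{
        Name      = $Policy.Name
        Current   = if ($null -eq $current) { 'not configured' } else { $current }
        Desired   = $Policy.Value
        Compliant = ($current -eq $Policy.Value)
        Meaning   = $Policy.Note
    }
}

function Set-PolicyValue {
    param([hashtable]$Policy)
    if (-not (Test-Path $Policy.Path)) { New-Item -Path $Policy.Path -Force | Out-Null }
    New-ItemProperty -Path $Policy.Path -Name $Policy.Name -Value $Policy.Value `
                     -PropertyType DWord -Force | Out-Null
}

# Audit: show weak (not configured) next to corrected (desired) for each policy.
$before = $Policies | ForEach-Object { Get-PolicyState -Policy $_ }
$before | Format-Table Name, Current, Desired, Compliant, Meaning -AutoSize

if ($Apply) {
    foreach ($p in $Policies) {
        if (-not (Get-PolicyState -Policy $p).Compliant) { Set-PolicyValue -Policy $p }
    }
    Write-Host 'Policies applied; sign out and back in for Explorer to honour NoRun.'
    $Policies | ForEach-Object { Get-PolicyState -Policy $_ } | Format-Table Name, Current, Compliant -AutoSize
}
```

NoRun removes the Win+R dialog that the Figure 3 instructions depend on, and DisableCMD closes the obvious fallback, but neither stops PowerShell itself from running, so these settings complement the user-awareness training above rather than replace it. Check the audit output on a representative workstation before rolling the change out, since some line-of-business workflows still rely on the Run box.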
In the event that the attack was successful, the asset should be removed from the network at the earliest opportunity. As the payload downloaded by the PowerShell command may differ from attacker to attacker, analysis of the asset's logs is imperative to identify the malware's follow-on TTPs.
Where possible, a full forensic investigation of the infected asset should be considered, to identify the extent of any data breach and whether the breach involves data that would necessitate disclosure to the relevant authorities.
Any Indicators of Compromise identified through the investigation process, such as Command & Control IP addresses or URLs, should be considered for inclusion in any monitoring and identification processes you have on site. Consideration should also be given to releasing this information to the OSINT community.
The affected user should change all of their passwords regardless of whether they are stored in the browser or a password manager.
Finally, before the asset is reintroduced to the network, it should be flattened and rebuilt with a fresh image. The level at which the device is wiped depends on a multitude of factors such as the type of malware initially installed, the level of persistence introduced, etc.
Upon reintroduction of the new user asset, the user's account may require enhanced monitoring for a period of time to ensure that any details stolen by the attacker are not used to regain access to the account.
In conclusion, a simple yet effective tactic is gaining popularity amongst threat actors targeting unsuspecting users. This initial access type allows threat actors to install their malware and carry out nefarious activities that may bypass existing security measures. Educating users about this threat type is imperative to enhance the security of your network.