Phony CAPTCHA checks trick targets to download malware – Go Health Pro

Threat actors are increasingly looking to trick targets into infecting themselves with malware via phony CAPTCHA checks.

HP Wolf said in its quarterly Threat Insight Report that attackers are more reliant on the phony checks as a method for tricking their targets into downloading and running malware that can serve as a foothold for larger-scale network intrusions and ransomware attacks.

Designed to separate genuine users from scripted bots, CAPTCHA tests have become routine for most end users when logging into a new service or returning after a long absence. It is this familiarity that allows threat actors to turn a supposed CAPTCHA check into an opportunity to install malware.

In the attack, the user is shown a phony test with instructions to open the Windows Run dialog and paste in a command that tells the system to download and execute a trojan. From there, the attacker establishes a link with a command-and-control server and pivots to other systems on the network.

The attack is effective not only because it plays on the user's complacency around completing CAPTCHA tests, but also because a command entered by an authorized, logged-in user looks like ordinary interactive activity and is far more likely to evade anti-malware protections than a file the user is asked to download and open.

"We've seen attackers rely on cloud hosting providers that give away free credits to new users — providing, in many cases, enough resources to run a malware campaign," the HP researchers said. "Hosting on legitimate cloud hosting services helps attackers circumvent detection because the IP addresses and domains are often reputable, enabling threat actors to bypass network security like web proxies that rely on web reputation."

In one observed attack, the HP Wolf team saw threat actors use the guise of a CAPTCHA test to trick users into copying and pasting a PowerShell script that proceeded to download and execute the malware payload without triggering any alerts from security tools.

HP Wolf researchers are not the only security team to spot attacks that prey on users via phony CAPTCHA tests. Earlier this month, researchers with Microsoft published a report on an ongoing attack against hospitality companies that used a similar tactic to dupe targets into infecting themselves with information-stealing malware, a tactic the Microsoft researchers refer to as "ClickFix."

In any case, administrators are advised to guard against such attacks by limiting the ability of end-user accounts to paste and execute arbitrary commands in Windows, for example by removing access to the Run dialog, unless it is absolutely necessary for their work.

"To mitigate fake CAPTCHA social engineering attacks, HP Sure Click Enterprise customers can configure their deployments to disable clipboard sharing," HP Wolf said. "More generally, if users do not need access to the Windows Run prompt, administrators can disable this feature through Group Policy."
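The two practical points above, that the lure is executed through the Run dialog and that Group Policy can remove that dialog, can both be checked on a host. The script below is an added example written for this page; it is not code from HP Wolf, Microsoft or the article. It assumes two well-known registry locations: the Run dialog's history under `HKCU:\...\Explorer\RunMRU` (one REG_SZ per entry, data ending in `\1`, ordered by the `MRUList` value), and the "Remove Run menu from Start Menu" policy stored as `NoRun=1` under `HKCU:\...\Policies\Explorer`. The keyword list used to flag entries is illustrative, not a vetted detection signature.

```powershell
# Added example (not from HP Wolf or the article): triage a Windows host for
# ClickFix-style "paste this into Run" activity and check the Group Policy mitigation.
# Read-only: it changes nothing. Run in the context of the user being examined.

# 1. The Run dialog keeps a history in RunMRU. Each slot (a, b, c, ...) is a REG_SZ
#    whose data ends in "\1"; the MRUList value lists slots most-recent-first.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Illustrative markers of a fake-CAPTCHA command: a script launcher plus a
# download cradle, a hidden window or an encoded command. Extend as needed.
$suspicious = @(
    'powershell', 'pwsh', 'mshta', 'cmd\s+/c', 'wscript', 'cscript', 'certutil', 'bitsadmin',
    '-enc(odedcommand)?', '-w(indowstyle)?\s+hidden', '-nop', 'iex', 'invoke-expression',
    'iwr', 'irm', 'invoke-webrequest', 'invoke-restmethod', 'downloadstring', 'https?://'
)
$regex = $suspicious -join '|'

function Get-RunMruEntries {
    # Returns one object per Run-dialog history entry, most recent first.
    if (-not (Test-Path $runMru)) { return @() }
    $key   = Get-Item $runMru
    $order = $key.GetValue('MRUList') -as [string]
    if (-not $order) {
        # No MRUList: fall back to whatever slots exist, in registry order.
        $order = ($key.GetValueNames() | Where-Object { $_ -ne 'MRUList' }) -join ''
    }
    foreach ($slot in $order.ToCharArray()) {
        $raw = $key.GetValue([string]$slot) -as [string]
        if ($null -eq $raw) { continue }
        [pscustomobject]@{
            Slot    = [string]$slot
            Command = ($raw -replace '\\1$', '')   # strip the trailing "\1" marker
        }
    }
}

$hits = Get-RunMruEntries | Where-Object { $_.Command -imatch $regex }
if ($hits) {
    Write-Host 'Suspicious Run-dialog history (most recent first):' -ForegroundColor Yellow
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No ClickFix-style commands found in RunMRU.'
}

# 2. Is the Group Policy mitigation in force? "Remove Run menu from Start Menu"
#    (User Configuration > Administrative Templates > Start Menu and Taskbar)
#    writes NoRun=1 under the per-user Explorer policies key.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noRun = (Get-ItemProperty -Path $policyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
if ($noRun -eq 1) {
    Write-Host 'Run dialog: disabled by policy (NoRun=1).' -ForegroundColor Green
} else {
    Write-Host 'Run dialog: available to this user (NoRun not set).' -ForegroundColor Yellow
}
```

An empty RunMRU on a user who normally never touches Win+R, followed by a single `powershell -w hidden ...` entry, is exactly the footprint the HP report describes, and the key is worth collecting alongside PowerShell and process-creation logs during triage. Note that `NoRun` only removes one paste target: the same command pasted into a PowerShell window, a terminal or the File Explorer address bar still runs, so the policy is a reduction of attack surface rather than a complete control.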
