FOCUS MODE
EXTRACT IOC
Threat Research

Fake CAPTCHA Malware Campaign: How Cybercriminals Use Deceptive Verifications to Distribute Malware

Cyfirma
Fake CAPTCHA Malware Campaign: How Cybercriminals Use Deceptive Verifications to Distribute Malware
The rise of the “ClickFix” technique has enabled cybercriminals to exploit fake CAPTCHA verification processes, facilitating sophisticated phishing and malware distribution campaigns. Through deceptive methods, such as mimicking legitimate security checks, threat actors can deliver malware like Lumma Stealer, steal sensitive information, and bypass security measures. Thus, users must remain vigilant against such attacks. Affected: Users, Organizations, Cybersecurity Sector

Keypoints :

  • Cybercriminals are using fake CAPTCHA pages to execute phishing and malware campaigns.
  • The technique, named “ClickFix,” exploits the user’s trust in legitimate CAPTCHA systems.
  • Lumma Stealer malware is using this method to deceive users and deploy malicious payloads.
  • Attackers use social engineering and browser-based exploits to bypass traditional security defenses.
  • The PowerShell script used in the attack fetches and runs malicious payloads from external servers.
  • Lumma Stealer targets sensitive browser data, including credentials, cryptocurrency assets, credit card information, and 2FA data.
  • Users are advised to exercise caution when interacting with unexpected CAPTCHA prompts.
  • Education and advanced security measures are necessary to mitigate these attacks.

MITRE Techniques :

  • Initial Access: T1566.001 – Phishing: Spear Phishing Attachment: Using phishing to access users.
  • Execution: T1059.001 – Command and Scripting Interpreter: PowerShell: Utilizing PowerShell scripts to execute malicious code.
  • Persistence: T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Maintaining persistence through registry modifications.
  • Privilege Escalation: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Access Control: Bypassing User Access Control to gain elevated privileges.
  • Defense Evasion: T1027 – Obfuscated Files or Information: Hiding malicious activities to evade detection.
  • Defense Evasion: T1070.004 – Indicator: File Deletion: Deleting files to cover tracks.
  • Credential Access: T1555 – Credentials from Password Stores: Extracting credentials stored in browsers.
  • Credential Access: T1557.001 – Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay: Exploiting network protocols for credential theft.
  • Discovery: T1083 – File and Directory Discovery: Discovering file and directory structures for sensitive information.
  • Collection: T1114 – Email Collection: Gathering user email information.
  • Collection: T1560.001 – Archive Collected Data: Archive via Utility: Archiving stolen data.
  • Exfiltration: T1567.002 – Exfiltration to Cloud Storage: Sending stolen data to external cloud services.
  • Impact: T1490 – Inhibit System Recovery: Preventing system recovery options as an impact of the attack.

Indicator of Compromise :

  • [URL] hXXps[:]//inf-human[.]com/cf/verify/7362731/check
  • [Domain] pepegich[.]live
  • [Domain] inf-human[.]com
  • [Domain] dreter-bio[.]com
  • [SHA256] 891d0f865aeb0d2f3bb5b80aee858b9446b1a17f96fcbabe5984c815c8f6e9cd


Full Story: https://www.cyfirma.com/research/fake-captcha-malware-campaign-how-cybercriminals-use-deceptive-verifications-to-distribute-malware/

Tags: FINANCIAL, COLLECTION, BROWSER, PASSWORD, INITIAL ACCESS, EXFILTRATION, CLOUD, PRIVILEGE