Crypto Alert: Fake CAPTCHA Verification Leads to Dangerous Malware Infection
Fake CAPTCHA web pages are another way to fool crypto investors, and they have tricked thousands of users. The pages push users into pasting malware-laced commands into Windows, giving scammers a path into their crypto accounts.
Author: News Room

Cybersecurity analysts in New Jersey have flagged a concerning malware scheme this week, targeting government employees with deceptive CAPTCHA challenges. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) reported on March 20 that attackers are sending emails to state workers, directing them to fraudulent or compromised websites disguised as security checks.
Fake CAPTCHA Pages Trick Users
These emails contain links that lead to malicious websites showing fake CAPTCHA verification pages. These deceptive challenges are cleverly designed to mislead users and prompt them into running dangerous commands. The goal of the attackers is to secretly install the SectopRAT infostealer onto the victim’s system. What makes this attack more dangerous is how convincing the fake CAPTCHA pages appear, making users believe they are simply completing a standard security step.
The Clipboard Trick and Windows Run Exploit
The attackers used a sneaky clipboard-based trick that hid their true intentions. Victims who clicked the malicious link were redirected to a spoofed CAPTCHA page that silently copied a command to the clipboard. The page then asked them to paste the command into the Windows Run dialogue box, all under the guise of a verification process. The last line of the copied text read like a simple message, “I am not a robot – reCAPTCHA Verification ID: ####”, but running the command launched mshta.exe, a legitimate Windows tool that the attackers abused to fetch and run malware, disguised as common file types, from remote servers.
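Detection logic for the chain described above, added here as an example and not taken from NJCCIC or this article: it scores process-creation events for mshta.exe started with a remote location, CAPTCHA lure text in the command line, and explorer.exe (which hosts the Run dialogue) as parent. The event field names, host names and command lines are constructed assumptions modelled on Sysmon-style process-creation logs.

```python
import re

# Lure phrases come from the message quoted in the article.
LURE = re.compile(r"i am not a robot|captcha verification", re.I)
# A URL or UNC path means mshta.exe is being pointed at content on another machine.
REMOTE = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def score_event(event):
    """Return the reasons a process-creation event resembles the fake-CAPTCHA paste."""
    if basename(event.get("image", "")) != "mshta.exe":
        return []
    reasons = []
    cmd = event.get("command_line", "")
    if REMOTE.search(cmd):
        reasons.append("mshta.exe pointed at a remote location")
    if LURE.search(cmd):
        reasons.append("CAPTCHA lure text in command line")
    if basename(event.get("parent_image", "")) == "explorer.exe":
        reasons.append("parent is explorer.exe (Run dialogue or shell launch)")
    return reasons

def triage(events, threshold=2):
    """Hosts whose events match at least `threshold` indicators, with the reasons."""
    return [(e["host"], r) for e in events if len(r := score_event(e)) >= threshold]

# Constructed sample events (hypothetical hosts, reserved .invalid domain).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe https://media.example.invalid/clip.mp4 "
                     "# I am not a robot - reCAPTCHA Verification ID: 0000"},
    {"host": "WS-022", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"host": "WS-031", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

Requiring two indicators keeps a locally installed .hta helper opened from the desktop from alerting on the explorer.exe parent alone.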
Compromised Websites and Supply Chain Risk
Further analysis by NJCCIC revealed that the websites used in this campaign were compromised and built on widely used technologies, including the WordPress Content Management System (CMS) and common JavaScript libraries.
The attackers didn’t stop there. Investigators also discovered a supply chain component targeting auto dealership websites through a compromised video service. This meant that even visitors to these infected dealership websites were at risk of unknowingly downloading the same infostealer.
Related Malware Campaigns and Security Recommendations
Researchers also detected other campaigns delivering different malware, such as the Lumma and Vidar infostealers and rootkits with stealth capabilities. The attacks highlight how threat actors continue to come up with new attack patterns and underhanded techniques to hijack devices and steal sensitive data. Users should be made aware that legitimate CAPTCHA verification tests never ask them to copy commands into a Windows Run dialogue box.
Officials strongly advise system administrators to update all software regularly, protect CMS platform credentials, and report suspicious activity to the FBI’s Internet Crime Complaint Center and NJCCIC.
This incident is a reminder that even the smallest security measures, like CAPTCHAs, can lead you into traps. Staying alert, being suspicious of odd instructions, and following good cybersecurity practices are needed to avoid falling victim to such sophisticated attacks.