FAKE CAPTCHA MALWARE EXPLOITS WINDOWS USERS TO RUN POWERSHELL COMMANDS
In early February 2025, Trustwave SpiderLabs uncovered a new wave of malicious activity targeting Windows users. This campaign uses deceptive CAPTCHA prompts to deliver malware, leading users into executing PowerShell commands as part of a sophisticated multi-stage attack. The ultimate goal of these attacks is to deploy infostealer malware, such as Lumma and Vidar, which exfiltrate sensitive data and ensure persistence on infected systems.
The Attack Chain: How It Works
The attack begins when users encounter a fake CAPTCHA prompt on compromised websites. Instead of verifying the user’s identity, this CAPTCHA triggers a PowerShell script designed to download and execute further malicious payloads. This triggers a multi-stage process, which eventually leads to the deployment of infostealers that are capable of extracting credentials and other sensitive information.
Technical Breakdown: How the Attack Unfolds
The attackers use a complex series of techniques to execute their malicious payloads and evade detection. Here’s a step-by-step look at the attack chain:
- Fake CAPTCHA Prompt:
The user is prompted with a fake CAPTCHA verification, which is actually a trick to initiate the execution of a malicious PowerShell script. - PowerShell Command Execution:
The initial PowerShell command leverages mshta to retrieve and execute a remote HTA (HTML Application) file. This file, in turn, triggers another PowerShell script to continue the malicious process. - Decryption of Further Payloads:
The script decrypts additional commands, executing a series of obfuscated steps to deploy the final payload infostealer malware. The decryption process involves multiple layers, including Base64 decoding and XOR operations to hide malicious URLs and commands from security tools.
Evasion Techniques and Payload Delivery
The attackers employ a variety of tactics to evade detection and improve the likelihood of a successful attack:
- Obfuscation Techniques:
The malicious PowerShell script is often obfuscated, with large file sizes to evade sandbox analysis. The script is broken into multiple stages, each of which hides its true intent from security solutions. - Bypassing Security Tools:
To further evade detection, the malware uses the .NET Marshal class to decrypt SecureString data, allowing the malware to perform sensitive operations without triggering security alarms. It also bypasses PowerShell execution policies and retrieves malicious payloads from various sources. - XOR Encryption:
To ensure the payload remains hidden, the decryption process uses an XOR key stored in a variable, making it difficult for security tools to identify the malicious script as it passes through multiple stages.
The Final Payload: Infostealers and Backdoors
At the final stage, the malware delivers a combination of Lumma Stealer and Vidar Stealer, both of which are capable of extracting sensitive information, such as credentials and other personal data, from the infected system.
Additionally, a Golang-based backdoor called HijackLoader is deployed through a malicious software package disguised as “TiVo Desktop.” The package is approximately 700MB in size, likely intended to evade antivirus software by inflating its size.
Advanced Defense Evasion Tactics:
To ensure persistence and avoid detection, attackers employ tactics such as disabling event logging, renaming system utilities, and hiding execution windows.
What You Can Do: Mitigation and Protection
As this threat remains active, organizations should:
- Remain cautious of deceptive CAPTCHA prompts and other similar social engineering tactics.
- Implement robust security measures such as endpoint detection and response (EDR) systems and advanced malware protection.
- Employ network-level defenses to detect unusual activity, such as PowerShell command execution or suspicious file downloads.
- Regularly update and patch systems to close vulnerabilities that could be exploited by attackers.
Stay Safe, Stay Vigilant
As the cybersecurity landscape continues to evolve, it is critical for organizations to remain proactive in defending against sophisticated, multi-stage attacks like this one. By staying informed and implementing comprehensive security measures, businesses can better protect themselves from increasingly complex threats.
For more cybersecurity insights, follow our CyberTea series and keep your defenses strong against the latest threats.
