ReliaQuest reveals increase in malware via fake CAPTCHA pages

ReliaQuest has published a research report highlighting the increase in malicious campaigns that use fake CAPTCHA pages for malware distribution.

From October to early December 2024, ReliaQuest customers reported nearly double the number of fake CAPTCHA websites compared to the previous month, September. This rise was potentially caused by the public availability of the templates used in these campaigns, which provided threat actors with easy access to copy the tactics.

The research identified malware campaigns using fake CAPTCHA pages that mimic services such as Google and CloudFlare, which trick users into executing commands via the Windows Run prompt. This typically results in the installation of information stealers and remote-access trojans (RATs) that can steal sensitive data and provide ongoing access to the compromised systems.

"Cyber adversaries are constantly inventing new ways to outsmart defences and exploit unsuspecting users," remarked a ReliaQuest representative in the report. "The rapid proliferation of these tools underscores the need for timely and adaptive defensive measures."

To aid in preventing these attacks, ReliaQuest suggests organisations educate employees about the risks of fake CAPTCHAs and implement detection strategies to block known indicators of compromise.

The report also documents how attackers employ these tactics, indicating that the process begins with redirecting users to a fake CAPTCHA page that mimetically resembles trusted CAPTCHA services. Users unwittingly copy and paste a malicious command into a Windows Run prompt, leading to malware installation.

One noted case study involved a retail trade customer encountering a fake CAPTCHA that was being used to facilitate the downloading of harmful files, using tools such as MSHTA.exe to discreetly handle the subsequent stages of the infection.

In response to these threats, ReliaQuest detailed how their GreyMatter platform detected and isolated the affected system. A series of automated responses including session revocation and IOC blocking were executed to contain the threat.

Highlighting the threat's persistence, ReliaQuest noted that targeted training should empower users to recognise malicious activities, such as when websites prompt unexpected command execution. Additionally, restricting certain browser functions and enabling safer scripting modes can bolster defenses against these threats.

The report also emphasised the growing sophistication of the campaigns, pointing out that advanced threat actors, including groups like APT28, have begun employing similar strategies to those used traditionally by lower-tier cybercriminals, indicating the tactic's effectiveness.

ReliaQuest continues to monitor these evolving threats, homing in on the methods of attack delivery. They utilise pre-established detection rules to identify common malware delivery techniques even as fake CAPTCHA methods adapt and refine.

The report concludes by projecting that threat actors will continue developing their CAPTCHA-targeting strategies, presenting a significant risk. Emphasising a layered security strategy, ReliaQuest urges organisations to adopt multiple security measures to stave off these advancing threats and maintain a resilient security posture.