How hackers use CAPTCHA to evade automated detection
CAPTCHA seems to be everywhere we look. These sloppy characters are on blogs, ticket websites, shopping portals — you name it. Those cars you need to spot in a block of images before you can access a website? That’s CAPTCHA too. CAPTCHA was invented to help sites distinguish human users from bots and automated hacking tools. But little did its creators know that cybercriminals would one day be leveraging it to bypass automated detection.

Microsoft recently announced that its Security Intelligence team had identified a malicious Excel campaign involving CAPTCHA. As per the company’s statement, the cybercriminal group CHIMBORAZO is distributing infected Excel documents that redirect users to a Cloudflare DDoS protection page featuring Google reCAPTCHA. Solving the CAPTCHA puzzle downloads a malicious .xls/.xlsm file, which in turn infects the victim’s computer with the password-stealing GraceWire Trojan.

CAPTCHA Excel malware named Campaign Dudear

Microsoft said that the company has been tracking Chimborazo’s activities since January 2020. The group behind the Dudear campaigns, which involve info-stealing HTML redirectors, is now using advanced methods to evade detection. Requiring users to complete a CAPTCHA allows the attackers to bypass the automated analysis that security programs use to identify and block attacks.

Typically, email virus detectors examine files for exploitable code, drivers, libraries and the like as soon as they are first clicked. Other programs collect malware samples and execute them in virtual machines for thorough analysis. But a CAPTCHA gate means the analysis can only be done after the user has solved the puzzle and downloaded the malicious file. So the automated analysis gets put on the back burner, increasing the odds of the exploitable code escaping detection and helping adversaries deploy GraceWire.
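Because the sandbox never gets past the CAPTCHA page, the payload has to be caught on the network or the endpoint instead. The Python below is an added example (not code from the original post, from Microsoft or from Infosec Resources) of a hunting heuristic over web-proxy telemetry: for each client it looks for a response flagged as containing a reCAPTCHA widget that is followed, within a short window, by a spreadsheet download, and raises the severity when an Office process started the web chain. The log format, the `captcha` flag (assumed to be set by the proxy's content inspection), the originating-process field and every log line are constructed for this example and are not indicators from the campaign.

```python
"""Hunt for CAPTCHA-gated spreadsheet downloads in proxy logs (added example).

Assumed (constructed) log schema, one space-separated record per line:
    <ISO-8601 UTC timestamp> <client ip> <originating process> <url> <content-type> <captcha|->
The trailing flag is assumed to be written by the proxy when a response body
contained a reCAPTCHA widget. Adapt the parser to your real proxy schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample telemetry (not real indicators). example.invalid is a reserved TLD.
SAMPLE_LOG = """\
2020-07-01T10:00:01Z 10.1.2.3 excel.exe http://example.invalid/doc/open text/html -
2020-07-01T10:00:05Z 10.1.2.3 browser http://example.invalid/cdn-cgi/challenge text/html captcha
2020-07-01T10:00:40Z 10.1.2.3 browser http://example.invalid/get/invoice.xlsm application/vnd.ms-excel.sheet.macroEnabled.12 -
2020-07-01T11:00:00Z 10.1.2.9 browser http://shop.invalid/login text/html captcha
2020-07-01T11:30:00Z 10.1.2.9 browser http://shop.invalid/account text/html -
2020-07-01T12:00:00Z 10.1.2.7 browser http://files.invalid/verify text/html captcha
2020-07-01T12:20:00Z 10.1.2.7 browser http://files.invalid/report.xls application/vnd.ms-excel -
2020-07-01T13:00:00Z 10.1.2.5 browser http://portal.invalid/gate text/html captcha
2020-07-01T13:01:00Z 10.1.2.5 browser http://portal.invalid/export?id=7 application/vnd.openxmlformats-officedocument.spreadsheetml.sheet -
"""


class Event(NamedTuple):
    ts: datetime
    client: str
    process: str
    url: str
    content_type: str
    captcha: bool


LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<process>\S+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<flag>captcha|-)$"
)

# Real Excel MIME types; extensions taken from the campaign description (.xls/.xlsm) plus .xlsx.
EXCEL_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
EXCEL_EXT_RE = re.compile(r"\.xls[mx]?(?:\?|$)", re.IGNORECASE)
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumed process names
WINDOW = timedelta(minutes=5)  # tune to your environment


def parse_log(text: str) -> List[Event]:
    """Parse the constructed schema; malformed lines are skipped rather than crashing the hunt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        events.append(Event(
            ts=datetime.strptime(g["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            client=g["client"], process=g["process"], url=g["url"],
            content_type=g["ctype"], captcha=(g["flag"] == "captcha"),
        ))
    return events


def is_excel_download(ev: Event) -> bool:
    return ev.content_type.lower() in EXCEL_TYPES or bool(EXCEL_EXT_RE.search(ev.url))


def find_captcha_gated_downloads(events: List[Event]) -> List[Dict[str, object]]:
    """Return one alert per (captcha page -> spreadsheet download) pair seen within WINDOW."""
    by_client: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_client[ev.client].append(ev)

    alerts = []
    for client, evs in by_client.items():
        last_captcha = None   # most recent unconsumed CAPTCHA page for this client
        last_office = None    # time an Office process last made a web request
        for ev in evs:
            if ev.process.lower() in OFFICE_PROCESSES:
                last_office = ev.ts
            if ev.captcha:
                last_captcha = ev
                continue
            if last_captcha and is_excel_download(ev) and ev.ts - last_captcha.ts <= WINDOW:
                # A document-originated request shortly before the CAPTCHA matches the
                # Excel -> redirector -> CAPTCHA -> .xls/.xlsm chain, so rank it higher.
                office_chain = last_office is not None and last_captcha.ts - last_office <= WINDOW
                alerts.append({
                    "client": client,
                    "captcha_url": last_captcha.url,
                    "download_url": ev.url,
                    "seconds_after_captcha": int((ev.ts - last_captcha.ts).total_seconds()),
                    "severity": "high" if office_chain else "medium",
                })
                last_captcha = None  # consume so one page does not alert repeatedly
    return alerts


if __name__ == "__main__":
    for alert in find_captcha_gated_downloads(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is it flags two of the four constructed clients: the Excel-initiated chain as high severity and the browser-only one as medium, while the download twenty minutes after a CAPTCHA and the client that never downloaded anything stay quiet. The medium tier exists precisely because many legitimate sites put a CAPTCHA in front of a spreadsheet export; the value of the heuristic is in the correlation with an Office process and in triaging the downloaded file, not in treating every hit as an infection.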

Microsoft dubbed the ongoing CAPTCHA Excel campaign Dudear, as it is part of a larger phishing campaign aiming to deliver the GraceWire payload onto users’ systems.

Adversaries

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: