Security operations · 4 MIN READ · AARON WALTON · OCT 17, 2024 · TAGS: MDR
TL;DR
This is a summary of what you’ll find in each blog in this series:
- Volume I: Q3 by the numbers
- Volume II: CAPTCHA trick or treat. We look at the rising fad of using CAPTCHAs and fake error messages to trick users into executing malicious code on their own devices.
- Volume III: Malware trends. Infostealer malware—specifically Lumma—is trending, so we discuss recommendations.
- Volume IV: Identity trends. Phishing-as-a-service (PhaaS) continues to rise in popularity; we offer recommendations to detect their use.
- Volume V: Spotlight—preparing for software supply chain risks. We look at risks that exist now (and into the future) that need addressed to ensure a secure software supply chain.
Trick or treat!
Over the last quarter, we’ve observed an increasingly popular social engineering tactic that malware distributors use to trick users into infecting their own computers. A user receives a pop-up instructing them to take action by running commands to fix a browser issue, or perform actions to complete a CAPTCHA. The webpage provides the user with a malicious script to run and instructs them on how to run it, but the script given to the user is usually capable of retrieving additional content to execute.
Leaving the light on
The tactic was discussed in depth in March by Proofpoint. The threat actor installs a pop-up on compromised websites, so when a potential victim visits, the user receives a message claiming that they need to run attacker-supplied code to fix an error with their browser (that doesn’t actually exist).
Since that tactic started being used in March, other cybercriminals have started to use it too. It’s becoming a trend that we expect to see more of in the future. The tactic is becoming popular because, unlike other infection vectors, it doesn’t require a vulnerability but instead relies on tricking users and abusing weak security settings.
Something for the sports fans
The fake CAPTCHA version of this scheme is shown below, and it was found while visiting a sketchy sports-streaming website, where impatient victims are more likely to run code to start watching games faster.
In this fake CAPTCHA scheme, the webpage automatically places content to the user’s clipboard without asking for permission. It then instructs the user to perform the following actions:
- Launch the Windows Run program by pressing the Windows-key+R combination.
- Paste the clipboard content with the CTRL+V key combo.
- Run the pasted code by pressing the enter key.
In these instances, the script is a short line of base64-encoded PowerShell, designed to reach out and collect an additional script from the attacker’s infrastructure. Most frequently, we observe this tactic being used to download and execute infostealer malware. This campaign was documented in depth by Orange CyberSecurity.
Sent to inbox
We’ve also observed multiple actors attempting to send a similar lure to their targets’ inboxes. The tactic was covered by John Hammond, so cybercriminals leveraged his proof-of-concept on a malicious website they named “github-scanner[.]com.” After creating the website, the criminals opened comments on GitHub repositories claiming that a problem needed to be addressed and more information could be found on their website.
The attacker then deleted the comments on GitHub knowing that by default, comments on a repository will send the owner emails with the content of the comment. Visitors to the website would be met by a similar captcha as the one above. If the fake captcha on github-scanner[.]com was completed, the victim would unknowingly receive and execute an infostealer malware.
For all ages
Cybercriminals with long-running email campaigns are joining the fad, too. On September 23, an HTML file was uploaded to the public malware repository MalwareBazaar. When opened, the HTML attachment is designed to show a webpage with an image of Microsoft Word in the background, and a popup designed to look like an error message.
Like the CAPTCHA page, this HTML document will also put a malicious script into the user’s clipboard for them to execute as instructed. In this instance, the payload will download and execute a Dynamic Link Library (DLL), loading a Brute Ratel malware implant and Lactrodectus initial access malware. The actor deploying this malware is known for selling access to ransomware gangs.
Treats, no tricks
Browsers shouldn’t allow websites to access the clipboard without permission, but the current technique circumvents restrictions, or breaks the feature that blocks the change. We have some recommendations for resolution, whether the issue is fixed soon (or not).
Stronger security settings that can help mitigate this attack include:
- Restricting the ability to run processes with administrative permissions to only users who need it, and instituting a just-in-time methodology, so highly-privileged users only have administrative privileges temporarily as needed.
- Deploying endpoint detection and response tools on your company’s assets to review and prevent many of these attacks. Be sure it’s installed on both endpoints and servers.
- Limiting PowerShell access for standard users as much as possible. Consider tools like Windows Defender Application Control (WDAC) and AppLocker. These mitigation options can block other download tools used by attackers too, such as wget, curl, and certutil.
- Requiring PowerShell to operate in Constrained Language mode. This will severely limit the capabilities of PowerShell, and block many of the common cmdlets used to download the attacker’s main payload.
- Educating users on the threat these attack vectors carry to prepare them for the inevitable.
- Ensuring PowerShell script block logging is enabled to allow any suspicious activity to be reviewed.
If you want to learn more about infostealer malware, be sure to read the next post in this series: Volume III: Malware trends.
Questions? Just want to chat? Drop us a line.
About these reports
The trends described in our QTRs are based on incidents our security operations center (SOC) identified through investigations, alerts, email submissions, or threat hunting leads in the third quarter (Q3) of 2024. We analyzed incidents across our customer base, which includes organizations of all sizes, in many industries, and with differing security maturity levels. In the process, we sought patterns and attacker tendencies to help guide strategic decision-making and operational processes for your team.
