Full Report
From Oct to early Dec 2024, our customers observed nearly twice as many fake CAPTCHA websites compared to September, likely the result of researchers releasing the templates used for these campaigns.
Analysis Summary
# Tool/Technique: Fake CAPTCHA Clipboard Hijacking
## Overview
This entry describes an attack chain that uses deceptive CAPTCHA pages (mimicking trusted services such as Google or Cloudflare) to trick users into executing malicious commands that the page has silently copied to their clipboard via JavaScript. The result is malware installation, often information stealers and RATs.
## Technical Details
- Type: Technique (Social Engineering / Execution Chain)
- Platform: Windows (due to explicit mention of the Windows Run prompt)
- Capabilities: Deceptive user interface, automatic clipboard modification, command execution facilitation.
- First Seen: Not explicitly specified, but noted as an "increasing number" of campaigns.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- T1566.001 - Spearphishing Attachment (Conceptual link to payload delivery)
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell
- T1059.005 - Visual Basic (Often used in pasted commands)
- T1119 - Automated Collection (If infostealers/RATs are deployed)
## Functionality
### Core Capabilities
- **Deceptive Interface:** Presenting fake CAPTCHA challenges to appear legitimate.
- **Clipboard Hijacking:** Utilizing JavaScript to silently write malicious commands directly to the user's clipboard upon page load.
- **Social Engineering:** Instructing the user (via the deceptive page or subsequent steps) to open the Windows Run prompt and paste the copied command.
### Advanced Features
- Infection chains often go on to deploy information-stealing malware (infostealers) or Remote Access Trojans (RATs) to establish persistence and exfiltrate data.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context, only the associated compromised domain]
- Behavioral Indicators:
  - Program execution initiated via pasting content into the Windows Run prompt (`Win+R`).
  - Navigation to suspicious domains that serve CAPTCHA-like content.
## Associated Threat Actors
- APT28 (Identified as successfully employing these tactics)
- General cybercriminals distributing Infostealers and RATs.
## Detection Methods
- Signature-based detection: [Not provided in context]
- Behavioral detection: Monitoring for unusual command execution that originates from user-input sources (such as the Run prompt) immediately after a visit to certain websites, and monitoring for JavaScript that writes to the clipboard without user intent (via the `clipboardData` object or similar clipboard APIs).
- YARA rules: [Not provided in context]
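The behavioral detection above, as an added example that is not part of the original report: it correlates constructed, Sysmon-style telemetry and flags interpreter launches whose parent is `explorer.exe` (how the Run prompt spawns processes) within two minutes of a browser request. The interpreter list, browser list, time window and sample events are all assumptions.

```python
from datetime import datetime, timedelta

# Interpreters typically launched from the Run prompt in these chains (assumed list).
SUSPECT_IMAGES = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(seconds=120)  # a Run-prompt launch this soon after a page visit is suspicious

# Constructed sample telemetry (Sysmon-style fields, simplified); not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-11-05T10:00:00", "type": "network", "image": "chrome.exe",
     "dest": "captcha-check.invalid"},
    {"ts": "2024-11-05T10:00:45", "type": "process_create", "parent_image": "explorer.exe",
     "image": "mshta.exe", "cmdline": "mshta.exe https://captcha-check.invalid/verify"},
    {"ts": "2024-11-05T10:00:50", "type": "process_create", "parent_image": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
    {"ts": "2024-11-05T10:01:00", "type": "process_create", "parent_image": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-11-05T10:30:00", "type": "process_create", "parent_image": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe"},
]

def find_run_prompt_launches(events, window=WINDOW):
    """Flag interpreter launches parented by explorer.exe (how the Run prompt
    spawns processes) that occur within `window` after a browser network event.
    Returns a list of dicts describing each hit, in timestamp order."""
    hits = []
    last_visit = None  # (timestamp, destination) of the most recent browser request
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "network" and ev["image"].lower() in BROWSERS:
            last_visit = (ts, ev["dest"])
        elif ev["type"] == "process_create":
            from_run_prompt = ev["parent_image"].lower() == "explorer.exe"
            is_interpreter = ev["image"].lower() in SUSPECT_IMAGES
            recent_visit = last_visit is not None and ts - last_visit[0] <= window
            if from_run_prompt and is_interpreter and recent_visit:
                hits.append({"ts": ev["ts"], "image": ev["image"].lower(),
                             "cmdline": ev["cmdline"], "after_visit": last_visit[1]})
    return hits

if __name__ == "__main__":
    for hit in find_run_prompt_launches(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['image']} launched via Run prompt; "
              f"{hit['after_visit']!r} visited shortly before: {hit['cmdline']}")
```

`explorer.exe` is also the parent of Start-menu and desktop launches, so the browser-visit window is what keeps this rule from firing on ordinary interpreter use; tune it against your own baseline.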
## Mitigation Strategies
- **Employee Education:** Train users to recognize the risks associated with fake CAPTCHAs and to be suspicious of instructions requiring them to paste commands into the Run prompt.
- **Technical Controls:** Implement web filtering to block access to known malicious redirection domains.
- **System Hardening:** Minimize user privileges where possible to limit the scope of malware downloaded via user execution.
## Related Tools/Techniques
- Clipboard hijacking techniques used in other phishing campaigns.
- Techniques relying on LNK files or running commands disguised as benign content.
- Other social engineering tactics that rely on user interaction with trusted application features (such as PowerShell or the Run prompt).