Fake Captcha Tests Trick Users Into Running Malware
Microsoft’s security team has published an in-depth report into ClickFix, the social engineering attack which tricks users into executing malicious commands in the guise of proving their humanity.
ClickFix pretends to be a standard CAPTCHA challenge. But, instead of clicking squares with motorbikes in them, sliding a puzzle-piece into place, or rotating increasingly-bizarre objects to particular orientations, it demands that users do something . . . else.
The fake CAPTCHA tells them to hit the Windows/Super key and R, then Control and V followed by Enter – a combination which, any reader who’s used a computer for more than a week or so will likely recognize, opens up the Windows Run prompt, pastes whatever the attacker placed in the clipboard, and executes it. Imagine users smiling to themselves as they do this, thinking of how helpful they are being while crooks are helping themselves to unauthorized access.
“Over the past year,” the research team wrote of its findings, “Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day.”
Miscreants most famously used the ClickFix technique during a recent phishing campaign against Booking.com users. The attackers sent malicious emails to hospitality vendors with claims of negative reviews or customer queries, but when victims clicked through, they were taken to an attacker-controlled site which had a fake CAPTCHA test.
“Because ClickFix relies on human intervention to launch the malicious commands,” Microsoft’s researchers noted, “a campaign that uses this technique could get past conventional and automated security solutions.”
As for what ClickFix does, that’s entirely up to the attacker. Microsoft’s research found the most common payload to be Lumma Stealer, an info-stealer which has been blamed for tens of millions of dollars a year in credit card fraud and which was supposedly dismantled in an international effort back in May, though it appears to have only slowed, not stopped, those behind it.
Other confirmed payloads, which do not typically write a file to disk but instead operate in-memory, include the Xworm, AsyncRAT, NetSupport, and SectopRAT remote-access Trojans, file loaders including Latrodectus and MintsLoader, and rootkits including those based on the open-source r77 project.
As part of its report, Microsoft’s research team named an attack on Portuguese governmental, financial, and transportation organizations which used ClickFix to deploy the Lampion info-stealer. In this effort, the phishing emails delivered victims to a page which used ClickFix to download an obfuscated VBScript file, which downloaded another VBScript file, which downloaded yet another VBScript file responsible for checking for antivirus and other security measures before creating a .cmd file to deliver the final payload on a scheduled reboot.
That was all very clever, to be sure, except for one thing. “During our investigation,” the team noted, “the actual Lampion malware wasn’t delivered because the download command was commented out of the code.”
Microsoft’s report also details other variants of ClickFix which do not masquerade as a CAPTCHA, though Google reCAPTCHA and Cloudflare’s Turnstile proof-of-humanity platforms remain a popular choice of disguise. Some of the earliest recorded instances mimicked the “Aw, Snap!” crash report page in Google’s Chrome browser; others use Microsoft’s own error for a missing extension in Word Online. Yet more examples were found pretending to be Discord landing pages, part of a shift which the researchers posited was to “broaden their reach of potential targets.”
Researchers also discovered a ClickFix variant which eschews Windows in favor of Apple’s rival macOS. “Interestingly,” the researchers found, “the steps the lure displays even [for] macOS users are for Windows devices,” though the actual command is a bash script which snags the user’s login details, downloads a payload, disables macOS’ quarantine feature, and finally launches the malware.
As for how users can protect themselves, Microsoft’s advice is primarily education-based, along with the use of email filtering to reduce the number of phishing attempts that make it into users’ inboxes. The company’s report also advises that users should “block web pages from automatically running [Adobe] Flash plugins,” an unexpected piece of not-exactly-timely advice given that Adobe killed Flash Player more than four years ago.
Microsoft also recommends using PowerShell script block logging and execution policies, turning on optional Windows Terminal warnings that appear when pasting multiple lines, enabling app control policies which prevent the execution of native binaries from the Run command, and even deploying a group policy to remove the Run command from the Start Menu altogether. The report also includes a selection of indicators of compromise, for those who would like to incorporate them into their security scanning systems.
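The host-level mitigations listed above, applied on a single Windows machine as an added example (this is not code from Microsoft's report). The registry paths are the documented policy locations; the Windows Terminal settings path assumes the Microsoft Store package, and the JSON edit assumes PowerShell 7 because the file contains comments.

```powershell
# Run from an elevated PowerShell session.

# 1. Script block logging: records the full text of every script block executed
#    (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), so a one-liner
#    pasted into Run is logged even though it never touches disk.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Execution policy: require signed scripts machine-wide. Defence in depth only;
#    Microsoft documents that execution policy is not a security boundary.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Windows Terminal: warn before pasting multi-line or large clipboard content.
#    settings.json is JSONC, which Windows PowerShell 5.1 cannot parse; the rewrite
#    also drops the file's comments, so a backup is taken first. (Assumed path.)
$settings = Join-Path $env:LOCALAPPDATA `
    'Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
if ((Test-Path $settings) -and $PSVersionTable.PSVersion.Major -ge 7) {
    Copy-Item $settings "$settings.bak" -Force
    $json = Get-Content $settings -Raw | ConvertFrom-Json
    $json | Add-Member -NotePropertyName multiLinePasteWarning -NotePropertyValue $true -Force
    $json | Add-Member -NotePropertyName largePasteWarning     -NotePropertyValue $true -Force
    $json | ConvertTo-Json -Depth 32 | Set-Content $settings -Encoding UTF8
}

# 4. Remove the Run command from the Start menu (policy value NoRun). This policy
#    also disables the Win+R shortcut the lure depends on. Set per-user here; in a
#    domain, push the same value through Group Policy instead.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorer -Force | Out-Null
Set-ItemProperty -Path $explorer -Name NoRun -Value 1 -Type DWord

# Verify what was applied.
Get-ItemProperty -Path $sbl      | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $explorer | Select-Object NoRun
Get-ExecutionPolicy -Scope LocalMachine
```

The NoRun policy takes effect for new Explorer sessions, so users must sign out and back in before the Run dialog disappears.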