Cybercriminals are increasingly using fake “I’m not a robot” CAPTCHAs for multi-stage malware infection chains, relying on users’ increasing willingness to click.
HP Inc. released its latest HP Threat Insights Report at the annual Amplify conference. The report focuses on the increasing use of fake CAPTCHA verification tests by threat actors to trick users into infecting themselves. The campaigns show that attackers are taking advantage of the fact that people are getting used to completing multiple authentication steps online – a trend HP calls “click tolerance”.
By analyzing real-world cyber attacks, the report helps organizations keep up with the latest techniques cyber criminals are using to keep malware from being detected and to break into PCs. Based on data from millions of endpoints running HP Wolf Security, the threat researchers identified the following campaigns, among others:
- CAPTCHA Me If You Can: As bots get better at bypassing CAPTCHAs, authentication has become more complex, and users have become accustomed to proving they are human more often. HP Threat Researchers identified several campaigns in which attackers built malicious CAPTCHAs. Users were directed to attacker-controlled websites and asked to complete a series of fake verification steps. In the final step, victims were tricked into running a malicious PowerShell command on their PC that installed the Lumma Stealer Remote Access Trojan (RAT).
- Attackers access users’ webcams and microphones to spy on their victims: In another campaign, attackers distributed an open-source RAT, XenoRAT, with advanced surveillance features such as microphone and webcam recording. Using social engineering, cyber criminals convinced users to enable macros in Word and Excel documents, which gave the attackers control of the device and let them exfiltrate data and log keystrokes – showing that Word and Excel remain a risk for malware distribution.
- Python scripts for SVG smuggling: Another campaign shows how threat actors are embedding malicious JavaScript in Scalable Vector Graphics (SVG) images to evade detection. Such images open in the web browser by default, which executes the embedded code and drops seven payloads – including RATs and infostealers – that give the attacker redundancy and several ways to monetize the infection. As part of the infection chain, the attackers also used obfuscated Python scripts to install the malware. Python’s popularity continues to grow with the interest in AI and data science, and because its interpreter is so widely installed, the language is increasingly attractive to attackers for writing malware.
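As an added illustration of the SVG smuggling technique in the last campaign (example code written for this article, not HP’s tooling), the following scanner parses an SVG as XML and flags the places where active content can hide: `<script>` elements, `on*` event-handler attributes, `javascript:` URLs and `<foreignObject>` wrappers. The two SVG samples are constructed for the example.

```python
# Added example (not HP's code): flag SVG files carrying embedded script,
# the "SVG smuggling" technique described above. Sample SVGs are constructed.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return findings describing active content inside an SVG document.

    The checks are deliberately cheap: <script> elements, on* event-handler
    attributes, javascript: URLs in href/xlink:href, and <foreignObject>,
    which can wrap arbitrary HTML (including <script>) inside the image.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("<script> element present")
        elif name == "foreignobject":
            findings.append("<foreignObject> element present (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname}= on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


# Constructed samples: a benign icon and one that smuggles script.
BENIGN_SVG = f'<svg xmlns="{SVG_NS}" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="init()">'
    '<script>/* payload would decode and run here */</script>'
    '<a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc) or ["clean"])
```

In a mail gateway or download scanner, any non-empty result is a reason to quarantine the file or strip the active content before it reaches a browser.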
Common campaign denominator
Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, explains: “The campaigns use obfuscation and anti-analysis techniques to slow down investigations. Even such simple but effective techniques can delay detection and response by security teams – making it more difficult to contain an infection. By using methods such as direct system calls, attackers make it difficult for security tools to record malicious activity. This gives cyber criminals more time to operate undetected and compromise victims’ devices.”
Because HP Wolf Security isolates threats that have evaded other detection tools in secure containers on the PC, where they are neutralized, it has specific insight into the latest techniques used by cyber criminals. To date, customers have clicked on more than 65 billion email attachments, web pages and downloaded files without a breach being reported.
The report, which examines data from Q4 2024, shows how cybercriminals continue to diversify their attack methods to evade detection-dependent security tools.
- At least eleven percent of the email threats identified by HP Sure Click bypassed one or more email gateway scanners.
- Executable files were the most popular type of malware (43 percent), followed by archive files (32 percent).
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc. comments: “Multi-factor authentication is now the norm. This increases our ‘click tolerance’. The analysis shows that users are taking multiple steps along an infection chain, highlighting the shortcomings of cyber awareness training. Companies are in competition with attackers. This is being accelerated by AI. To combat the increasingly unpredictable threats, companies should focus on reducing their attack surface by isolating high-risk actions – for example, clicking on things that could harm them. That way, they don’t have to anticipate the next attack; they’re already protected.”
(cm/hp)