A recent wave of cyberattacks is exploiting Windows systems through deceptive CAPTCHA verification pages to deploy the StealC malware. This sophisticated social engineering scheme targets unsuspecting users, tricking them into executing harmful PowerShell commands under the guise of a routine security check.
Deceptive CAPTCHA Technique
The attack initiates when users visit compromised websites that appear legitimate. These sites employ fake Cloudflare security checks to mislead visitors. The fraudulent CAPTCHA page instructs users to press Windows Key + R, paste a hidden command, and then execute it, unknowingly launching malware.
This method, known as the ClickFix technique, exploits user trust by mimicking a normal security procedure. As a result, victims inadvertently run a command that downloads malicious scripts and sets up the rest of the attack.
Complex Attack Chain
Researchers from LevelBlue have mapped out the multi-stage attack process. Initially, the malware downloads shellcode that is position-independent and reflectively loads a 64-bit PE downloader. This downloader then injects the StealC malware into legitimate Windows processes, evading conventional detection methods.
The primary targets include browser credentials from Chrome, Edge, and Firefox, cryptocurrency wallet extensions such as MetaMask and Coinbase Wallet, Steam account files, Outlook email credentials, and various system data.
Advanced Evasion Techniques
The StealC malware relies on fileless execution: it operates entirely in memory and writes nothing to disk, which makes detection harder. After the initial PowerShell command runs, it connects to a remote server to download additional shellcode generated with the Donut framework.
This shellcode then loads a specially crafted PE downloader, compiled with Microsoft Visual C++, which retrieves the final payload and injects it into a legitimate Windows service process, svchost.exe. The malware communicates with its command-and-control server over HTTP, obfuscating the traffic with Base64 encoding and RC4 encryption.
Organizations are advised to monitor for unusual User-Agent strings, flag encoded PowerShell executions, and detect API call patterns such as VirtualAlloc and CreateThread that indicate shellcode injection. Monitoring for abnormal access to browser credential databases can also help with early detection.
