To Evade Detection, Hackers Are Requiring Targets To Complete CAPTCHAs

CAPTCHAs, those puzzles with muffled sounds or blurred or squiggly letters that websites use to filter out bots (often unsuccessfully), have been annoying end users for more than a decade. Now, the challenge-and-response tests are likely to vex targets in malware attacks. From a report: Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys. The Excel file contains macros that, when enabled, install GraceWire, a trojan that steals sensitive information such as passwords. The attacks are the work of a group Microsoft calls Chimborazo, which company researchers have been tracking since at least January. Previously, Microsoft observed Chimborazo distributing the Excel file in attachments included in phishing messages and later spreading through embedded Web links. In recent weeks, the group has begun sending phishing emails that change things up again. In some cases, the phishes include links that lead to redirector sites (usually legitimate sites that have been compromised). In other cases, the emails have an HTML attachment that contains a malicious iframe tag.

Either way, clicking on the link or attachment leads to a site where targets download the malicious file, but only after completing the CAPTCHA (which is short for completely automated public Turing test to tell computers and humans apart). The purpose: to thwart automated analysis defenders use to detect and block attacks and get attack campaigns shut down. Typically the analysis is performed by what are essentially bots that download malware samples and run and analyze them in virtual machines. Requiring the successful completion of a CAPTCHA means analysis will only happen when a live human being downloads the sample. Without the automation, the chances of the malicious file flying under the radar are much better. Microsoft has dubbed Chimborazo's ongoing attack campaign Dudear.

So... wait a minute

[Dutch Gun]

You actually have to solve a CAPTCHA to get yourself hacked? And an Excel macro? If I'm not mistaken, you have to jump through some fairly obvious hoops to open a file with scripted content downloaded from the internet. It's sort of amazing that this is still a problem.

We should just figure this is a test to determine people who will invariably install malware onto their machines no matter what, and take away their computers. Here, have a smartphone/tablet/Chromebook instead.

Re:So... wait a minute

[NoNonAlphaCharsHere]

It's an intelligence test administrated by the hackers. They want to make sure their victims are REALLY stupid.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sysrammer]

Funny! I always had wondered how anyone could fall for the various 419 and Nigerian scans, considering the usual poor grammar and syntax, then I heard a theory that this was a feature of the scam, to target the semi-literate. It makes a perverse sense, but I was never trained in advertising.

Re:So... wait a minute

[Solandri]

That's actually one of the drawbacks of trying to fix every problem by requiring a CAPTCHA. They become so ubiquitous, people become conditioned into solving them without thinking about it. Same problem as Windows privilege elevation dialog box in Vista - it was popping up so often, people got used to clicking Yes every time so they could hurry up and get back to working on their computers.

Re:

[ahodgson]

Except with Captchas we are supposed to just solve them mindlessly. They're to block bots not people.

Re:

[bobby]

I'll agree and take it a step further: psychological conditioning. CAPTCHAs are from the good guys, for good people, to keep out the bad guys, so completing one must be part of the way into the good and safe places, right?

Re:

[terminal.dk]

But at least permissions requests on Android is so rare that people always study them and makes informed decisions. NOT.

The Apple way is actually great, only once in a while are you prompted. And for few permissions only. Apps can not even request the bad ones.

Re:

[skids]

Maybe it was in the TFA I didn't read, but it looks like the captcha is on the website offering the file, not in a macro.

If it were in a macro, that would make it more dangerous as stuff like PanOS wildfire would not necessarily catch it. Being on the website, it'll get caught by any system which uploads samples from actual captures of production traffic... too late for the first few victims of course but the signatures would be rapidly deployed to the rest of the service subscribers.

Re:

[Dutch Gun]

Yeah, I got that. As I understand it, to get infected, people have to:

1) Fall for phishing and visit malicious site
2) Navigate through a captcha on malicious website
3) Download malicious Excel file
4) Open Excel file
5) Bypass security warnings in Excel that disable macros by default

Look, I get that computer security is hard for the average person. I find it really hard to blame someone if they click a single button, only halfway paying attention, and then Bam! But holy hell, at any one of these steps, did

Re:

[tlhIngan]

We should just figure this is a test to determine people who will invariably install malware onto their machines no matter what, and take away their computers. Here, have a smartphone/tablet/Chromebook instead.

Look up the Honor System Virus.

And yes, people are that stupid because of dancing bunnies [wikipedia.org].

Burger King ran a promotion where for every 10 people you unfriended, you got a free whopper - those people got a message saying their relationship was valued less than a whopper.

I'm sure it can be quite successf

Re:

[igelineau]

Actually, Google's reCAPTCHA V3 is based on a score threshold and doesn't require solving a challenge, it's all done in the background.

For the excel macro, I don't think most people care about big warnings hinting vague security risks, they just always click "Execute". We can thank Windows UAC for at least some of those behaviours...

Re:

[inthegreenwoods]

Yesterday I wasted 40 minutes trying to warn the Department of Home Services, here in Australia that they were being hacked. I was unable to get through because they were using a disfunctional CAPCHA to “protect” themselves. To work properly CAPCHAS require meaningful bandwidth. In order to protect their paymasters in the telecoms racket the government is assisting the cartel to restrict bandwidth because they are trying to pay off the unsustainable debt owing on their stranded assets. Then they

it makes it seem more legit

[gl4ss]

I think the actual reason to use it isn't to stop scanning as much as it is to just get the people to download and press yes yes yes after it.

also.. you've ever been sent a legit file on a "download once" link? yeah that didn't go well when I was last sent a file like that, slack scanned it for a preview and obviously no file for me and annoyances all around.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[freeze128]

Google owns reCAPTCHA.
Google owns Virus Total.
Google scans websites for malicious intent.

You would think that Google already has the resources to figure this out. Why not have the CAPTCHAs allow traffic from virus total?

Exactly

[backslashdot]

They won't just hack anyone, they need competent targets who are suited to the rigors of being a hack victim and can handle the stressload. In addition to standardized CAPTCHA testing they require two references, one of which must have supervised your getting hacked you in the past. Preferences given to those whose relatives haven't been hacked in the past.

Two pidgeons

[Alworx]

Maybe the captcha is from a site the bot is trying to brute-force?

Wrong focus

[Snotnose]

Of course they'll use CAPTCHAs to trick people. The real question is How The Holy Fucking Fuck Can A Spreadsheet Infuct Your Computer?

Solve the real problem, and the fake problem goes away.

Re:

[bobby]

You only need fertile soil for the weeds to flourish.

Can someone please explain to me...

[sinij]

... please explain to me why in 2020 it is still possible to install anything via excel macro?

Re:

[igelineau]

Mostly because of the past, retro-compatibility, and businesses built (almost) exclusively on a big pile of horrendous excel documents bloated with thousands of lines of VB code, doing all sort of complex things like create files, execute programs, use databases, etc. They want it to keep working even if they upgrade !

Re:

[tijgertje]

Microsoft should really start blocking those macro's by default (no override in the program) and that you can only re-enable it on OS-level with a GPO.
So that companies that really need it can turn it on, but the rest will be protected by default.

Re:

[grep -v '.*' *]

... please explain to me why in 2020 it is still possible to install anything via excel macro?

?? Huh?!? How else are you going to install Excel?

Nothing new

[terminal.dk]

We had users receiving phsihing mails with this link a few weeks ago:

https://src.vm-cellernote.xyz/... [vm-cellernote.xyz]

Not working anymore, in namecheap whois validation process - Not only did it use captcha, but the fake Microsoft login page picked company logo from https://logo.clearbit.com/slas... [clearbit.com] or https://logo.clearbit.com/met.... [clearbit.com] etc to have a customized login page with companylogo and all.

This should invite a simple solution

[mysidia]

The purpose: to thwart automated analysis defenders use to detect and block attacks and get attack campaigns shut down.

How about an update to block sites found in an e-mailed link containing CAPTCHAs or other form elements ?

And more generally... a browser addon and Search engine update to automatically consider URLs containing CAPTCHAs to be blocked as malicious; with the exception for those CAPTCHAs which are only presented on a page that appears in response to a non-scripted user submission of a HTT