CAPTCHAs, those puzzles with shiny things or hard or squiggly letters that websites use to filter out bots (usually unsuccessful), have been annoying end users for more than a decade. Now, challenge-and-response tests are possible to remove targets in a malware attack.
Microsoft recently noticed an attack group distributing a malicious Excel document on a site that required users to complete a CAPTCHA, possibly in an attempt to detect automation by the good guys. The Excel file contains macros that, when run, install GraceWire, a trojan that steals sensitive information such as passwords. The attacks are the work of a group Microsoft calls Chimborazo, which the company’s researchers have been tracking since at least January.
Previously, Microsoft noticed Chimborazo distributing Excel files as attachments in private messages and later spreading through embedded web links. In recent weeks, the group has started sending out cryptic emails that changed things again. In some cases, phishes include links that lead to legitimate sites (usually legitimate sites that have been hacked). In some cases, the emails contain a malicious HTML attachment iframe tag.
Either way, clicking on a link or attachment leads to a site where the target downloads a malicious file, but only after completing the CAPTCHA (which is short for the Turing test that everyone uses to tell computers and people apart). The purpose: to prevent automated analysis defenders use to detect and block attacks and allow attack campaigns to be shut down. Typically the analysis is done by what are special bots that download malware samples and run and analyze them in virtual machines.
Requiring successful completion of the CAPTCHA means analysis will only happen when a live person downloads the pattern. Without practice, the chances of a malicious file flying under the radar are very good. Microsoft has recorded Chimborazo Dudear’s ongoing attack campaign.
“CHIMBORAZO, the group behind the Dudear campaigns that steal the information of the GraceWire Trojan, have once again developed their methods in pursuit of constant detection,” the Microsoft Security Intelligence Group wrote in a Tweet on Wednesday. “The group uses websites with CAPTCHA to avoid automated analysis.”
CHIMBORAZO, the group behind Dudear’s information-stealing Trojan GraceWire campaigns, has developed their methods once again in pursuit of constant discovery. The group uses websites with CAPTCHA to avoid automatic analysis. pic.twitter.com/Kz3cdwYDd7
— Microsoft Security Intel (@MsftSecIntel) June 17, 2020
The attack flow looks like this:
Microsoft Security Intelligence
In a campaign Intelligence Security Team cover in January, Chimborazo used an IP tracking service to track the IP addresses of the machines that downloaded the malicious Excel file, presumably to also avoid automated detection. Back then, it was the first time Microsoft had seen Chimborazo use reset points.
Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the use of CAPTCHA in malware attacks is rare but not unprecedented. He pointed out this tweet since late December has been doing the same thing. In that case the attackers need targets to complete a CAPTCHA which is an attack of Google’s reCAPTCHA function. While fake, it serves the same purpose as a real one—to prevent automated analysis by requiring a real person to download the file.
A CAPTCHA detected by Microsoft may also be a fake reCAPTCHA. The evidence: as seen in the image at the top of this post, it says reCAPTCHA and below it says it provides “DDoS Protection by Cloudflare.” Those are two separate jobs. (Then again, as one commenter noted, it’s possible that the attackers used both services separately.) Google representatives did not immediately respond to an email seeking comment for this post.
Periodically changing attack routes is one way that attackers stay ahead of defenders, creating a never-ending back-and-forth pattern that requires constant vigilance for defenders to stay on top. It is likely that the attacking team will change course again in the coming months.
Post an update to add comments in the second-to-last paragraph.