The NJCCIC’s email security solution identified a fake CAPTCHA malware campaign sent to New Jersey State employees in an attempt to deliver the SectopRAT infostealer. The emails contain links directing targets to malicious or compromised websites that present a deceptive CAPTCHA verification challenge. In the background, the visited website silently copies a command to the target’s clipboard. The fake CAPTCHA then instructs the target to “verify” by opening the Windows Run dialog box, pasting the clipboard contents, and running them.
The first part of the pasted command invokes a legitimate Windows binary, mshta[.]exe, to fetch a file from the specified domain and execute it. Because mshta runs the script embedded in whatever it fetches regardless of the file extension, the payload can be served as html, mp3, mp4, jpg, jpeg, swf, or another file type. This first part of the command is deliberately obfuscated so that, in the narrow Run dialog box, the target sees only the tail of the pasted content, which reads “I am not a robot – reCAPTCHA Verification ID: ####” and appears to ask the user to click OK to verify their identity. If the user does so, the full command runs: the encoded PowerShell stage executes in the background, and the target inadvertently downloads and executes SectopRAT.
Further analysis showed that the compromised websites ran the WordPress Content Management System (CMS) and common JavaScript libraries. A likely point of entry was an outdated PHP form that allowed the threat actors to access the site and inject the malicious code. The redirect links pointed to newly registered domains.
In a similar campaign, threat actors compromised a shared video service used by auto dealerships, a supply chain attack that exposed visitors to the dealerships’ websites to SectopRAT while the injection was active. Researchers have also observed fake CAPTCHA campaigns deploying the Lumma and Vidar infostealers and stealthy rootkits. A legitimate CAPTCHA only checks that the visitor is human; it never asks the user to copy and paste commands or output into a Windows Run dialog box.
Recommendations
- If you encounter a suspicious CAPTCHA verification challenge, refrain from visiting the website or taking further action.
- Keep browsers and anti-virus/anti-malware software up to date.
- Keep systems up to date and apply patches after appropriate testing.
- Disable JavaScript in the browser before visiting unknown websites.
- Website administrators are advised to remove the injected code and ensure the website, including the CMS and its components, is patched and updated.
- Verify all administrator accounts and rotate the administrative credentials for the CMS platform.
- Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.
This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with that account, threat actors could install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts configured with fewer user rights on the system are less exposed than those that run with administrative user rights.
Systems Affected
- Android OS patch levels prior to 2025-03-05
Risk
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Recommendations
- Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system.