The NJCCIC’s email security solution identified a fake CAPTCHA malware campaign sent to New Jersey State employees in an attempt to deliver the SectopRAT infostealer. The emails contain links directing targets to malicious or compromised websites and prompting deceptive CAPTCHA verification challenges. In the background, the visited website copies a command to the target’s clipboard. The CAPTCHA prompts the target to verify their identity by opening a Windows Run dialog box and running the paste command.

The first part of the command triggers a legitimate Windows executable, mshta[.]exe, to fetch a malicious file from the specified domain and run it. The file type can be html, mp3, mp4, jpg, jpeg, swf, and others. This first part of the command is purposefully obfuscated so that the target only sees the last part of the pasted content stating “I am not a robot – reCAPTCHA Verification ID: ####” in the Windows Run dialog box, which prompts the user to click OK to verify their identity. If completed, the encoded PowerShell command runs in the background, and the target inadvertently downloads and executes SectopRAT.

Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript Libraries. A possible point of entry was an outdated PHP form that allowed threat actors to access the system and inject the malicious code. Additionally, the redirect links pointed to URLs of newly registered domains.

In a similar campaign, threat actors compromised a shared video service unique to auto dealerships in a supply chain attack. When active, auto dealership website visitors risk being infected with SectopRAT. Researchers also discovered similar fake CAPTCHA malware campaigns deploying Lumma and Vidar infostealers and stealthy rootkits. Legitimate CAPTCHA verification challenges validate a user’s identity and do not require users to copy and paste commands or output into a Windows Run dialog box.

Recommendations

• If you encounter a suspicious CAPTCHA verification challenge, refrain from visiting the website or taking further action.
• Keep browsers and anti-virus/anti-malware software up to date.
• Keep systems up to date and apply patches after appropriate testing.
• Disable JavaScript in the browser before visiting unknown websites.
• Website administrators are advised to remove the malicious code and ensure the website is patched and updated.
• Verify all administrators and update the administrative credentials for the CMS platform.
• Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.