Full Report
During an Advanced Continual Threat Hunt (ACTH) investigation in early February 2025, Trustwave SpiderLabs discovered a resurgence of fake CAPTCHA verifications designed to deceive victims into executing malicious PowerShell scripts. This campaign employs a multi-stage PowerShell execution process, ultimately delivering infostealers such as Lumma and Vidar.
Analysis Summary
# Tool/Technique: Fake Captcha Malware Campaign
## Overview
This summary details a malware campaign that leverages deceptive "captcha" lures to trick users into executing malicious files. The campaign utilizes a variety of techniques for execution, privilege escalation, defense evasion, credential access, discovery, and command and control, as documented by Trustwave's threat hunting efforts.
## Technical Details
- Type: Malware Campaign / Collection of Techniques
- Platform: Windows (Implied by techniques like Scheduled Task, PowerShell, Regsvr32, and Windows Event Logging manipulation)
- Capabilities: Execution via user interaction with a malicious file, persistence via scheduled tasks, credential harvesting, and system information gathering.
- First Seen: Not explicitly stated, but described as a "resurgence"; Trustwave dates its discovery of this wave to early February 2025.
## MITRE ATT&CK Mapping
The campaign heavily utilizes the following tactics and techniques:
- **Execution**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1204.002 - User Execution: Malicious File
- **Privilege Escalation**
  - T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- **Defense Evasion**
  - T1036.003 - Masquerading: Rename System Utilities
  - T1218.010 - System Binary Proxy Execution: Regsvr32
  - T1562.002 - Impair Defenses: Disable Windows Event Logging
  - T1564.003 - Hide Artifacts: Hidden Window
- **Credential Access**
  - T1552.001 - Unsecured Credentials: Credentials In Files
  - T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- **Discovery**
  - T1012 - Query Registry
  - T1033 - System Owner/User Discovery
  - T1082 - System Information Discovery
  - T1518 - Software Discovery
  - T1614 - System Location Discovery
- **Command and Control**
  - T1071 - Application Layer Protocol
  - T1571 - Non-Standard Port
  - T1102 - Web Service
## Functionality
### Core Capabilities
- **Initial Access/Infection:** Relies on **T1204.002 (User Execution: Malicious File)**, likely disguised as a CAPTCHA verification or document requiring user interaction.
- **Persistence:** Establishes persistence using **T1053.005 (Scheduled Task/Job)**.
- **System Interaction:** Executes commands using PowerShell (**T1059.001**) and the Windows Command Shell (**T1059.003**).
### Advanced Features
- **Privilege Escalation:** Attempts to elevate privileges by bypassing UAC (**T1548.002**).
- **Artifact Hiding:** Hides its activity windows (**T1564.003 (Hidden Window)**) and renames utilities to evade detection (**T1036.003**).
- **Defense Manipulation:** Specifically targets and disables Windows Event Logging (**T1562.002**).
- **Credential Theft:** Scans for credentials stored in local files (**T1552.001**) and attempts to extract saved credentials from web browsers (**T1555.003**).
- **Proxy Execution:** Leverages living-off-the-land binaries, specifically using `Regsvr32` (**T1218.010**) for execution.
## Indicators of Compromise
- File Hashes: (Not provided in the context snippet)
- File Names: (Not provided in the context snippet)
- Registry Keys: Mentioned under Discovery (**T1012**); specific keys not listed.
- Network Indicators:
  - `cryptocurrencytrends[.]click`
  - `guardeduppe[.]com`
  - `toppyneedus[.]biz`
- Behavioral Indicators:
  - Creation of scheduled tasks.
  - Execution of PowerShell or cmd.exe commands post-user execution.
  - Disabling of Windows Event Logging service/functionality.
## Associated Threat Actors
The summary does not explicitly name a specific threat actor group but details the activities monitored by Trustwave's Advanced Continual Threat Hunt (ACTH) service.
## Detection Methods
- **Signature-based detection:** (Not explicitly detailed, but implied via standard antivirus/EDR coverage for malicious files).
- **Behavioral detection:** Monitoring for the sequence of techniques used, especially UAC bypass, disabling event logging, and use of `Regsvr32` for unintended purposes.
- **YARA rules:** (Not provided in the context snippet)
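As an added illustration of the behavioral detection described above (example code written for this summary, not from Trustwave's report), the Python below runs one rule per mapped technique over constructed Sysmon-style process-creation records and correlates the hits per host. The field names, paths and command lines are assumptions modeled on Sysmon Event ID 1, and the rule patterns are assumptions about how each technique commonly appears in logs, not indicators from the campaign.

```python
import ntpath
import re
# Assumed Sysmon Event ID 1 fields the rules inspect: Image, OriginalFileName, ParentImage, CommandLine.
SYSTEM_UTILS = {"powershell.exe", "cmd.exe", "regsvr32.exe", "schtasks.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe"}
def _base(path):
    return ntpath.basename(path).lower()

# ATT&CK ID -> (what the rule looks for, predicate over one event). The patterns are
# assumptions about how each technique commonly appears in logs, not report indicators.
RULES = {
    "T1564.003": ("PowerShell started with a hidden window", lambda e:
        _base(e["Image"]) == "powershell.exe"
        and re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", e["CommandLine"].lower()) is not None),
    "T1036.003": ("renamed system utility: PE original name differs from image name", lambda e:
        e.get("OriginalFileName", "").lower() in SYSTEM_UTILS
        and _base(e["Image"]) != e["OriginalFileName"].lower()),
    "T1218.010": ("regsvr32 spawned by a script interpreter (proxy execution)", lambda e:
        _base(e["Image"]) == "regsvr32.exe" and _base(e.get("ParentImage", "")) in INTERPRETERS),
    "T1053.005": ("scheduled task created from the command line", lambda e:
        _base(e["Image"]) == "schtasks.exe" and "/create" in e["CommandLine"].lower()),
    "T1562.002": ("Event Log service stopped or logs cleared", lambda e:
        re.search(r'(stop-service|sc\s+stop|net\s+stop)\s+"?eventlog|wevtutil\s+cl\b',
                  e["CommandLine"].lower()) is not None),
}

def match_event(e):
    """Return the ATT&CK IDs whose rule fires on a single process-creation event."""
    return [tid for tid, (_, pred) in RULES.items() if pred(e)]

def score_host(events):
    """Correlate one host's events: two or more distinct technique hits is suspicious."""
    hits = {}
    for e in events:
        for tid in match_event(e):
            hits.setdefault(tid, []).append(e["CommandLine"])
    return {"techniques": sorted(hits), "suspicious": len(hits) >= 2}

def _ev(image, orig, parent, cmd):
    return {"Image": image, "OriginalFileName": orig, "ParentImage": parent, "CommandLine": cmd}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed sample records, not telemetry from the report
    _ev(PS, "PowerShell.EXE", r"C:\Windows\explorer.exe", "powershell -w hidden -c <redacted>"),
    _ev(r"C:\Users\Public\svc.exe", "PowerShell.EXE", S32 + r"\cmd.exe", "svc.exe -nop -c <redacted>"),
    _ev(S32 + r"\regsvr32.exe", "REGSVR32.EXE", PS, r"regsvr32 /s C:\Users\Public\x.dll"),
    _ev(S32 + r"\schtasks.exe", "schtasks.exe", PS, r"schtasks /create /sc minute /tn Updater /tr C:\Users\Public\svc.exe"),
    _ev(S32 + r"\cmd.exe", "Cmd.Exe", PS, "cmd /c sc stop EventLog"),
    _ev(S32 + r"\notepad.exe", "NOTEPAD.EXE", r"C:\Windows\explorer.exe", "notepad.exe"),  # benign
]
```

Running `score_host(SAMPLE_EVENTS)` flags all five chained techniques and marks the host suspicious, while the benign notepad record matches nothing.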
## Mitigation Strategies
- **Prevention measures:** User training to prevent **T1204.002 (Malicious File)** execution, likely involving scrutiny of unsolicited links or files disguised as CAPTCHAs.
- **Hardening recommendations:** Implementing strong UAC policies, monitoring for system binary proxy execution (`Regsvr32`), and configuring logging systems to monitor for events related to **T1562.002**.
- **Threat Hunting:** Trustwave recommends leveraging their **Advanced Continual Threat Hunt (ACTH)** methodology, available as an option in their Managed Detection and Response (MDR) services, to actively monitor for and respond to this campaign.
## Related Tools/Techniques
The campaign showcases a combination of living-off-the-land binaries (LOLBins) and standard persistence and privilege-escalation techniques common to commodity malware families. The report's introduction identifies the final payloads as the Lumma and Vidar infostealers; the summary names no other related malware family beyond the descriptive campaign title.