A sophisticated social engineering technique has recently emerged in the cybersecurity landscape, rapidly gaining traction among threat actors seeking to distribute trojans, ransomware, and particularly Quakbot malware.<\/p>\n
This technique, known as ClickFix Captcha, exploits users\u2019 trust in familiar web elements to bypass traditional security measures and deliver malicious payloads to Windows systems.<\/p>\n
The attack begins when users visit compromised or malicious websites that redirect them to a seemingly legitimate captcha verification page at domains such as cfcaptcha[.]com.<\/p>\n
Unlike traditional captchas that require users to identify objects or type text, ClickFix captchas instruct users to perform specific actions on their computers, such as pressing Windows key + R, claiming this will verify they aren\u2019t bots.<\/p>\n
Dark Atlas researchers detected<\/a> that when users follow these instructions, they unwittingly execute malicious commands that have been preloaded into their clipboard.<\/p>\n The researchers noted the commands typically invoke PowerShell<\/a> to download and execute additional malicious code while displaying deceptive \u201cVerification complete\u201d messages to maintain the illusion of legitimacy.<\/p>\n The infection chain is particularly insidious because it leverages common Windows functionality rather than exploiting technical vulnerabilities.<\/p>\n When users press Windows key + R after interacting with the captcha, they open the Run dialog, and the malicious command<\/a> in their clipboard is automatically inserted.<\/p>\n One keystroke later, the system is compromised.<\/p>\n The technical sophistication of this attack lies in its multi-stage execution process.<\/p>\n Upon execution, the clipboard-injected command typically contains obfuscated PowerShell code that downloads a remote file.<\/p>\n This initial payload displays a fake verification<\/a> message while silently downloading additional components from attacker-controlled domains like duolingos[.]com.<\/p>\n Analysis of the malicious code revealed XOR encryption techniques designed to evade detection. The decrypted payload contains instructions to download and extract ZIP files to the user\u2019s AppData directory.<\/p>\n One captured example showed commands to retrieve \u201cflswunwa.zip\u201d and extract its contents, which would then establish persistence and potentially exfiltrate sensitive data.<\/p>\n What makes ClickFix particularly dangerous is the attackers\u2019 implementation of rewrite rules and PHP-based proxies on compromised servers, allowing them to generate unlimited unique URLs for malware distribution while concealing the actual origin of the malicious content.<\/p>\n The post ClickFix Captcha \u2013 A Creative Technique That Allow Attackers Deliver Malware and Ransomware on Windows<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdvanced Infection Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCjAZluj2UDIQKcVLRZ39P7NhKroC87zNJy-sTre7kf42uIuGYL01biWQfTz4nnrfwB6sucZEyJUf0vJnzg4ll9sr1IW7k1ZDhP4Mrvq9CmoWjsBsUJutM-kUlF_xDenKVCO5YkIUJfe58dVcaQRxEt48e3YkhjDhdVSVLKumPmz0snczNaobN_WCodYw\/s16000\/PowerShell%2520command%2520that%2520executes%2520the%2520retrieved%2520string%2520as%2520a%2520PowerShell%2520command%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTjlY1GxbXAqeCNM2ROqUmKbv6KMlvZrffqfSrZw5RokIoGm2IgAovSPuZT8LnfaFvaELYCvDjIBUxl5B081ZncG21F49Dg7r_z80pYeiNkEA-Bho0hXzb3eQvcsr_zKl2FYdo0Khjc94_r6kQTufeUiP5_lNLSFF5eC7MXyIF2CfdIivIT2mI8FXbpCw\/s16000\/Attacker-controlled%2520domain%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")