Cybersecurity experts revealed a clever new campaign. Fake CAPTCHAs trick users into running malicious commands. These attacks deliver an information stealer called Amatera using trusted Microsoft tools.
The Fake CAPTCHA Trick Begins
Attackers show fake verification prompts on websites. They urge users to copy a command and paste it into the Windows Run box. For example, the prompt claims it fixes a browser issue. Therefore, many people follow the instructions.
This method builds on ClickFix techniques. However, attackers add a smart twist here. They avoid direct PowerShell calls. Instead, they use a signed Microsoft script for stealth.
Abusing a Trusted Microsoft Script
The command targets a legitimate Visual Basic script. This script belongs to Microsoft’s virtualization feature. It normally helps manage apps in enterprise setups. Attackers abuse it to launch hidden PowerShell code.
Researchers note this trick appeared before in other attacks. For instance, certain state-sponsored groups used it in 2022. Now, attackers apply it to ClickFix-style campaigns. Consequently, defenses struggle to spot the activity.
Targeting Enterprise Systems Only
The script works only on specific Windows versions. It requires Enterprise or Education editions. Home and Pro editions lack the feature. Therefore, the campaign focuses on business and managed networks.
Attackers know this limitation. However, they accept it for better stealth. Enterprise systems often hold valuable data. This makes them prime targets for stealers.
Loading the Malware Step by Step
Once executed, an obfuscated loader runs checks. It avoids sandbox environments used by security tools. Next, it pulls settings from a public calendar file on Google. This method lets attackers change plans quickly.
For example, they rotate servers without new infections. Then, the loader fetches more stages in memory. It downloads a PNG image from trusted image hosts. This image hides an encrypted payload.
Final Stage Delivers the Stealer
The script decrypts and decompresses the payload in memory. It runs the code without saving files to disk. Finally, it launches a shellcode loader. This loader installs Amatera Stealer.
Amatera grabs sensitive information from the infected system. It targets credentials, browser data, and more. Therefore, victims risk account takeovers and data theft.
Each step reinforces the others. User interaction starts the process. Checks block automated analysis. Trusted services hide the real intent. Consequently, the attack evades many defenses.
Researchers praise the careful design. Every part fits together smoothly. For instance, clipboard validation adds extra control. This makes casual detection very hard.
Evolution of ClickFix Techniques
ClickFix attacks surged in popularity last year. They now drive many initial infections. Variants like JackFix and CrashFix deceive users differently. Some promise free verification badges on social media.
New tools like ErrTraffic corrupt websites on purpose. They show fake glitches and push “fixes.” Additionally, campaigns use blockchain and CDNs for delivery. These methods inherit trust from legitimate platforms.
Prevention Strategies
Organizations can stop these attacks with strong layered defenses. First, restrict PowerShell execution in non-admin contexts. Block unusual script launches from trusted components. Moreover, deploy continuous monitoring to detect suspicious clipboard commands and external config pulls early.
Regular user training helps too. Teach staff never to paste and run commands from websites. Use endpoint tools that flag fake verification prompts. These steps cut the success rate of fake CAPTCHA and ClickFix campaigns significantly.
Sleep well, we got you covered.
