Hackers Exploit CAPTCHA Scams to Evade Detection
Malware campaigns are becoming more deceptive. Hackers now use fake CAPTCHA pages to trick users into downloading malicious files. A recent report uncovered OBSCURE#BAT, a malware that delivers the r77 rootkit. This rootkit allows attackers to remain undetected while controlling infected systems.
How the Attack Works
The attack begins with an obfuscated Windows batch script. This script launches PowerShell commands, triggering a multi-stage infection. Researchers identified two main infection methods. First, hackers use fake Cloudflare CAPTCHA pages to lure victims. Second, they disguise malware as legitimate tools, such as Tor Browser or VoIP applications. In both cases, users unknowingly install the malicious files.
Once executed, the malware drops additional scripts. It also modifies Windows Registry settings and creates scheduled tasks to maintain persistence. Furthermore, it stores obfuscated scripts within the registry, making them harder to detect. Additionally, it registers a fake driver, ACPIx86.sys, embedding itself deep into the system.
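A read-only hunt for the persistence artifacts named above, added here as an example and not taken from the report: the driver filename ACPIx86.sys comes from the article, while the registry paths checked, the `-enc`/`FromBase64String`/`IEX` patterns and the 500-character length threshold are assumptions chosen to surface scripts stashed in the registry or launched by scheduled tasks.

```powershell
# Added example: hunt for the OBSCURE#BAT persistence artifacts the report describes.
# Only the driver name (ACPIx86.sys) is from the article; other paths/thresholds are assumptions.
function Test-ObscureBatArtifacts {
    $findings = @()

    # 1. Fake driver: any service entry whose ImagePath references ACPIx86.sys
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in (Get-ChildItem $svcRoot -ErrorAction SilentlyContinue)) {
        $img = (Get-ItemProperty $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match 'ACPIx86\.sys') {
            $findings += [pscustomobject]@{ Type = 'Driver'; Where = $svc.PSChildName; Detail = $img }
        }
    }

    # 2. Scheduled tasks that launch PowerShell with an encoded, hidden or in-memory command
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh' -and $cmd -match '-enc|hidden|FromBase64String|IEX') {
                $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = $task.TaskName; Detail = $cmd }
            }
        }
    }

    # 3. Run keys holding long or script-like values (obfuscated scripts stored in the registry)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $value = [string]$prop.Value
            # Assumed threshold: legitimate Run entries are rarely hundreds of characters long
            if ($value.Length -gt 500 -or $value -match 'FromBase64String|-EncodedCommand|IEX') {
                $snippet = $value.Substring(0, [Math]::Min(120, $value.Length))
                $findings += [pscustomobject]@{ Type = 'RegistryScript'; Where = "$key\$($prop.Name)"; Detail = $snippet }
            }
        }
    }
    return $findings
}

# Run from an elevated prompt; an empty table means none of these artifacts were found
Test-ObscureBatArtifacts | Format-Table -AutoSize
```

Any hit on the Driver or RegistryScript rows warrants pulling the host for forensic triage, since the r77 rootkit described later hides its own files and keys from tools running on the live system.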
Advanced Evasion Techniques
The attack chain includes a .NET payload with several evasion strategies. For example, it uses control-flow obfuscation, string encryption, and function names mixed with Arabic, Chinese, and special characters. Another payload, delivered via PowerShell, bypasses antivirus detection using AMSI patching.
The final stage of the attack deploys the r77 rootkit. This tool hides files, processes, and registry keys, preventing security tools from detecting them. Moreover, the malware monitors clipboard activity and command history. It then stores this data in hidden files for possible exfiltration. By injecting itself into system processes like winlogon.exe, the malware ensures it remains active even after reboots.
How to Protect Against These Attacks
To stay safe, users must be cautious when downloading software. Always verify sources before installing any program. Additionally, avoid interacting with CAPTCHA pages from unknown websites. Keeping security software updated is also crucial, as it helps detect and remove threats. Organizations should train employees on social engineering tactics to reduce the risk of malware infections. Finally, using endpoint protection tools can provide an extra layer of security.