I don’t know anyone who loves CAPTCHAs. Those fuzzy and wavy letters that we have to decipher whenever we go to perform a task on the web suspected of being automated are there to avoid bots. However, there are now even bots that ask you to fill CAPTCHAS. The weapon used to reduce malware, used by the malware itself in its favor.
The Microsoft security department indicates that they recently discovered a new attacker with particularly peculiar malware. Why? It turns out that these were web pages where users were required to complete a CAPTCHA. With this the malware went more unnoticed since it is assumed that if a CAPTCHA is completed, the malware detection systems will think that it is a human and not a malicious program. Not in this case.
Microsoft has been tracking this malware under the name Chimborazo since January. They explain that the user is redirected to some malicious page of the attacker through some file received by mail. Once on the website, it asks the user to complete a CAPTCHA before downloading the malware file. With this they avoid going through the security filter as it is not 100% automated.
Apparently the file that is usually downloaded is an Excel document. They comment that once the Excel document is opened, it contains macros inside that install the GraveWire Trojan, used to obtain private information from infected devices.
In a tweet shared by Microsoft Security Intelligence, you can see how this CAPTCHA jumps, allowing malware not to be under the radar. In it we see Google’s reCAPTCHA accompanied by a supposed Cloudflare DDoS protection. These two services are actually separate and have nothing to do with each other, so either they are a totally invented system or the attackers have used them separately and put them together on the web.
Matter of ingenuity
In either case the result is the same: the victim naively fills in the CAPTCHA and the Excel file is downloaded with malware. A most ingenious technique to go unnoticed as an attacker. Of course, apparently it is not the first time it is used, in December last year a similar phishing system appeared in which it was asked to fill in a false Google CAPTCHA to pass the automation filters.
In the world of security it’s like the cat and mouse game, you always have to be changing techniques and methods to avoid getting caught (no matter how hard companies try with clever methods too). Malicious attack systems need to constantly reinvent themselves and find new ideas that have not yet been discovered by companies, antivirus or security experts. Having the victim complete CAPTCHAs is an example of this, but in a matter of weeks or months the attackers may have already abandoned it in favor of something even more ingenious.