We all are familiar with CAPTCHAs - the annoying squiggly letters or muffled sounds - used by websites to filter out bots. However, these tests are now likely to be used to target people in sophisticated cyberattacks.
What’s going on?
- An attack was recently discovered by Microsoft that distributed malicious Excel documents on a site that required users to complete a CAPTCHA. The Excel file contained macros that were designed to install the GraceWire trojan.
- The campaign, named Dudear (also known as (TA505/SectorJ04/Evil Corp), has been associated with the Chimborazo group.
- In January this year, the group was found to leverage the IUP traceback service to track the IP addresses of machines downloading the Excel file.
How does this work?
- When the HTML attachment containing an iframe tag is clicked, the victims are directed to a site where they download the malicious file, but only after completion of the CAPTCHA.
- The successful completion of CAPTCHA indicates that analysis will only be conducted when a human downloads the sample.
- With no automation, the malicious file can stay under the radar easily.
More about the threat actors
TA505 is a Russian threat actor, active since 2014. Some of its most notable attacks include:
- TA505 is also the threat actor behind the Locky ransomware and has been using COVID-19 lures to deliver downloaders to the victims’ systems.
- Last year, the group was spotted using legitimately signed certificates to disguise malware that can infiltrate banking networks.
- Dudear has conducted operations in North and South America, Africa, and Asia to target banking customers.
- Apart from GraceWire, the group also uses FlawedAmmy RAT.
The bottom line is that attackers stay ahead of the defenders by regularly upgrading their TTPs. This results in the creation of a circle of back and forth processes, requiring constant attention. It is expected that more threat actors will change their strategies in the near future to further propagate their campaigns.