CAPTCHA-ring Targets

What’s going on?

• An attack was recently discovered by Microsoft that distributed malicious Excel documents on a site that required users to complete a CAPTCHA. The Excel file contained macros that were designed to install the GraceWire trojan.
• The campaign, named Dudear (also known as (TA505/SectorJ04/Evil Corp), has been associated with the Chimborazo group.
• In January this year, the group was found to leverage the IUP traceback service to track the IP addresses of machines downloading the Excel file.

How does this work?

• When the HTML attachment containing an iframe tag is clicked, the victims are directed to a site where they download the malicious file, but only after completion of the CAPTCHA.
• The successful completion of CAPTCHA indicates that analysis will only be conducted when a human downloads the sample.
• With no automation, the malicious file can stay under the radar easily. 

More about the threat actors

• TA505 is also the threat actor behind the Locky ransomware and has been using COVID-19 lures to deliver downloaders to the victims’ systems.
• Last year, the group was spotted using legitimately signed certificates to disguise malware that can infiltrate banking networks.
• Dudear has conducted operations in North and South America, Africa, and Asia to target banking customers.
• Apart from GraceWire, the group also uses FlawedAmmy RAT.