Fake CAPTCHA Windows Stealthily Install LightPerlGirl Malware

A newly identified malware strain, dubbed LightPerlGirl, has emerged as a significant cybersecurity threat, leveraging deceptive fake CAPTCHA popups to infiltrate systems.

Named after its internal copyright signature “Copyright (c) LightPerlGirl 2025,” which includes Russian-language strings, this malware is propagated through a cunning social engineering tactic known as the ClickFix attack.

New Malware Campaign Exploits User Trust

According to the report, cybersecurity firm Todyl recently detected this campaign when anomalous PowerShell scripts were observed on a partner’s client device, revealing a complex, multi-stage infection process that bypasses traditional security measures.

The origin and full scope of this campaign remain unclear, but its sophisticated execution warrants urgent attention from IT professionals and end-users alike.

The attack begins when a user visits a compromised legitimate website, often a WordPress-based platform like a travel site, which serves malicious JavaScript disguised as a security verification from a trusted service such as Cloudflare.

This script triggers a fake CAPTCHA popup, tricking users into executing an obfuscated PowerShell command via the Windows Run dialog.

(Figure: pop-up CAPTCHA window)

Once executed, the command contacts a command-and-control (C2) server at “cmbkz8kz1000108k2carjewzf[.]info,” downloading a secondary PowerShell script that operates in memory.

This script, comprising functions like HelpIO, Urex, and ExWpL, is designed for stealth and persistence.

Todyl Uncovers Sophisticated Multi-Stage Attack Chain

HelpIO attempts to gain administrative privileges via a UAC prompt and adds a Windows Defender exclusion for “C:\Windows\Temp,” ensuring subsequent payloads dropped there evade detection.

Urex establishes persistence by downloading a batch file (“evr.bat”) saved as “LixPay.bat” in the excluded Temp folder and creates a shortcut in the user’s Startup directory for automatic execution on reboot.

Meanwhile, ExWpL employs fileless techniques: it decodes a base64-encoded .NET assembly, loads it into memory using System.Reflection.Assembly.Load(), and executes it without ever writing it to disk, a method that significantly hampers traditional file-based antivirus detection.

Post-exploitation, the malware maintains a persistent C2 connection through the batch file, allowing attackers to execute additional commands directly in memory.

(Figure: PowerShell command)

Todyl’s investigation, led by analysts Earnest V and David L, highlighted the absence of Endpoint Security on the affected device as a critical gap, since endpoint protection could have blocked the initial PowerShell script execution.

However, their MXDR team successfully isolated the host using Todyl SIEM and PowerShell Script Block logs.

The attack’s reliance on user interaction underscores the importance of awareness; Todyl strongly advises against trusting any CAPTCHA prompting command execution.

Deploying comprehensive Endpoint Security and utilizing provided Indicators of Compromise (IOCs) for threat hunting are critical steps to mitigate this risk.

Indicators of Compromise (IOCs)

Indicator Type | Value
File Path (Persistence) | $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\LixPay.url
File Path (Payload) | C:\Windows\Temp\LixPay.bat
Domain (C2 Server) | cmbkz8kz1000108k2carjewzf.info
IP Range (Suspicious) | 146.70.115.0/24, 91.92.46.0/24, 94.74.164.0/24
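The article notes that Todyl isolated the host using PowerShell Script Block logs and recommends hunting with the IOCs above. The following script, added here as an illustration and not part of Todyl’s tooling or the original report, shows how a defender can run those IOCs plus the behavioural stages described above (Defender exclusion for C:\Windows\Temp, the LixPay.bat payload, the Startup .url shortcut, base64-decoded Assembly.Load) over Script Block log text (Event ID 4104) and over observed network destinations. The log lines and host names are constructed for this example; the “isolate” threshold is an assumed triage policy, not something the article specifies.

```python
"""Hunt for LightPerlGirl / ClickFix indicators in PowerShell Script Block logs.

Added example for this article; not Todyl's code. Sample events are constructed.
"""
import ipaddress
import re

# IOCs taken directly from the article's table.
C2_DOMAIN = "cmbkz8kz1000108k2carjewzf.info"
SUSPICIOUS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("146.70.115.0/24", "91.92.46.0/24", "94.74.164.0/24")
]

# Behavioural patterns for each stage the article describes. Matching is
# case-insensitive because PowerShell cmdlets and paths are case-insensitive.
BEHAVIOUR_PATTERNS = {
    # HelpIO: Defender exclusion for the Temp folder used to stage payloads
    "defender_exclusion_temp": re.compile(
        r"Add-MpPreference\s+-ExclusionPath\s+.*Windows\\Temp", re.I),
    # Urex: batch payload dropped into the excluded folder
    "lixpay_bat": re.compile(r"LixPay\.bat", re.I),
    # Urex: .url shortcut in the user's Startup folder for reboot persistence
    "startup_url_shortcut": re.compile(
        r"Start Menu\\Programs\\Startup\\.*\.url", re.I),
    # ExWpL: in-memory .NET assembly decoded from base64
    "base64_decode": re.compile(r"FromBase64String\(", re.I),
    "fileless_assembly_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
    # Stage-1 command contacting the C2 domain
    "c2_domain": re.compile(re.escape(C2_DOMAIN), re.I),
}


def hunt_script_block(script_text):
    """Return the sorted names of every indicator found in one script block."""
    return sorted(name for name, pat in BEHAVIOUR_PATTERNS.items()
                  if pat.search(script_text))


def is_suspicious_ip(ip):
    """True if the address falls inside one of the article's suspicious ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPICIOUS_RANGES)


def triage(events):
    """Group indicator hits by host.

    events: iterable of dicts with 'host' and 'script' (4104 ScriptBlockText).
    Returns {host: sorted list of indicator names}; clean hosts are omitted.
    """
    findings = {}
    for ev in events:
        hits = hunt_script_block(ev["script"])
        if hits:
            findings.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(hits) for host, hits in findings.items()}


def recommend(hits):
    """Assumed triage policy: one hit is reviewed, two or more stages observed
    on the same host is treated as an active infection and the host isolated."""
    return "isolate" if len(hits) >= 2 else "review"


# Constructed sample 4104 script blocks; WS-01 is benign, WS-02 shows the chain.
SAMPLE_EVENTS = [
    {"host": "WS-01", "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"host": "WS-02", "script":
        r'Start-Process powershell -Verb RunAs; Add-MpPreference -ExclusionPath "C:\Windows\Temp"'},
    {"host": "WS-02", "script":
        '$b=[Convert]::FromBase64String($p); [System.Reflection.Assembly]::Load($b)'},
    {"host": "WS-02", "script":
        r'$c2="cmbkz8kz1000108k2carjewzf.info"; Copy-Item evr.bat "C:\Windows\Temp\LixPay.bat"'},
    {"host": "WS-02", "script":
        r'$lnk="$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\LixPay.url"'},
]


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {recommend(hits)} ({', '.join(hits)})")
    for ip in ("146.70.115.42", "8.8.8.8"):
        print(f"{ip}: {'suspicious' if is_suspicious_ip(ip) else 'not in IOC ranges'}")
```

Feed real Script Block log text (the ScriptBlockText field of Event ID 4104) into `triage` and network connection logs into `is_suspicious_ip`; any host showing more than one stage warrants the same isolate-and-investigate response Todyl describes.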
