In two September 2024 engagements, Secureworks® incident responders identified users being directed to malicious websites after searching Google for video streaming services. One victim browsed for websites to watch sports, and the other searched for a movie. In both incidents, the victim was redirected to a malicious URL that prompted them to verify they were human by completing the actions shown in Figure 1. Pressing the Windows button + R opens the Run menu, CTRL + V pastes an encoded PowerShell command generated when the victim opens the malicious URL, and Enter runs the command.
Figure 1. Fraudulent human verification steps. (Source: Secureworks)
The PowerShell execution (see Figure 2) delivers malware via a ZIP archive file that is extracted to \AppData\Local\Temp\file\Setup.exe on the victim's system. This executable is run on the host, followed by tools such as a renamed BitTorrent tool (StrCmp.exe) and a Windows utility (Search Indexer). Secureworks Counter Threat Unit™ (CTU) researchers identified additional incidents that deployed infostealers such as Vidar and StealC.
Figure 2. Encoded PowerShell command execution. (Source: Secureworks)
This novel attack vector poses significant risk, as it circumvents browser security controls by opening a command prompt. The victim is then directed to execute unauthorized code directly on their host.
Following this analysis, CTU™ researchers identified instances where controls mitigated similar attacks in the Middle East and Australia, highlighting the global nature of this campaign. Multiple third-party reports describe similar activity. Orange Cyberdefense encountered campaigns in France in May and June 2024. In September, GitHub-themed phishing messages reportedly directed victims to a site that used the fake verification to deploy the LummaC2 infostealer.
In 2023, CTU researchers warned about the growing threat from infostealers. Threat actors regularly use infostealers to obtain credentials for a wide range of online services and corporate networks. The criminals then sell this access in underground marketplaces or use the access to conduct attacks such as phishing hotel customers. CTU analysis of underground activity related to the September 2024 incident response engagements revealed that credentials collected from victims of the fake human verification prompt were published to Russian Market within days of collection.
CTU researchers recommend that organizations implement policies restricting employees from using corporate systems to browse for streaming services or risky content. Organizations should also conduct regular social engineering training that incorporates up-to-date threat intelligence on the latest techniques. Using web proxies to limit access to potentially malicious web pages could mitigate this threat.
To mitigate exposure to this malware, CTU researchers recommend that customers use available controls to review and restrict access using the indicators listed in Table 1. The URLs may contain malicious content, so consider the risks before opening them in a browser.
Indicator | Type | Context |
---|---|---|
https://pcheck9.b-cdn.net/prop9.html | URL | Hosting fraudulent human verification web page |
https://secure-bot15.b-cdn.net/tera32.html | URL | Hosting fraudulent human verification web page |
https://report1.b-cdn.net/tra17 | URL | Delivers malware in campaign using fraudulent human verification |
https://newvideozones.click/veri.html | URL | Redirects to fraudulent human verification web page |
https://yip.su/25yX94 | URL | Delivers malware in campaign using fraudulent human verification |
https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/peltgon.zip | URL | Delivers malware in campaign using fraudulent human verification |
Table 1. Indicators for this threat.
Read more about infostealers and other threats in the 2023 State of the Threat report. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.