New Campaign Uses Clever 'Captcha' Trick to Make Victims Download Trojan

New Campaign Uses Clever ‘Captcha’ Trick to Make Victims Download Trojan

Researchers warn about a new malware campaign that uses a captcha to trick users into downloading the Gozi banking trojan.

MalwareHunterTeam discovered that an attacker could easily start a download of a malicious file by luring a victim with an embedded video. The YouTube video deals with a controversial topic of violence in a New Jersey women’s prison that many people will find interesting.

When clicking the play button on the video, the browser will offer to download a file named console-play.exe. This file is an executable that contains a virus. The site then displays a fake reCaptcha image, while the site will display a fake reCaptcha prompt.

Since it is a .exe file, Google Chrome automatically warns that the file may be dangerous and asks whether the user wants to ‘Keep’ or ‘Discard’ it.

The threat actors are trying to bypass the warning by displaying a fake reCaptcha image. They then ask the user to press the following buttons on their keyboard:

Clever 'Captcha' Trick to Make Victims Download Trojan

This fake captcha prompt works by tricking a user into unwittingly downloading a potentially harmful file. While pressing the Tab key, it will make the browser focus on the ‘Keep’ button, and then clicking the ‘Enter’ key will start the download.

The video will automatically play after a certain amount of time, so that not to make raise suspicions in the victim.

Some users will run the executable. And when they do, it will create a folder under %AppData%\Bouncy for .NET Helper. Except for the malicious file BouncyDotNet.exe, all other files are only decoys.

The BouncyDotNet.exe program will read the Windows Registry strings and launch PowerShell commands. It will then compile a .NET application using the built-in CSC.exe compiler that launches a DLL for the Ursnif banking trojan.

Gozi is a type of malware that enables attackers to steal account credentials and execute remote commands on a compromised computer.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.