Cereal attacks: CAPTCHAGEDDON
- eduwoldhuis
- Sep 5
- 2 min read
Introduction

Many major threat actors have been using fake CAPTCHA pages to trick users into running malicious commands directly on their systems, presented as a step the user must complete to prove their identity.
This type of attack, called ClickFix, is very versatile because the payload can be changed on the fly, which makes it a massive global threat; Guardio dubbed the campaign CAPTCHAgeddon.
After the foothold is gained, a complex chain of commands is executed, resulting in access-as-a-service for threat actors.
Practical
UNC5518 is one of the major threat actors tracked by Google, so their modus operandi is generally known.
First, they will use SEO poisoning or advertisements to get their malicious website to the top of the search results.
Secondly, the user will be tricked into running a PowerShell payload, which executes a dropper payload fetched from a remote server and grants UNC5518 access to the system.
From this point, UNC5774 takes over using the CORNFLAKE V3 malware.
This is an updated version of the CORNFLAKE malware, with some notable changes from V2. The most important change is that this version adds persistence through registry keys and functions as a backdoor instead of only as a downloader. It communicates with the C2 server over XOR-encoded HTTP and supports 5 types of payloads.
All in all, it's a sophisticated setup, but it can absolutely be detected.
Defending
UNC5518 - ClickFix
Because this is a social engineering attack, it's nigh impossible to prevent completely, but there are a few steps that minimize the chances of an incident.
The best approach for this specific hack is to disable the Windows Run dialog wherever possible.
The most important part is the human factor: if users learn to recognize that this is a virus and not a real CAPTCHA, they won't run it. Blocking suspicious websites will also massively reduce risk, because these prompts usually show up on malicious or hacked websites. Lastly, it's always a good idea to implement the principle of least privilege: when a user gets compromised, the impact should be minimized, preventing a major breach.
UNC5774 - Cornflake

This attack is not very hard to defend against once its behaviour is known.
First, Node.js is downloaded and written to Downloaded.zip in the user's TEMP directory. The archive is then unzipped and node.exe is run with a base64-encoded CORNFLAKE V3 payload.
UNC5774 will create persistence with a registry Run key value called ChromeUpdater under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It will also do Active Directory reconnaissance, running these commands among others:
whoami /all
nltest /domain_trusts
nltest /dclist
setspn -T <UserDomain> -Q */*
These commands check user permissions, list domain trusts, list domain controllers, and show SPNs starting with CN=Users.
After this, it will attempt Kerberoasting.
With all of these behaviours, it's easy to write a few rules in YARA or KQL to trace this activity back and stop the attack in its tracks.
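As an added example (not part of the original post, and not detection content published by Google or Guardio), the Python below turns the three behaviours described above into a small triage over constructed Sysmon-style events; the event field names, the sample command lines and the base64 blob are assumptions made for the demo, not captured telemetry.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set). Field names and values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "powershell.exe", "image": r"C:\Users\u\AppData\Local\Temp\node.exe",
     "cmd": "node.exe -e \"eval(Buffer.from('Q09OU1RSVUNURUQ=','base64').toString())\""},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "details": r"C:\Users\u\AppData\Local\Temp\node.exe"},
    {"id": 1, "parent": "node.exe", "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all"},
    {"id": 1, "parent": "node.exe", "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /domain_trusts"},
    {"id": 1, "parent": "node.exe", "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist"},
    {"id": 1, "parent": "node.exe", "image": r"C:\Windows\System32\setspn.exe", "cmd": "setspn -T CORP -Q */*"},
    # Benign developer activity: node.exe from its install path, started from the shell.
    {"id": 1, "parent": "explorer.exe", "image": r"C:\Program Files\nodejs\node.exe", "cmd": "node.exe server.js"},
]

# The four recon commands listed in the post; setspn may carry any domain name.
RECON = [re.compile(p, re.I) for p in (
    r"^whoami(\.exe)?\s+/all", r"^nltest(\.exe)?\s+/domain_trusts",
    r"^nltest(\.exe)?\s+/dclist", r"^setspn(\.exe)?\s+-T\s+\S+\s+-Q\s+\*/\*")]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\ChromeUpdater$", re.I)

def is_temp_node(ev):
    """Stage 1: node.exe executing out of a Temp directory, or fed a base64 blob."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\node.exe"):
        return False
    return "\\temp\\" in ev["image"].lower() or "base64" in ev["cmd"].lower()

def is_run_key(ev):
    """Stage 2: the ChromeUpdater value being written under the HKCU Run key."""
    return ev["id"] == 13 and bool(RUN_KEY.search(ev["target"]))

def is_node_recon(ev):
    """Stage 3: one of the AD recon commands, spawned directly by node.exe."""
    if ev["id"] != 1 or ev["parent"].lower() != "node.exe":
        return False
    return any(p.search(ev["cmd"].strip()) for p in RECON)

def triage(events):
    """Count hits per stage; 'chain' fires only when all three stages line up."""
    stages = {"temp_node": sum(map(is_temp_node, events)),
              "run_key": sum(map(is_run_key, events)),
              "node_recon": sum(map(is_node_recon, events))}
    stages["chain"] = stages["temp_node"] > 0 and stages["run_key"] > 0 and stages["node_recon"] >= 2
    return stages

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring all three stages keeps a lone developer's node.exe or a single nltest call from paging anyone; the same per-stage conditions translate directly into KQL joins on process and registry tables.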
Conclusion
All in all, while this attack can be mitigated without much trouble, these kinds of attackers have been showing up more often over the past few years, and social engineering attacks are becoming more sophisticated and widespread.
