Cyber Alert
We are all familiar with CAPTCHAs: the annoying squiggly letters or muffled sounds that websites use to stop robots or bots. However, these same CAPTCHAs are now being used to target people in sophisticated cyberattacks.
What’s going on?
- Microsoft recently found an attack that distributed malicious Excel documents from a site that required users to complete a CAPTCHA before downloading. The Excel files contain macros designed to install the GraceWire trojan.
- The campaign, named Dudear (also known as TA505/SectorJ04/Evil Corp), has been associated with the Chimborazo group.
- In January this year, the group was found to be leveraging an IP traceback service to track the IP addresses of machines downloading the Excel file.
How does this work?
- When the victim opens the HTML attachment, which contains an iframe tag, they are redirected to a site where the malicious file is downloaded, but only after the CAPTCHA has been completed.
- Because only a human can complete the CAPTCHA, the sample is downloaded, and therefore analysed, only when a person retrieves it rather than an automated system.
- With automated analysis blocked in this way, the malicious file can easily stay under the radar.
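The delivery chain above still leaves two artefacts that a mail gateway or analyst can inspect without ever solving the CAPTCHA: the HTML attachment that frames the download site, and the Excel file that carries the macro. The following Python script is an added example, not code from the original alert or from Microsoft; it flags HTML attachments whose iframe loads an external host and Excel workbooks that contain a VBA project. The sample HTML, the hostname example.invalid and the placeholder archive are constructed for the demonstration.

```python
"""Attachment triage for the CAPTCHA-gated delivery chain (added example).

Two checks that do not depend on reaching the download site:
  1. an HTML attachment whose <iframe> pulls content from a remote host;
  2. an OOXML workbook that ships a VBA macro project (xl/vbaProject.bin).
All sample inputs below are constructed for the demo.
"""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML "attachment" that silently frames an external page.
SAMPLE_HTML = b"""<html><body>
<p>Please review the attached invoice.</p>
<iframe src="https://example.invalid/download" width="0" height="0"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_iframe_hosts(html_bytes: bytes) -> list[str]:
    """Return the hostnames of iframes whose src points at a remote http(s) host."""
    parser = IframeCollector()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    hosts = []
    for src in parser.sources:
        parsed = urlparse(src)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


def has_vba_project(xlsx_bytes: bytes) -> bool:
    """OOXML workbooks are zip archives; a macro-enabled one carries xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
            return any(name.lower() == "xl/vbaproject.bin" for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed, minimal OOXML-shaped archive for the demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list if clean)."""
    findings = []
    lower = filename.lower()
    if lower.endswith((".html", ".htm")):
        for host in external_iframe_hosts(data):
            findings.append(f"{filename}: iframe loads external host {host}")
    elif lower.endswith((".xlsx", ".xlsm", ".xls")):
        if has_vba_project(data):
            findings.append(f"{filename}: workbook contains VBA macro project")
    return findings


if __name__ == "__main__":
    samples = [
        ("invoice.html", SAMPLE_HTML),
        ("report.xlsm", build_sample_workbook(True)),
        ("clean.xlsx", build_sample_workbook(False)),
    ]
    for name, blob in samples:
        for line in triage(name, blob) or [f"{name}: no findings"]:
            print(line)
```

The iframe check deliberately ignores relative and `javascript:` sources, since the point of this chain is a hand-off to a remote download site; the workbook check looks only at archive structure, so it works even when the macro itself is obfuscated.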
More about the Threat actors
TA505 is a Russian threat actor, active since 2014. Some of its most notable attacks include:
- TA505 is also the threat actor behind the Locky ransomware and has been using COVID-19 lures to deliver downloaders to the victims’ systems.
- Last year, the group was spotted using legitimately signed certificates to disguise malware that can infiltrate banking networks.
- Dudear has conducted operations in North and South America, Africa, and Asia to target banking customers.
- Apart from GraceWire, the group also uses the FlawedAmmyy RAT.
Attackers stay ahead of defenders by regularly upgrading their tactics, techniques and procedures (TTPs). This creates a continual back-and-forth between attackers and defenders that requires constant attention, and more threat actors are expected to change their strategies in the near future to further propagate their campaigns.
Our Thought:
Hackers are not your family members, so be careful of hackers.
- Gyanesh Maurya