SoylentNews is people

posted by chromas on Monday June 22 2020, @05:41PM
from the ☑-I'm-not-a-robot dept.

To evade detection, hackers are requiring targets to complete CAPTCHAs:

CAPTCHAs, those puzzles with muffled sounds or blurred or squiggly letters that websites use to filter out bots (often unsuccessfully), have been annoying end users for more than a decade. Now, the challenge-and-response tests are likely to vex targets in malware attacks.

Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys. The Excel file contains macros that, when enabled, install GraceWire, a trojan that steals sensitive information such as passwords. The attacks are the work of a group Microsoft calls Chimborazo, which company researchers have been tracking since at least January.

Previously, Microsoft observed Chimborazo distributing the Excel file in attachments included in phishing messages and later spreading through embedded Web links. In recent weeks, the group has begun sending phishing emails that change things up again. In some cases, the phishes include links that lead to redirector sites (usually legitimate sites that have been compromised). In other cases, the emails have an HTML attachment that contains a malicious iframe tag.

Either way, clicking on the link or attachment leads to a site where targets download the malicious file, but only after completing the CAPTCHA (which is short for completely automated public Turing test to tell computers and humans apart). The purpose: to thwart automated analysis defenders use to detect and block attacks and get attack campaigns shut down. Typically the analysis is performed by what are essentially bots that download malware samples and run and analyze them in virtual machines.

Requiring the successful completion of a CAPTCHA means analysis will only happen when a live human being downloads the sample. Without the automation, the chances of the malicious file flying under the radar are much better. Microsoft has dubbed Chimborazo’s ongoing attack campaign Dudear.
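The article describes two delivery patterns: a "download" URL that answers with a CAPTCHA page instead of the document, and an HTML attachment carrying an iframe that points off-host. The triage heuristic below is an added example, not code from the article or from Microsoft; the CAPTCHA marker strings, the content-type list and the sample pages are constructed assumptions, so a sandbox or mail gateway would tune them to what it actually sees.

```python
"""Flag CAPTCHA-gated download responses and external iframes in HTML attachments."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers of common CAPTCHA widgets (assumed list; extend as needed).
CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "cf-challenge", "i'm not a robot")
# Content types a sandbox expects when fetching a spreadsheet lure (assumed list).
DOCUMENT_TYPES = (
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/octet-stream",
)


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_iframes(html, own_host=None):
    """Return iframe src URLs that point at another host (any absolute host if own_host is None)."""
    parser = _IframeCollector()
    parser.feed(html)
    return [s for s in parser.srcs
            if urlparse(s).netloc and urlparse(s).netloc != own_host]


def classify_download(content_type, body):
    """Classify what a download URL actually returned.

    'document'      - a document-typed body, as expected
    'captcha_gated' - HTML with a CAPTCHA widget where the document should be
    'html'          - some other HTML page (redirector, error page)
    'other'         - anything else
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in DOCUMENT_TYPES:
        return "document"
    if media_type == "text/html":
        lowered = body.lower()
        return "captcha_gated" if any(m in lowered for m in CAPTCHA_MARKERS) else "html"
    return "other"


# Constructed samples standing in for a gated landing page and an HTML attachment.
GATED_PAGE = '<html><body><form><div class="g-recaptcha" data-sitekey="x"></div></form></body></html>'
ATTACHMENT = '<html><body><iframe src="https://example.invalid/doc" width="0"></iframe></body></html>'
```

A response classified as `captcha_gated` is the case the article describes: the sample cannot be fetched by automation, so the URL should be routed to a human analyst rather than dropped as benign.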


  • (Score: 2) by maxwell demon (1608) on Monday June 22 2020, @09:57PM (#1011259) (4 children)

    Anyone remember shell archives? Those were archives in the form of shell scripts that would write the archived files when executed. Well, I'd say they deserved to fall out of use.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Thexalon (636) on Tuesday June 23 2020, @12:41AM (#1011351) (3 children)

    I believe the tools for SHAR are still around, for anyone who actually wants them.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Tuesday June 23 2020, @01:17AM (#1011364) (2 children)

      IIRC, a variety of software still uses shell archives (or at least scripts) to install itself.

      The Oracle JDK used to download as a shell archive not so long ago. And a few times in recent memory I've seen installation instructions like 'wget $INSTALLMYCODEURL | /bin/bash'.

      I wonder how many people would just copypasta something like that?

      I downloaded the shell scripts in question and they weren't shell archives, they just downloaded the code instead of storing it in the shell script.

      Same idea.

      • (Score: 4, Informative) by Thexalon (636) on Tuesday June 23 2020, @01:28AM (#1011367) (1 child)

        Following those instructions is a security risk, so yeah, don't do it. Precisely one of the points I was getting at with the post that started this thread.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 0) by Anonymous Coward on Tuesday June 23 2020, @06:53AM (#1011455)

          > Following those instructions is a security risk, so yeah, don't do it. Precisely one of the points I was getting at with the post that started this thread.

          Of course it's a bad idea. Where did you get the idea I would do (or recommend) something like that?

          Perhaps I should have just said: 'While shell archives and/or install scripts as downloads deserved to have fallen out of use, sadly they have not.'

          Instead of providing recent examples. My bad.