Threat Intelligence

Russian hackers use fake CAPTCHA to infect Ukrainian targets

Binary code on flag of Russia. Program source code or Hacker concept on Russian flag. Russia digital technology security, hacking or programming

Russian military intelligence hackers have begun using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into infecting their own computers, researchers have found. Ukraine's computer emergency response team (CERT-UA) observed a shift this spring and summer in how the Kremlin-backed hacking group Sandworm gains initial access to the systems of Ukrainian targets, with further coverage provided by The Record.

The Sandworm group, linked to Russia's GRU, is employing the social engineering technique called ClickFix. Victims visiting compromised websites are presented with a fake CAPTCHA security check and instructed to copy and paste a PowerShell command into their Windows computers. This command downloads malware, such as GhettoVibe, which allows hackers to maintain access and deploy further malicious tools. Reconnaissance tools like ScoutCurl and malware loaders like FluidLeech and LoadLoop have also been observed. CERT-UA noted this technique on over a dozen compromised websites in June and July.

Sandworm continues to use other methods, including targeting Android devices with malware disguised as security apps distributed via messaging apps, and distributing backdoored Windows and Office installers through torrent sites. In one instance, this led to a destructive cyberattack on a Ukrainian government network. The group also targets victims through Signal, building trust before asking them to run malicious files, sometimes offering payment.

Source: The Record

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds