Hackers use fake captcha to bypass browser warnings

Hackers use fake captcha
Written by Emma Davis

The researcher noticed that hackers are using a fake captcha to force users to bypass browser warnings and download the banking Trojan Gozi (aka Ursnif).

The problem was discovered by information security researcher MalwareHunterTeam, who shared his findings with Bleeping Computer journalists.

It all started when an expert found a suspicious URL on the Internet, where, when trying to watch an embedded YouTube video about a women’s prison in New Jersey, the file console-play.exe was downloaded, and the site displayed a fake version of reCaptcha on the screen.

Hackers use fake captcha
Since the file is executable, Google Chrome automatically warns that the file may be malicious and asks if the user wants to “Save” it or “Cancel” the download. To bypass this warning, attackers show the victim a fake reCAPTCHA, where the user is asked to press the B, S, Tab, A, F, and Enter keys on the keyboard, as shown in the screenshot below.

Hackers use fake captcha
If nothing happens when you press the “B”, “S”, “A” and “F” keys, then pressing “Tab” will move the focus to the “Save” button, and then pressing the “Enter” key will work as a click on this button, forcing the browser to download and save the file to your computer.

Moreover, the video will eventually start playing automatically, that is, the user will decide that he entered the captcha successfully.

As you can see, this fake captcha prompt is a clever way to trick a user into downloading a malicious file that the browser is warning could be malicious.tells the reseacher.

If the victim launches the mentioned executable file, it will create a folder in% AppData%\Bouncy for .NET Helper and install many files into it. All of these files are fake, with the exception of the executable file BouncyDotNet.exe.

Hackers use fake captcha
BouncyDotNet.exe will read various lines from the Windows registry used to run PowerShell commands. These commands will eventually compile the .NET application using the built-in compiler CSC.exe, which will run the Ursnif banking trojan DLL.

Once launched, the Gozi banker will steal the victim’s credentials, download additional malware to the computer, and execute any commands sent to it by remote attackers.

By the way, we recently reported that One of the developers of Gozi malware was arrested in Colombia, but the spread of malware did not stop it.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.