SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

HP warns of rising threats from fake CAPTCHA malware

Today

Researchers at HP have identified a concerning trend where fake CAPTCHA challenges are being used by attackers to infect users with malware.

The report from HP indicates that, as individuals become more accustomed to complex verification processes online, attackers are exploiting this increased "click tolerance" to install Remote Access Trojans (RATs). Among the threats identified in the report is the use of Python scripts for SVG smuggling, as well as malware that can potentially grant attackers control over victims' webcams and microphones.

HP's latest Threat Insights Report, produced by HP Wolf Security researchers, highlights campaigns using fake CAPTCHA tests to deceive users into inadvertently installing malware on their systems. This exploitation of increased click tolerance is a growing concern as users continue to accept additional steps as a normal part of online authentication processes.

The report is based on an extensive analysis of real-world cyberattacks, gathering data from millions of endpoints secured by HP Wolf Security. It sheds light on various campaigns where attackers direct users to malicious CAPTCHA challenges, which then prompt them to execute harmful PowerShell commands, ultimately leading to the installation of the Lumma Stealer RAT.

Another campaign highlighted in the report involves the use of XenoRAT, an open-source RAT with capabilities for capturing microphone and webcam activity. Attackers leverage social engineering to persuade users to enable macros in documents, allowing them to control the devices, steal data, and log keystrokes. This shows that Word and Excel documents continue to pose a risk for malware deployment.

HP also detailed a campaign using SVG smuggling, wherein malicious JavaScript is embedded within Scalable Vector Graphic images. These images, when opened in web browsers, execute embedded code to deliver multiple payloads, including RATs and information stealers. Obfuscated Python scripts are also utilised in this chain to install malware, capitalising on Python's growing popularity, further driven by increasing interest in artificial intelligence and data science.
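SVG smuggling works because an SVG file is XML that a browser will render as a document, so `<script>` elements, `on*` event handlers and `javascript:` links inside it run when the file is opened directly (they do not run when the SVG is merely displayed through an `<img>` tag). The following check, added here as a defensive illustration and not code from HP's report, flags those script-capable constructs in an SVG attachment; the two sample files are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: an ordinary, script-free SVG image.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="blue"/></svg>'
)

# Constructed sample: the shapes an SVG-smuggling file relies on
# (the script body is a harmless placeholder, not a real payload).
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    '<script>/* placeholder */ var x = 1;</script>'
    '<a href="javascript:void(0)"><text>click</text></a></svg>'
)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.split("}")[-1].lower()


def find_active_content(svg_text: str) -> List[str]:
    """Return one finding per script-capable construct in an SVG document.

    An empty list means nothing in the file can execute when it is opened
    in a browser; any finding is a reason to block or sandbox the file.
    """
    findings: List[str] = []
    # Note: for untrusted input in production, parse with defusedxml to
    # avoid entity-expansion attacks; the standard parser is used here.
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(
                ("javascript:", "data:")
            ):
                findings.append(f"href with {value.split(':')[0]}: scheme on <{tag}>")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Convenience wrapper for a mail-gateway or EDR style allow/deny decision."""
    return bool(find_active_content(svg_text))
```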

Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab, stated: "A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations. Even simple but effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods like direct system calls, attackers make it tougher for security tools to catch malicious activity, giving them more time to operate undetected – and compromise victims' endpoints."

The report also highlights HP Wolf Security's success in employing its security technology to isolate threats that evade detection tools, allowing malware to be studied safely within secure environments. So far, HP Wolf Security clients have engaged with over 65 billion files and web pages without breaches reported.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, remarked: "Multi-step authentication is now the norm, which is increasing our 'click tolerance.' The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training. Organizations are in an arms race with attackers—one that AI will only accelerate. To combat increasingly unpredictable threats, organizations should focus on shrinking their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don't need to predict the next attack; they're already protected."

This data was compiled from HP Wolf Security clients from October to December 2024, providing insights into evolving cyber threats and strategies for resilience against them.
