Heads up, Microsoft users! A new malware campaign in the wild abuses Microsoft Excel, and it requires the victim to solve a CAPTCHA before the malware is even delivered.
Microsoft Excel Malware Campaign
The Microsoft Security Intelligence team has found an Excel malware campaign with an unusual delivery chain. The campaign requires the target user to solve a CAPTCHA before the malicious file is served.
Sharing the details in a series of tweets, the MSI team explained that CHIMBORAZO is actively running a phishing campaign. This is the same group behind the Dudear campaigns, which dropped the info-stealing Trojan GraceWire.
The attack begins with phishing emails that carry the phishing link either in the message text or inside an HTML attachment, where it is embedded in a malicious iframe tag.
Up to this point it looks like any other phishing attack; the next step is what makes it unique.
Clicking the malicious link redirects the victim to a web page impersonating the Cloudflare DDoS protection page, which requires the user to solve a Google reCAPTCHA.
CHIMBORAZO, the group behind Dudear campaigns that deploy the info-stealing Trojan GraceWire, evolved their methods once again in constant pursuit of detection evasion. The group is now using websites with CAPTCHA to avoid automated analysis.
— Microsoft Security Intelligence (@MsftSecIntel) June 17, 2020
Solving the CAPTCHA downloads a malicious Excel file; enabling macros in that file downloads the final payload, the info-stealing GraceWire Trojan. This final stage is what ties the campaign to Dudear.
We started observing these campaigns in early June, but we saw them surge this week. The emails contain either a link to a redirector site (typically a compromised website) or an HTML attachment with a malicious URL in iframe. Both methods lead to the website with CAPTCHA.
— Microsoft Security Intelligence (@MsftSecIntel) June 17, 2020
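The two artifacts in the chain above that a mail gateway or sandbox can inspect before any human solves the CAPTCHA are the HTML attachment (an iframe pointing at a remote URL) and the downloaded workbook (a VBA project inside the OOXML zip). The triage below is an added example, not Microsoft's or the article's code; the HTML attachment and the workbook are constructed in memory, and the hostname `redirector.example` is a placeholder rather than an indicator from the campaign.

```python
"""Triage checks for the two delivery artifacts described in the article.

Added example, not Microsoft's or the article's code. The sample HTML
attachment and the in-memory .xlsm are constructed here; the hostname
'redirector.example' is a placeholder, not an indicator from the campaign.
"""
import io
import re
import zipfile

# Constructed sample: an HTML attachment whose only content is a hidden iframe.
SAMPLE_HTML_ATTACHMENT = """<html><body>
<iframe src="http://redirector.example/verify" width="0" height="0"></iframe>
</body></html>"""

IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def external_iframe_urls(html: str) -> list[str]:
    """Return iframe src values that point at a remote http/https host."""
    urls = IFRAME_SRC.findall(html)
    return [u for u in urls if u.lower().startswith(("http://", "https://"))]


def build_sample_xlsm(with_macro: bool) -> bytes:
    """Constructed stand-in for a downloaded workbook (OOXML is a zip container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real macro projects live in this part; the bytes here are a placeholder.
            z.writestr("xl/vbaProject.bin", b"\x00constructed\x00")
    return buf.getvalue()


def has_vba_project(workbook: bytes) -> bool:
    """True when the workbook carries a VBA project part, i.e. macros are present."""
    try:
        with zipfile.ZipFile(io.BytesIO(workbook)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(html_attachment: str, workbook: bytes) -> dict:
    """Flag both stages that automated analysis can still check despite the CAPTCHA."""
    return {
        "iframe_urls": external_iframe_urls(html_attachment),
        "workbook_has_macros": has_vba_project(workbook),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTML_ATTACHMENT, build_sample_xlsm(True)))
```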
Malware Capable of Evading Detection
According to the Microsoft Security Intelligence team, the additional step of requiring the victim to solve a CAPTCHA appears to be an attempt to evade security checks. By requiring human interaction, the attack sidesteps automated analysis systems that would otherwise detect the malicious file.
Staying under the radar also helps the threat actors keep the campaign running for longer.
However, the MSI team confirmed in a tweet that Microsoft products detect the threat.
Microsoft researchers continue to monitor CHIMBORAZO, its activities, and evolving methods. Microsoft Threat Protection provides coordinated defense against these evasive campaigns: Office 365 ATP detects malicious URLs in emails, Microsoft Defender ATP blocks files on endpoints.
— Microsoft Security Intelligence (@MsftSecIntel) June 17, 2020
Nonetheless, users should remain careful when downloading files from emails, and should be vigilant before enabling editing (and macros) for MS Office files, which Office keeps protected by default.
As for the fake Cloudflare page, the CAPTCHA itself is the giveaway: as we reported earlier, Cloudflare no longer uses reCAPTCHA and has switched to hCaptcha.