Heads up Microsoft users! A new malware campaign is in the wild that exploits Microsoft Excel. It also requires the victim to solve a CAPTCHA for the malware to execute.
Microsoft Excel Malware Campaign
The Microsoft Security Intelligence team has found an Excel malware campaign with an unusual execution chain. The campaign even requires the target user to solve a CAPTCHA before the malware runs.
Sharing the details in a series of tweets, the MSI team explained that the group CHIMBORAZO is actively running a phishing campaign. This is the same group that ran the Dudear campaigns, which dropped the info-stealing Trojan GraceWire.
The attack begins with phishing emails that carry the phishing link either as part of the message text or inside an HTML attachment, where the link is embedded in a malicious iframe tag.
Up to this point, it looks like any other phishing attack. The next step is what makes it unique.
Clicking the malicious link redirects the victim to a web page impersonating the Cloudflare DDoS protection page, which requires the user to solve a Google reCAPTCHA.
Solving the CAPTCHA downloads a malicious Excel file; enabling macros in that file then downloads the final payload, the info-stealing GraceWire Trojan. This is what makes the campaign similar to Dudear.
Malware Capable To Evade Detection
According to the Microsoft Security Intelligence team, the additional step of making the victim solve a CAPTCHA appears to be an attempt to evade security checks. By requiring human interaction, the attack sidesteps automated analysis systems that would otherwise fetch and detect the malicious file.
Staying under the radar in this way would also help the threat actors keep the campaign running for longer.
The MSI team has, however, confirmed in its tweet that Microsoft products can detect the threat.
Nonetheless, users should remain very careful when downloading files from emails. Likewise, they should be vigilant when enabling editing for MS Office files, which MS Office otherwise opens in a protected mode by default.
As for the fake Cloudflare phishing page, the key to spotting such a page is the CAPTCHA itself. As we reported earlier, Cloudflare no longer uses reCAPTCHA; it uses hCaptcha instead.
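A defensive check built on the two tells described above (an HTML attachment that loads an external iframe, and a "Cloudflare" page that uses Google reCAPTCHA rather than hCaptcha), written as an added example that is not part of the original article or of any Microsoft tooling; the phrase lists, the scan_html function and the sample HTML are assumptions constructed for illustration:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical heuristics (added example): (a) flag HTML attachments that load an external
# iframe, (b) flag a page that uses Cloudflare wording together with Google reCAPTCHA,
# since Cloudflare's real challenge page uses hCaptcha.
CLOUDFLARE_PHRASES = ("cloudflare", "ddos protection", "checking your browser")
RECAPTCHA_MARKERS = ("google.com/recaptcha", "g-recaptcha")

class _Scanner(HTMLParser):
    """Collects iframe/script sources, class attributes and visible text."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.script_srcs, self.classes, self.text = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        if a.get("class"):
            self.classes.append(a["class"])

    def handle_data(self, data):
        self.text.append(data)

def scan_html(html, allowed_hosts=()):
    """Return a list of finding strings for one HTML document (empty if nothing suspicious)."""
    p = _Scanner()
    p.feed(html)
    findings = []
    for src in p.iframe_srcs:              # hidden or external iframes in a mail attachment
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(f"external iframe to {host}")
    body = " ".join(p.text).lower()
    mentions_cf = any(w in body for w in CLOUDFLARE_PHRASES)
    uses_recaptcha = any(m in s for s in p.script_srcs + p.classes for m in RECAPTCHA_MARKERS)
    if mentions_cf and uses_recaptcha:
        findings.append("Cloudflare-style page using Google reCAPTCHA (Cloudflare uses hCaptcha)")
    return findings

# Constructed samples, not artifacts from the real campaign.
ATTACHMENT = '<html><body><iframe src="https://attacker.example/landing" width="0"></iframe></body></html>'
FAKE_PAGE = ('<html><body><h1>Cloudflare DDoS protection</h1>'
             '<script src="https://www.google.com/recaptcha/api.js"></script>'
             '<div class="g-recaptcha" data-sitekey="placeholder"></div></body></html>')

if __name__ == "__main__":
    print(scan_html(ATTACHMENT), scan_html(FAKE_PAGE))
```

Run it over HTML attachments at the mail gateway or over fetched landing pages in a sandbox; a non-empty result is a reason to hold the message for review, not a verdict on its own.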