Delivering Trojans Via ClickFix Captcha
April 1, 2025, 5:28 p.m.
Description
A new social engineering technique built around a ClickFix captcha has emerged as an effective method for delivering various types of malware, including Quakbot. The technique deceives users and bypasses security controls by presenting a seemingly harmless captcha. Users are redirected to a ClickFix captcha page that tricks them into running a malicious command on their own machine. That command downloads and executes obfuscated PowerShell scripts, which in turn retrieve and deploy the actual malware payload. The attackers use layered obfuscation, including fake ZIP files and PHP-based droppers, to evade detection and analysis. The method succeeds by exploiting user trust in captchas and legitimate-looking websites, which raises the likelihood that the victim executes the malware without realising it.
Tags
Date
- Created: April 1, 2025, 2:48 p.m.
- Published: April 1, 2025, 2:48 p.m.
- Modified: April 1, 2025, 5:28 p.m.
Attack Patterns
- Quakbot
- QuackBot
- Pinkslipbot
- QakBot - S0650
- QBot
- T1553.002
- T1059.001
- T1566.002
- T1071.001
- T1105
- T1102
- T1036
- T1204
- T1140
- T1027