Cyber: Clickfix Attacks Expand Using Fake Captchas, Microsoft Scripts, And...

Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera.

"Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths," Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week.

In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity.

The starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command on the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks.

The supplied command, rather than invoking PowerShell directly, abuses "SyncAppvPublishingServer.vbs," a signed Visual Basic Script associated with App-V to retrieve and execute an in-memory loader from an external server using "wscript.exe."

It's worth noting that the misuse of "SyncAppvPublishingServer.vbs" is not new. In 2022, two different threat actors from China and North Korea, tracked as DarkHotel and BlueNoroff, were observed leveraging the LOLBin exploit to stealthily execute a PowerShell script. But this is the first time it has been observed in ClickFix attacks.

"Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by 'living off the land,'" MITRE notes in its ATT&CK framework. "Proxying execution may function as a trusted/signed alternative to directly invoking 'powershell.exe.'"

The use of an App-V script is also significant as the virtualization solution is built only into Enterprise and Education editions of Windows 10 and Windows 11, along with modern Windows Server versions. It's not available for Windows Home or Pro installations.

In Windows operating systems where App-V is either absent or not enabled, the execution of the command fails outright. This also indicates that enterprise managed systems are likely the primary targets of the campaign.

The obfuscated loader runs checks to ensure that it's not run within sandboxed environments, and then proceeds to fetch configuration data from a public Google Calendar (ICS) file, essenti

Source: The Hacker News