A malware distribution campaign uses a clever captcha prompt to trick users into bypassing browser warnings to download the Ursnif (aka Gozi) banking trojan.
Yesterday, security researcher MalwareHunterTeam shared a suspicious URL with BleepingComputer that downloads a file when attempting to watch an embedded YouTube video about a New Jersey women's prison.
When you click on the play button, the browser will download a file named console-play.exe [VirusTotal], and the site will display a fake reCaptcha image on the screen.
As this file is an executable, Google Chrome automatically warns that the file may be malicious and prompts whether you wish to 'Keep' or 'Discard' the file.
To bypass this warning, the threat actors display a fake reCaptcha image that prompts the user to press the B, S, Tab, A, F, and Enter keys on their keyboard, as shown below.
While pressing the B, S, A, and F keys does nothing, pressing the Tab key will cause the 'Keep' button to become focused, and then pressing Enter will act as a click on that button, causing the browser to download and save the file to the computer.
As you can see, this fake captcha prompt is a clever way to trick a user into downloading a malicious file that the browser is warning could be malicious.
After a certain amount of time, the video will automatically play, potentially making users think the successful 'captcha' allowed it.
Site distributes Ursnif information-stealing trojan
If a user runs the executable, it will create a folder under %AppData%\Bouncy for .NET Helper and install numerous files. All of these files are decoys, apart from the BouncyDotNet.exe executable, which is launched.
While running, BouncyDotNet.exe will read various strings from the Windows Registry that are used to launch PowerShell commands.
These PowerShell commands will compile a .NET application using the built-in CSC.exe compiler, which then loads a DLL for the Ursnif banking trojan.
Once running, Ursnif will steal account credentials, download further malware to the computer, and execute commands issued remotely by the threat actors.
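As an added example (not code from the article or from the researchers cited), the process chain described above lends itself to a simple host-based detection: a binary running from under AppData spawning PowerShell, which in turn spawns csc.exe. The process-creation records below are constructed in the Sysmon style; the pids, user name and exact paths are assumptions.

```python
"""Toy detection for the delivery chain on this page:
csc.exe  <-  powershell.exe  <-  BouncyDotNet.exe under %AppData%.
The events are constructed sample data, not real telemetry."""
import ntpath

# Constructed process-creation events (Sysmon-style fields, assumed values).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\console-play.exe"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Users\u\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNet.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    # Benign: a developer tool compiling with csc.exe, no PowerShell parent.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\IDE\ide.exe"},
    {"pid": 700, "ppid": 600,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]


def _name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def detect_chain(events):
    """Return pids of csc.exe processes whose parent is powershell.exe and
    whose grandparent runs from a path under AppData (the chain on this page)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) != "csc.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _name(parent["image"]) != "powershell.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent and "\\appdata\\" in grandparent["image"].lower():
            hits.append(e["pid"])
    return hits


def helper_folder_binaries(events):
    """Return pids of any process running from the 'Bouncy for .NET Helper'
    folder named in the article, a narrower indicator than the chain above."""
    return [e["pid"] for e in events
            if "\\bouncy for .net helper\\" in e["image"].lower()]


if __name__ == "__main__":
    print("chain hits:", detect_chain(EVENTS))          # [500]
    print("helper folder:", helper_folder_binaries(EVENTS))  # [300]
```

The benign IDE-driven csc.exe launch (pid 700) is deliberately not flagged, since compilation from PowerShell rather than csc.exe itself is the signal here.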
If you are infected with Ursnif, you should immediately change the passwords for your online accounts.