Cyber Security News

Beware Of Fake Verify You Are A Human Request That Delivers Malware

Researchers observed two distinct instances where users were inadvertently led to malicious websites after conducting Google searches for video streaming services.

These victims were redirected to malicious URLs that employed a deceptive tactic while attempting to access sports or movie content.

The victims were presented with a prompt requesting human verification, which, upon completion, executed a PowerShell command secretly generated when the victim initially accessed the malicious URL and designed to compromise the user’s system.

Fraudulent human verification steps.

The PowerShell attack involves delivering a malicious ZIP archive, which is extracted to a temporary directory on the victim’s system.

The extracted executable, Setup.exe, is then executed, leading to the deployment of malicious tools like a renamed BitTorrent client (StrCmp.exe) and a compromised Windows utility (Search Indexer), which are used to facilitate further malicious activities, such as the installation of infostealers like Vidar and StealC.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

An attack vector exploits a security loophole in web browsers to open command prompts, allowing attackers to execute unauthorized code directly on victims’ devices, observed in multiple regions, including the Middle East, Australia, France, and the United States.

Cyber security experts have identified instances where existing controls successfully mitigated similar attacks.

Recent examples include phishing campaigns that use fake verification processes to deploy malware like LummaC2, which steals sensitive information from victims’ systems.

Encoded PowerShell command execution.

In 2023, it highlighted the escalating threat of infostealers, which threat actors employ to acquire credentials for various online services and corporate networks, whose credentials are subsequently sold on underground marketplaces or exploited to execute attacks, such as phishing hotel customers.

CTU’s analysis of underground activities of September 2024 incident response engagements uncovered that the credentials harvested from victims of the fake human verification prompt were swiftly disseminated on the Russian Market following their collection.

They suggest implementing policies to prevent employees from accessing streaming services or risky content on corporate systems, and regular social engineering training with updated threat intelligence is recommended to combat these threats.

Web proxies can help restrict access to malicious websites.

To mitigate malware exposure, customers should use available controls to review and restrict access based on indicators where the URLs may contain malicious content, so caution is advised before opening them.

Malicious actors are using fraudulent human verification web pages to distribute malware.

The URLs [https://pcheck9.b-cdn.net/prop9.html](https://pcheck9.b-cdn.net/prop9.html) and [https://secure-bot15.b-cdn.net/tera32.html](https://secure-bot15.b-cdn.net/tera32.html) directly host these fake verification pages.Redirects to such pages are initiated from newvideozones.click/veri.html and potentially yip.su/25yX94, which are part of a campaign that ultimately delivers malware.

The malware might be found within pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/peltgon.zip, though further analysis is needed to confirm.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Researchers Uncovered Dark Web Operation Acquiring KYC Details

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

12 minutes ago

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address…

15 minutes ago

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS malware…

17 minutes ago

Brazilian Hacker Arrested Hacking Computers & Selling Data

A Brazilian man, Junior Barros De Oliveira, has been charged with multiple counts of cybercrime…

19 minutes ago

McDonald’s Delivery App Bug Let Customers Orders For Just $0.01

McDonald's India (West & South) / Hardcastle Restaurants Pvt. Ltd. operates a custom McDelivery web…

20 minutes ago

North Korean Hackers Stolen $2.2 Billion From Crypto Platforms In 2024

Cryptocurrency hacking incidents in 2024 surged 21.07% YoY to $2.2 billion, with 303 breaches reported,…

31 minutes ago