Banking Trojan horse distributed by using false Google reCAPTCHA

Crooks pretend to be from Google and try to steal users credential data

Attackers have found a way how to trick users and convince them to download malware by using fake Google reCAPTCHA

Not so long ago, cybersecurity researchers discovered a malware string which is spread by crooks who pretend to be from the well-known company Google.^[1] These criminals use fake Google reCAPTCHA to target users who use online banking services and steal important credential information from their accounts.

According to a researcher from the Sucuri organization, a malicious attempt was made against Poland:^[2]

During a recent investigation, we discovered a malicious file related to a phishing campaign that targeted a Polish bank. This campaign employed both the impersonation and panic/bait techniques within an email in order to lure victims into downloading banking malware.

A 404 error page is provided once the user clicks on the malicious hyperlink

Talking about the malicious spam emails, crooks try to make them look illegitimate so that users have no doubts and open them immediately. These messages are sent in a form of accepting a certain type of transaction. As additional content, a hyperlink is inserted inside the letter which the victim is supposed to access. However, once clicked, such link redirects the user to malware-laden payload which is inserted in a .PHP document.

The most interesting part of this malicious attempt is that it operates a little bit differently than other phishing campaigns are used to. Once the malicious link is clicked, the victim receives a 404 error page^[3] instead of being redirected to a misleading and fake banking site where he/she is supposed to enter private details.

Continuously, the Sucuri cybersecurity company claims that if other alternative search engines are being used, the malicious .PHP code displays a fake Google reCAPTCHA:

If a request passes through the user-agent filter (i.e the user agent is not Google crawler related) then the PHP code loads a fake Google reCAPTCHA using some static HTML elements and JavaScript.

By filling false Google reCAPTCHA, victims download malware to their Android devices

The fake Google reCAPTCHA technique is used by criminals in order to successfully distribute malware. However, users need to know that the images which are loaded always appear to be the same due to technical purposes. What else makes the made-up reCAPTCHA different from the original version is that it cannot load audio files.

If the victim manages to click on the CAPTCHA,^[4] fill in all required boxes and download the given payload, he/she installs the malware straight to the device by not even noticing that. Once the CAPTCHA is filled, users receive a malicious .zip file and .APK for their Android mobile phones or other devices.

VirusTotal has already uploaded the examples of the spotted virus.^[5] This type of cyber threat can be detected as Banker Trojan, BankBot, Artemis, Evo-gen, and in various other names by different antivirus tools. Also, it is known that this trojan mostly targets Android users and is capable of gathering various data about the device and performing actions such as:

• finding the location;
• checking the state of the device;
• sending text messages;
• making calls,
• etc.