Malware Campaign Uses Fake CAPTCHA Prompt

A malware campaign dubbed the "CAPTCHA Trap" is using a fake "ClickFix" prompt to trick users into deploying Latrodectus and Supper malware. The attack relies on sophisticated phishing and user interface deception. This technique highlights the continued effectiveness of social engineering, especially as it blends with AI-generated content.

- The threat actor TA577, a known initial access broker, was one of the first groups observed distributing the Latrodectus malware in late 2023. This group has a history of distributing other malware like Qakbot and has also been involved in campaigns to steal NTLM authentication hashes.
- Latrodectus is considered the successor to the IcedID banking trojan (first seen in 2017), and researchers believe it was created by the same developers. Like its predecessor, Latrodectus functions as a downloader, capable of gathering system information, executing arbitrary commands, and loading additional malware payloads.
- The "ClickFix" social engineering technique does not involve solving a real CAPTCHA. Instead, after a user clicks, the page instructs them to open the Windows Run dialog box (Win+R), paste a command, and press Enter, which executes a malicious script.
- The initial payload, Latrodectus, employs various evasion techniques, such as checking for debuggers and sandbox environments, before establishing persistence via scheduled tasks or AutoRun keys.
- The secondary payload, Supper, is a 64-bit Windows backdoor that functions as a Remote Access Trojan (RAT) and a SOCKS5 proxy. It gives the attacker persistent access and the ability to route traffic through the compromised network.
- Supper establishes its own persistence by creating a scheduled task, often disguised as a "GoogleUpdateTask," and can execute remote commands, download further malware, or delete itself.
- The combination of Latrodectus for initial access and reconnaissance, followed by the deployment of the Supper backdoor, indicates a preparation for lateral movement, data theft, or a future ransomware attack.
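The two host-side traces this summary describes, a command pasted into the Run dialog and a scheduled task borrowing the Google updater's name, can be triaged with a short script. The following Python is an added example, not part of the original briefing; it assumes Windows records Run-dialog history under the RunMRU registry key and that the genuine updater is installed under Program Files, and all sample data in it is constructed.

```python
# Defender-side triage for two host artefacts described above: commands pasted into
# the Run dialog (kept under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU)
# and a scheduled task posing as the Google updater. Sample data is constructed.
import re
from pathlib import PureWindowsPath

# Interpreters commonly seen in a pasted Run command (assumed starting list).
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|bitsadmin|certutil)\b", re.I)
# Install directories of the genuine updater binary (assumed defaults).
GOOGLE_UPDATE_DIRS = (PureWindowsPath(r"C:\Program Files\Google\Update"),
                      PureWindowsPath(r"C:\Program Files (x86)\Google\Update"))

def suspicious_run_entry(value: str) -> bool:
    """RunMRU stores '<command>\\1'; strip the suffix, then flag interpreter use
    or an unusually long entry (Run normally holds short program names)."""
    cmd = value.rsplit("\\", 1)[0]
    return bool(INTERPRETERS.search(cmd)) or len(cmd) > 60

def _executable(command: str) -> PureWindowsPath:
    """Extract the program path from a task action, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:].split('"', 1)[0])
    return PureWindowsPath(command.split(None, 1)[0] if command else "")

def suspicious_task(name: str, command: str) -> bool:
    """Flag a Google-updater lookalike whose binary sits outside the updater's
    directory, or any task whose action is a script interpreter."""
    exe = _executable(command)
    if "googleupdate" in name.lower() and exe.parent not in GOOGLE_UPDATE_DIRS:
        return True
    return bool(INTERPRETERS.search(exe.name))

def hunt(runmru: dict, tasks: dict) -> list:
    """Return one finding string per flagged RunMRU value or scheduled task."""
    hits = [f"RunMRU {k}: {v}" for k, v in runmru.items() if suspicious_run_entry(v)]
    hits += [f"Task {n}: {c}" for n, c in tasks.items() if suspicious_task(n, c)]
    return hits

if __name__ == "__main__":
    runmru = {"a": r"notepad\1", "b": r"powershell -w hidden -c <constructed>\1"}
    tasks = {"GoogleUpdateTaskMachineCore":
                 r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c',
             "GoogleUpdateTask": r'"C:\Users\Public\Libraries\update.exe"'}
    for finding in hunt(runmru, tasks):
        print(finding)
```

On a live host the two dictionaries would be filled from a RunMRU export and from the scheduled task list (for example `schtasks /query /v`); the legitimate updater task passes both checks, while the lookalike and the pasted interpreter command are reported.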
