
Cybercrime exploits Fake Google reCAPTCHA to spread Banking Malware


Sucuri has discovered that cybercriminals are exploiting a fake Google reCAPTCHA to spread banking malware. The criminals rely on impersonation and panic/bait emails to entice victims into downloading the malicious code.

Cybercriminals are exploiting a fake Google reCAPTCHA to spread banking malware, as discovered by Sucuri's security researchers. During a recent investigation they found a malicious file tied to a phishing campaign targeting a Polish bank. To lure victims, the criminals used two well-known social engineering techniques: impersonation and panic/bait emails that entice recipients to download the malicious code. The messages contain a fake confirmation of a recent transaction, along with a link to a PHP payload. That payload serves a fake 404 error page to visitors with specific user-agents. If a request passes the user-agent filter, the PHP code loads a fake Google reCAPTCHA built from static HTML elements and JavaScript. Because the challenge is static, the images are always the same unless the malicious PHP file's code is changed, and it does not support audio replay, unlike the real version.

The security researchers: the malicious PHP file linked in the email determines which form of malware, either a .zip dropper or an .apk, to download to the visitor's device

According to Sucuri, the PHP code then determines which form of malware, either a .zip dropper or a malicious .apk, to download to the visitor's device. To make this determination, the malicious PHP checks the victim's browser user-agent a second time. If it detects that the visitor is using Android, it prompts a download of a malicious .apk file to the device. Once installed, the app can be used for malicious purposes such as intercepting incoming SMS (including messages used for two-factor authentication, 2FA), recording audio and stealing credentials. If the code does not detect an Android device, another request is sent to the file with the parameter "?down" and the MD5 sum of the current time, which prompts a malicious .zip download with similar characteristics.
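The behaviour described above leaves two observable traces in web or proxy logs: the same PHP resource answering 404 to some user-agents and 200 to others (user-agent cloaking), and a follow-up request to that PHP resource carrying a "down" parameter together with an MD5-looking token. The script below is an added example, written here and not code from Sucuri or from the article, that looks for both signals in a tab-separated log. The log format, the sample lines, the host `example.invalid`, the path `/confirm/pay.php` and the exact shape of the `?down` query (the article only says the parameter is sent "with the MD5 sum of the time") are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample log, not taken from the article.
# Assumed format, tab-separated: client_ip  method  url  status  user_agent
SAMPLE_LOG = """\
10.0.0.5\tGET\thttp://example.invalid/confirm/pay.php\t404\tMozilla/5.0 (compatible; Googlebot/2.1)
10.0.0.7\tGET\thttp://example.invalid/confirm/pay.php\t200\tMozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36
10.0.0.7\tGET\thttp://example.invalid/confirm/pay.php?down=5f4dcc3b5aa765d61d8327deb882cf99\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
10.0.0.9\tGET\thttp://example.invalid/confirm/pay.php\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
10.0.0.9\tGET\thttp://example.invalid/images/logo.png\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

# 32 lowercase hex characters: the length of an MD5 digest
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class LogEntry:
    client: str
    method: str
    url: str
    status: int
    user_agent: str

    @property
    def path(self) -> str:
        return urlparse(self.url).path


def parse_log(text: str) -> list[LogEntry]:
    """Parse the assumed tab-separated format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, status, ua = line.split("\t", 4)
        entries.append(LogEntry(client, method, url, int(status), ua))
    return entries


def find_ua_cloaking(entries: list[LogEntry]) -> set[str]:
    """Return PHP paths that served 404 to one set of user-agents and 200
    to a completely different set, the cloaking pattern the article describes."""
    by_path: dict[str, dict[int, set[str]]] = {}
    for e in entries:
        if not e.path.endswith(".php"):
            continue
        by_path.setdefault(e.path, {}).setdefault(e.status, set()).add(e.user_agent)
    cloaked = set()
    for path, statuses in by_path.items():
        if 404 in statuses and 200 in statuses and statuses[404].isdisjoint(statuses[200]):
            cloaked.add(path)
    return cloaked


def find_down_requests(entries: list[LogEntry]) -> list[LogEntry]:
    """Return requests to a PHP resource whose query string contains a 'down'
    key plus an MD5-looking token anywhere in the query (key or value), so
    both '?down=<hex>' and '?down&<hex>' are covered."""
    hits = []
    for e in entries:
        if not e.path.endswith(".php"):
            continue
        qs = parse_qs(urlparse(e.url).query, keep_blank_values=True)
        if "down" not in qs:
            continue
        tokens = list(qs) + [v for values in qs.values() for v in values]
        if any(MD5_RE.match(t) for t in tokens):
            hits.append(e)
    return hits


def analyze(text: str) -> dict:
    """Run both detections over a log and summarise the findings."""
    entries = parse_log(text)
    return {
        "cloaked_php_paths": sorted(find_ua_cloaking(entries)),
        "down_requests": [(e.client, e.url) for e in find_down_requests(entries)],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The cloaking check deliberately requires the 404 and 200 user-agent sets to be disjoint: a path that returns both codes to the same client is more likely a transient error than a user-agent filter. In a real deployment both signals should be correlated with the same client and a short time window, since the `?down` request follows the fake reCAPTCHA page from the same visitor.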
