Malware Infection –
Fake Google reCAPTCHA
The malware infection starts with the fake confirmation receipt of the recent transaction that includes a link to the malicious PHP file.
Attackers designed the email in the way to create a panic situation to customers asking confirmation for an unknown transaction.
Generally, the phishing email contains a log in which grabs the user’s
“We see that they are limited to crawlers associated with Google, indicating that the attackers must not be too worried about other search engines.” reads Sucuri blog post.
Once the user-agent got filtered then the PHP code loads a fake Google reCAPTCHA that relies on static elements. The PHP determines which malware to be dropped on the
The malicious page rechecks the victim’s user-agent.zip dropper or a malicious .apk based on the visitor’s device.
If it detects an android device then it delivers the .apk file, else it passes another request to download the .zip file to victim’s device.
Once the malware got installed in the device it starts intercepting 2FA through SMS to grab the login credentials.