Hackers Use Fake Captcha to Bypass Browser Warnings
Cybersecurity researchers have discovered that hackers are using a fake captcha to trick users into bypassing browser warnings and downloading the Gozi banking trojan (also known as Ursnif).
The issue was identified by MalwareHunterTeam, who shared their findings with journalists at Bleeping Computer. The incident began when the researcher found a suspicious URL. When attempting to view an embedded YouTube video about a women’s prison in New Jersey, the site prompted the download of a file named console-play.exe and displayed a fake reCAPTCHA on the screen.
How the Attack Works
Since the file is an executable, Google Chrome automatically warns that the file may be harmful and asks the user whether they want to “Save” or “Cancel” the download. To bypass this warning, the attackers show the victim a fake reCAPTCHA, instructing them to press the keys “B”, “S”, “Tab”, “A”, “F”, and “Enter” on their keyboard, as shown in the screenshot below.
While pressing “B”, “S”, “A”, and “F” does nothing, pressing “Tab” moves the focus to the “Save” button, and then pressing “Enter” acts as a click on that button, causing the browser to download and save the file to the computer. Additionally, the video will start playing automatically, making the user believe they have successfully completed the captcha.
What Happens After Downloading
If the victim runs the downloaded executable, it creates a folder at %AppData%\Bouncy for .NET Helper and installs several files there. All of these files are decoys except for the executable BouncyDotNet.exe.
BouncyDotNet.exe reads various strings from the Windows registry that are used to launch PowerShell commands. These commands ultimately compile a .NET application using the built-in CSC.exe compiler, and the compiled application then launches the Ursnif banking trojan DLL. Once active, the trojan steals the victim’s credentials, downloads additional malware onto the computer, and executes any commands sent by remote attackers.
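As an added example (not part of the article, and not code from the researchers cited), the following Python heuristic scans process-creation events for the execution chain described above: CSC.exe launched under PowerShell, with an ancestor running from the dropper's folder. The event field names, sample paths and the assumption that %AppData% resolves to AppData\Roaming are mine; the events are constructed, not real telemetry.

```python
"""Flag the chain: BouncyDotNet.exe -> powershell.exe -> csc.exe.

Events use a constructed, Sysmon-like shape (pid, ppid, image, cmd);
the field names are an assumption, not a real log schema.
"""
import re

# Constructed sample events: one malicious chain and one benign build.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNet.exe",
     "cmd": "BouncyDotNet.exe"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <placeholder>"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": "csc.exe /target:library /out:<placeholder>"},
    # Benign: a build tool invoking the same compiler.
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\dotnet\MSBuild.exe", "cmd": "MSBuild.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": "csc.exe /target:exe <placeholder>"},
]

# Folder the dropper creates (assumes %AppData% == AppData\Roaming).
SUSPICIOUS_DIR = re.compile(r"\\AppData\\Roaming\\Bouncy for \.NET Helper\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Return the process chain from pid up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_compiles(events):
    """csc.exe with powershell.exe as an ancestor; note the dropper folder too."""
    findings = []
    for e in events:
        if basename(e["image"]) != "csc.exe":
            continue
        chain = ancestry(events, e["pid"])
        parents = [basename(p["image"]) for p in chain[1:]]
        if "powershell.exe" not in parents:
            continue  # compiler spawned by a build tool, not by PowerShell
        reasons = ["csc.exe spawned under powershell.exe"]
        if any(SUSPICIOUS_DIR.search(p["image"]) for p in chain):
            reasons.append("ancestor runs from %AppData%\\Bouncy for .NET Helper")
        findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
```

Running `find_suspicious_compiles(SAMPLE_EVENTS)` flags only pid 400, with both reasons; the MSBuild-driven compile is ignored because PowerShell is not in its ancestry.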
Stay Safe Online
- Be cautious when downloading files from unknown or suspicious websites.
- Always pay attention to browser warnings about potentially harmful files.
- Do not follow unusual instructions, such as pressing specific keys to bypass security prompts.
- Keep your antivirus software and operating system up to date.