<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mshta.exe - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mshta.exe/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 01 Jan 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mshta.exe/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Fake CAPTCHA Phishing Attack via Malicious Copy/Paste</title><link>https://feed.craftedsignal.io/briefs/2024-01-fake-captcha-phishing/</link><pubDate>Mon, 01 Jan 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-fake-captcha-phishing/</guid><description>Attackers compromise websites, inject malicious code posing as fake CAPTCHAs, and trick users into copying and pasting malicious commands into the Windows Run dialog box, leading to the execution of PowerShell, Cmd, or MSHTA.</description><content:encoded><![CDATA[<p>This threat involves attackers compromising websites and injecting malicious code to deliver fake CAPTCHA or page error messages to unsuspecting users. The goal is to trick victims into copying malicious commands from the compromised website and pasting them into the Windows Run dialog box. This technique leverages social engineering and user interaction to bypass traditional security measures. The malicious commands often involve PowerShell, cmd.exe, or mshta.exe, enabling the execution of arbitrary code on the victim's machine. The use of common system binaries makes detection challenging, as these are typically trusted processes. This activity has been observed since 2025/08/19.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Website Compromise:</strong> Attackers compromise a legitimate website using various techniques, such as exploiting vulnerabilities or using stolen credentials.</li>
<li><strong>Malicious Code Injection:</strong> The compromised website is injected with malicious JavaScript code that displays a fake CAPTCHA or error message to visitors.</li>
<li><strong>Social Engineering:</strong> The fake CAPTCHA or error message instructs the user to copy a provided command to resolve the issue. The message often creates a sense of urgency or importance to compel the user to act.</li>
<li><strong>Command Execution:</strong> The user copies the malicious command, which typically includes PowerShell, cmd.exe, or mshta.exe with obfuscated or encoded arguments.</li>
<li><strong>Payload Download:</strong> The executed command downloads and executes a secondary payload from a remote server.</li>
<li><strong>Persistence:</strong> The payload establishes persistence mechanisms, such as creating scheduled tasks or modifying registry keys, to ensure continued access to the compromised system.</li>
<li><strong>Lateral Movement:</strong> Depending on the attacker's objectives, they may attempt to move laterally within the network to compromise additional systems.</li>
<li><strong>Objective Completion:</strong> The ultimate objective may involve data theft, ransomware deployment, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack can result in the compromise of user systems, leading to potential data theft, malware installation, and further network intrusion. The widespread use of this technique highlights the need for increased user awareness and robust security measures to detect and prevent malicious copy-paste activity. While specific numbers are not available, similar phishing campaigns have affected numerous users across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Fake CAPTCHA PowerShell Command</code> to your SIEM to detect the execution of PowerShell commands containing CAPTCHA-related keywords.</li>
<li>Deploy the Sigma rule <code>Detect Fake CAPTCHA CMD Command</code> to your SIEM to detect the execution of CMD commands containing CAPTCHA-related keywords.</li>
<li>Implement user awareness training to educate users about the risks of copying and pasting commands from untrusted sources (reference: Attack Chain step 3).</li>
<li>Monitor process execution logs for suspicious command-line arguments involving PowerShell, cmd.exe, and mshta.exe (reference: Attack Chain step 4).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>phishing</category><category>social-engineering</category><category>malware</category><category>windows</category></item></channel></rss>