Injected KongTuke Script Leads to Fake CAPTCHA Pages and Clipboard Hijacking


A recent campaign discovered by Palo Alto Networks Unit 42 involves the KongTuke script being injected into legitimate but compromised websites. This attack leads users to fake CAPTCHA-style pages that perform clipboard hijacking (pastejacking), tricking victims into pasting malicious scripts into a Run window.

Key Details of the Attack

  • Fake CAPTCHA Pages: The injected script displays a "verify you are human" prompt on an otherwise legitimate site. The "verification" steps tell the visitor to open the Windows Run dialog and paste and run what is on the clipboard, which launches a malicious PowerShell command.
  • Clipboard Hijacking: The page's JavaScript silently writes the attacker's command to the victim's clipboard, so the "paste" step in the instructions pastes that command rather than whatever the victim expected to be there.
  • Command and Control (C2): The C2 server speaks HTTPS with a self-signed certificate over the obsolete TLS 1.0. The encryption hides the payload from content inspection, but the combination is unusual enough on a modern network to serve as a hunting indicator in its own right.

Latest Info: Palo Alto Networks Report

You Should Know: How to Detect and Prevent This Attack

1. Detect Malicious Traffic in Wireshark

  • Look for sessions actually negotiated at TLS 1.0. Check the ServerHello rather than the ClientHello: the version field of a ClientHello is frequently 0x0301 even from clients that support TLS 1.2, so filtering on the version alone is noisy (current Wireshark uses the tls. prefix; the older ssl. names still resolve):
    tls.handshake.type == 2 && tls.handshake.version == 0x0301
    
  • Wireshark has no "self-signed" field. Filter for Certificate handshake messages and compare issuer and subject in the packet details; a self-signed certificate has identical issuer and subject. This only works for TLS 1.2 and below, since TLS 1.3 encrypts the certificate:
    tls.handshake.type == 11
    
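To hunt for the same two indicators across sensor or proxy logs rather than in a single pcap, the following Python script (an added example, not from this page or the Unit 42 report) parses Zeek-style ssl.log records and flags connections negotiated at TLS 1.0/1.1 or with a self-signed server certificate. The log lines are constructed for the example and carry only a subset of Zeek's columns; the parser reads the #fields header, so the column order is not assumed.

```python
"""Flag legacy-TLS and self-signed server certificates in Zeek-style ssl.log."""
from typing import Dict, Iterator, List, Tuple

# Constructed sample in Zeek ssl.log layout (tab-separated, "#fields" header
# names the columns). Records are made up for this example; they are not
# indicators from the Unit 42 KongTuke report. "-" is Zeek's unset marker.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion"
    "\tcipher\tserver_name\tsubject\tissuer\tvalidation_status\n"
    "1700000000.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv10"
    "\tTLS_RSA_WITH_AES_128_CBC_SHA\t-\tCN=localhost\tCN=localhost\tself signed certificate\n"
    "1700000001.2\tC2\t10.0.0.5\t51001\t198.51.100.20\t443\tTLSv12"
    "\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.com\tCN=www.example.com\tCN=Example CA\tok\n"
    "1700000002.3\tC3\t10.0.0.7\t51002\t203.0.113.11\t443\tTLSv12"
    "\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\t-\tCN=update\tCN=update\tself signed certificate\n"
    "1700000003.4\tC4\t10.0.0.7\t51003\t198.51.100.21\t443\tTLSv13"
    "\tTLS_AES_128_GCM_SHA256\tcdn.example.net\t-\t-\t-\n"
)

LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #path, #open, #close ...
            continue
        if not fields:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def is_self_signed(rec: Dict[str, str]) -> bool:
    """Self-signed means issuer identical to subject; Zeek's validator verdict is
    a second, independent signal. Under TLS 1.3 the certificate is encrypted and
    both fields are '-', so a passive sensor cannot decide either way."""
    subject = rec.get("subject", "-")
    issuer = rec.get("issuer", "-")
    status = rec.get("validation_status", "-")
    return (subject != "-" and subject == issuer) or "self signed" in status


def find_suspicious(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (uid, server_ip, server_name, reasons) for every connection that
    matches at least one indicator. Both together mirror the C2 profile above."""
    hits = []
    for rec in parse_zeek_log(text):
        reasons = []
        if rec.get("version", "-") in LEGACY_VERSIONS:
            reasons.append(f"legacy {rec['version']}")
        if is_self_signed(rec):
            reasons.append("self-signed certificate")
        if reasons:
            hits.append((rec["uid"], rec["id.resp_h"], rec.get("server_name", "-"), reasons))
    return hits


if __name__ == "__main__":
    for uid, ip, sni, reasons in find_suspicious(SAMPLE_SSL_LOG):
        severity = "HIGH" if len(reasons) == 2 else "medium"
        print(f"{severity:6} {uid} {ip} sni={sni} :: {', '.join(reasons)}")
```

Connection C1 trips both indicators and is the profile to prioritise; C3 is self-signed but on TLS 1.2, which is common for appliances and internal services and needs context before escalation. C4 shows the TLS 1.3 blind spot: with no certificate visible, the script deliberately reports nothing rather than guessing.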

2. Block Clipboard Hijacking

  • Do not count on the PowerShell execution policy. The pasted command starts powershell.exe with an inline command; the execution policy governs script files only, and can in any case be overridden from the command line with -ExecutionPolicy Bypass, so the following does not stop this attack:
    Set-ExecutionPolicy Restricted -Force
    
  • Remove the lure's entry point and make attempts visible instead. The "Remove Run menu from Start Menu" Group Policy disables Win+R for users who have no need to run arbitrary commands; PowerShell Script Block Logging records the decoded command (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) even when the window is hidden; and AppLocker or WDAC rules that deny execution from user-writable paths stop the downloaded follow-on stage.
  • Inspect the clipboard before pasting anything a web page put there. On Windows the PowerShell Get-Clipboard cmdlet shows it; on Linux read the CLIPBOARD selection (the one Ctrl+V pastes), not the default PRIMARY selection:
    xclip -o -selection clipboard
    

3. Identify Compromised Websites

  • Use curl to list the scripts a page loads. The injected code is not labelled "KongTuke" (that is Unit 42's name for the campaign), so grepping for the string finds nothing; list every script element instead and compare the external hosts against what the site is supposed to load. Injections of this kind are sometimes served only to certain browsers or referrers, so also compare with what a real browser receives:
    curl -s https://example.com | grep -oiE '<script[^>]*>'
    
  • Capture the traffic generated while browsing the site with tcpdump and analyse the file afterwards in Wireshark; limiting the capture to HTTPS keeps it manageable:
    sudo tcpdump -i eth0 -w traffic.pcap 'tcp port 443'
    
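For a site owner or responder checking whether a fetched page carries an injected loader, the script below (an added example, not from this page or from Unit 42) extends the curl-and-grep idea: it parses the HTML, lists script hosts that are neither first-party nor on an allowlist, and flags inline scripts that write to the clipboard or page text that coaches the visitor through the Run dialog, which is the pastejacking mechanic described above. The sample page and its inline snippet are constructed for the example and use an inert command; the page hostname and the allowlist are assumptions.

```python
"""Static triage of a fetched HTML page for injected scripts and pastejacking lures."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed page: a site's own scripts, plus an injected external script from
# a bare IP and an inline block that plants a command on the clipboard. The
# command is inert ("echo ..."); this is not the KongTuke code Unit 42 analysed.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Example Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.min.js"></script>
</head><body>
<h1>Welcome to Example Shop</h1>
<script src="https://198.51.100.77/s.js"></script>
<script>
(function () {
  var cmd = 'echo constructed-example';
  var btn = document.getElementById('verify');
  if (btn) { btn.onclick = function () { navigator.clipboard.writeText(cmd); }; }
})();
</script>
<div id="captcha">Verify you are human: press Win + R, then Ctrl + V, then Enter.
<button id="verify">I am not a robot</button></div>
</body></html>
"""

# JavaScript calls that put data on the clipboard (the pastejacking primitive).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Visible instructions that walk the victim to the Run dialog and a paste.
RUN_LURE = re.compile(r"win(dows)?\s*\+\s*r\b|ctrl\s*\+\s*v\b", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self.text: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        # Script bodies are buffered (the parser may deliver them in pieces);
        # everything else is page text the victim can read.
        (self._buf if self._in_script else self.text).append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def unknown_script_hosts(srcs: List[str], page_host: str, allow: Set[str]) -> List[str]:
    """Hosts of external scripts that are neither first-party nor allow-listed.
    Relative URLs have no host and count as first-party."""
    hosts: List[str] = []
    for src in srcs:
        host: Optional[str] = urlparse(src).hostname
        if host and host != page_host and host not in allow and host not in hosts:
            hosts.append(host)
    return hosts


def scan_page(html: str, page_host: str, allow: Set[str]) -> Dict[str, object]:
    """Summarise the three signals for one fetched page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "unknown_script_hosts": unknown_script_hosts(p.external, page_host, allow),
        "clipboard_writers": sum(1 for body in p.inline if CLIPBOARD_WRITE.search(body)),
        "run_dialog_lure": bool(RUN_LURE.search(" ".join(p.text))),
    }


if __name__ == "__main__":
    # Assumed first-party host and CDN allowlist for the constructed page.
    report = scan_page(SAMPLE_PAGE, "www.example.org", {"cdn.example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

None of the three signals is conclusive alone (many legitimate sites copy to the clipboard), but an unknown script host together with a clipboard writer and Run-dialog instructions on the same page is the shape of this campaign. Run it against the HTML that curl returned and against a save of what a browser rendered, since the two can differ.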

4. Strengthen HTTPS Security

  • Disable TLS 1.0 and 1.1 on your own servers, so a compromised site of yours cannot be turned into a similar C2. In the Nginx server block:
    ssl_protocols TLSv1.2 TLSv1.3;
    
  • Test with OpenSSL that a server rejects TLS 1.0; the handshake should fail. The result only means something if the local OpenSSL build still supports TLS 1.0 itself, otherwise the error is local. Adding -showcerts prints the presented chain so issuer and subject can be compared for a self-signed certificate:
    openssl s_client -connect example.com:443 -tls1 -showcerts
    

5. Prevent Fake CAPTCHA Attacks

  • Use a script blocker such as NoScript so injected third-party scripts do not run by default on sites you have not explicitly trusted.
  • Treat any "verification" step that asks you to press Win+R, paste, or run something as malicious. Real CAPTCHAs never require leaving the browser. Checking the domain is not enough here, because the page belongs to a legitimate site that has been compromised.

What Undercode Says

This attack highlights the dangers of pastejacking and of C2 infrastructure that still relies on outdated encryption protocols. Always:
– Read any command a web page hands you before running it, and never paste one into the Run dialog because a "CAPTCHA" told you to.
– Update TLS configurations to block weak protocols.
– Monitor network traffic for anomalies such as TLS 1.0 sessions and self-signed certificates.

Expected Output: A secure system with blocked malicious scripts, enforced TLS 1.2+, and awareness of clipboard-based attacks.

Reported By: Unit42 Kongtuke – Hackers Feeds