The Microsoft Security Intelligence team has found an Excel malware campaign with an unusual execution chain. The campaign even requires the targeted user to solve a CAPTCHA, which then leads to execution of the malware.
Sharing the details in a series of tweets, the team explained that the group CHIMBORAZO is actively running a phishing campaign. This is the same group that ran the Dudear campaigns, which dropped the info-stealing Trojan GraceWire.
The attack begins with phishing emails that carry the phishing link either in the message text or within an HTML attachment, embedded in a malicious iframe tag. Up to this point, it looks like any other phishing attack. However, the next step is what makes it unique.
Clicking the malicious link redirects the victim to a web page impersonating the Cloudflare DDoS protection page, which requires the user to solve a Google reCAPTCHA.
Solving the CAPTCHA then downloads a malicious Excel file. Enabling macros in that file downloads the final payload, the info-stealing GraceWire Trojan. This is what makes this malware campaign similar to Dudear.
Users should remain very careful when downloading files from emails. Likewise, they should remain vigilant when enabling editing for MS Office files, which MS Office otherwise keeps protected by default.