A website was discovered that downloads a spyware trojan and tricks people into saving the malicious file. It does this by showing a Captcha that asks users to press certain keyboard keys.
This example of a dangerous website shows how fake captchas can be used to hurt people – in this case, trick them into saving malicious files.
The trojan downloaded by the malicious site is called Gozi or Ursnif. It can steal passwords and other sensitive information that can then be used, for instance, to take over people’s accounts.
Fake Keyboard Captcha Downloads A Trojan
About the fake captcha attack:

| | |
|---|---|
| How the attack starts | The malicious website automatically downloads an infected file, then asks the user to press certain keyboard keys that save the downloaded file; the file, if opened, infects the computer with a banking trojan. |
| Dangers and harm | The trojan can steal usernames, passwords, and other information; it can download additional malware. |
| How to protect yourself from the trojan | Delete suspicious files that are downloaded by websites without permission, |
Video website downloads a trojan
MalwareHunterTeam saw the malicious website and BleepingComputer described the trojan in more detail. I don’t recommend visiting the site, as it does download a dangerous program – it’s best to avoid getting accidentally infected.
The malicious site shows a YouTube video. When you press the Play button, it downloads a file called “console-play.exe”.
The site then shows a captcha (CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart – is a robot check) that asks you to press a few keyboard keys: B, S, Tab, A, F, and Enter.
BleepingComputer notes that, if your browser shows a security warning on the “console-play.exe” file, pressing Tab and then Enter should get past the warning and save the file in your Downloads folder.
Spyware trojans steal information
Just downloading console-play.exe doesn’t do anything. If you just delete it, you’re good (though an antivirus scan would probably be prudent).
You need to open/run console-play.exe in order for it to download malware and infect your PC. If you double-click it, then Gozi malware is downloaded.
It’s important to note that the malicious file doesn’t have to be named “console-play.exe” – it could be named anything else. It doesn’t even have to be an exe file, it could be an image, an archive, etc.
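The dangerous step is running the downloaded file, and the file name is arbitrary, so a detection should key on where a process was launched from rather than what it is called. As an added example (not code from the original post, nor from BleepingComputer or MalwareHunterTeam), this Python snippet runs over constructed Sysmon-style process-creation records and flags any executable started directly from a user’s Downloads folder, plus anything that such a process spawns; the field names Image, ParentImage, User and EventID follow Sysmon, the sample lines are made up.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1), one
# "key=value" line each. Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1 User=CORP\\alice Image=C:\\Users\\alice\\Downloads\\console-play.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 User=CORP\\alice Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 User=CORP\\bob Image=C:\\Users\\bob\\Downloads\\holiday-photo.jpg.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 User=CORP\\bob Image=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe ParentImage=C:\\Users\\bob\\Downloads\\holiday-photo.jpg.exe",
    "EventID=3 User=CORP\\alice Image=C:\\Windows\\System32\\svchost.exe DestinationIp=192.0.2.10",
]

# key=value pairs; values may contain spaces, so a value ends only before the next "Key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Any path under a user's Downloads folder, case-insensitive. Matching on
# location rather than file name covers renamed droppers too.
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one flattened record into a field dictionary."""
    return {key: value for key, value in KV_RE.findall(line)}


def flag_downloads_execution(lines: list) -> list:
    """Return alerts for processes run from Downloads, or spawned by one.

    Each alert is a dict with the user, image path, parent path and reason.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "1":  # only process-creation events
            continue
        image = event.get("Image", "")
        parent = event.get("ParentImage", "")
        if DOWNLOADS_RE.match(image):
            reason = "executable launched from Downloads"
        elif DOWNLOADS_RE.match(parent):
            reason = "spawned by an executable run from Downloads"
        else:
            continue
        alerts.append({"user": event.get("User", ""), "image": image,
                       "parent": parent, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in flag_downloads_execution(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['image']} ({alert['reason']})")
```

On the sample data this yields three alerts: the two binaries run from Downloads and the child process the second one spawned; the browser launch and the network event are ignored.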
The Gozi trojan is dangerous:
- It steals account credentials and other private information.
- It can download and install more malware infections, such as adware.
There is more to Gozi; see this recent post by Check Point. Gozi is very versatile and can be configured to perform many different tasks. The trojan is now being distributed by many different cybercriminal gangs, which makes its behaviour in any given campaign difficult to predict.
How to avoid the Gozi trojan
In this case, the Gozi trojan is being spread with the help of a fake captcha. We’re very familiar with fake captchas being used by notification hijackers (Captcha-bros.com), but this fake keyboard captcha can cause much more serious problems.
The problem is that there are many different types of captchas, and any website could invent a custom one. Coming across a captcha you’ve never seen before is not suspicious in itself, which makes fakes difficult to tell apart from genuine ones.
Be suspicious of any site that unexpectedly downloads files. Such files should be deleted, even if they’re not detected by your antivirus software. Similarly, it’s good to be suspicious of emails that hide their contents in attachments. Often, such attachments are used to spread malware.
If you downloaded and ran console-play.exe, your device might have been infected with an info-stealing trojan and with other malware. Use an antivirus program (such as Spyhunter, Malwarebytes, and others) to scan your computer for infections, and protect your device with a good security tool. Antivirus scanners detect the console-play.exe file as Trojan, Malicious, Backdoor, and by other names that you can see on this VirusTotal page.
After removing all the malware infections and making sure that your computer is clean, reset your passwords and make sure to use multi-factor authentication. This will make it much harder for cybercriminals to hack your accounts, even if they did steal your credentials.
Automatic Malware removal tools