In an era where cyber threats evolve with alarming frequency, a new malware strain dubbed LightPerlGirl is making waves as it exploits users’ trust in web CAPTCHA systems.
Security researchers at Todyl have uncovered a sophisticated attack chain that leverages fake CAPTCHA pop-ups to trick users into executing malicious PowerShell commands, ultimately giving attackers a persistent foothold on infected systems.
The Attack Vector: Social Engineering Meets Advanced Evasion
LightPerlGirl’s campaign begins with a simple, yet effective ruse. Users visiting previously compromised WordPress sites, which often appear as legitimate travel or business pages, are presented with a CAPTCHA prompt that mimics security checks from trusted providers like Cloudflare.

Instead of verifying user authenticity, these prompts instruct victims to paste and run a specific command in their system’s Run dialog.
Believing they are aiding in an anti-bot or anti-DDoS measure, users unwittingly execute the first stage of LightPerlGirl’s payload: an obfuscated PowerShell script.
Initial analysis reveals that the PowerShell command contacts a command and control (C2) server at cmbkz8kz1000108k2carjewzf.info, using string-splitting techniques to evade detection.
Once connected, it downloads and executes the next phase of the attack in memory, avoiding detection by traditional file scanners.
Inside the Malware’s Multilayered Execution
The downloaded script is split into three main functions:
- HelpIO – Gaining Privilege and Disabling Defenses:
This function persistently attempts to elevate privileges using User Account Control (UAC) prompts, exploiting users’ tendency to approve administrative requests. Once successful, it adds an exclusion path for Windows Defender, specifically disabling scans of the C:\Windows\Temp directory, effectively creating a safe haven for malicious files.
- Urex – Establishing Persistence:
This module downloads a secondary payload (evr.bat) from the same C2 server, saving it to the Temp directory (now shielded from Defender). It then crafts a shortcut in the user’s Startup folder, ensuring automatic execution of the payload at every login.
- ExWpL – Fileless Payload Execution:
The malware loads a base64-encoded .NET assembly directly into memory using PowerShell’s Reflection capabilities, bypassing file write detection. The assembly’s entry point is invoked to execute the attacker’s code without leaving a trace on disk.
Continuous Threat and Critical Recommendations
Once established, LightPerlGirl maintains a connection to its C2 server, awaiting further instructions. The batch file (evr.bat) serves as a conduit for additional malicious activities, executed in a hidden PowerShell process.
The malware’s operators can thus maintain persistent access, download further payloads, or launch other attacks from the compromised system.
How to Protect Yourself
Todyl strongly advises users to never trust CAPTCHA prompts that require running scripts or commands. Key protective measures include:
- Deploying Endpoint Security Solutions:
These can prevent unauthorized script execution and alert administrators to suspicious activity.
- Monitoring Network Activity:
Watch for connections to known malicious IPs (such as 91.92.46.60 or 94.74.164.x ranges) and domains related to C2 servers.
- Using Hunt Queries and IOCs:
Detect and block files like "C:\Windows\Temp\LixPay.bat" or shortcuts in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\LixPay.url".
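To act on that last point, here is an added PowerShell hunt script (not Todyl’s code) that checks a single host for the artifacts named in this article: the Defender exclusion, the dropped batch files, the Startup-folder shortcut, and the C2 domain. It assumes the RunMRU registry key and the DNS client cache as the places where the pasted Run-dialog command and the C2 lookup would be recorded.

```powershell
# Added hunt script, not Todyl's own code. Paths, file names and the
# Defender exclusion come from the article; the RunMRU and DNS-cache checks
# are assumptions about where Run-dialog history and resolved names are kept.
$findings = @()

# 1. HelpIO: a Defender exclusion covering C:\Windows\Temp
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($prefs.ExclusionPath)) {
    if ($p -like 'C:\Windows\Temp*') { $findings += "Defender exclusion: $p" }
}

# 2. Urex: dropped batch payloads in the now-unscanned Temp directory
foreach ($name in 'evr.bat', 'LixPay.bat') {
    $path = Join-Path 'C:\Windows\Temp' $name
    if (Test-Path $path) { $findings += "Payload on disk: $path" }
}

# 3. Urex: Startup-folder shortcuts pointing back into Windows\Temp
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.url', '.lnk' } |
    ForEach-Object {
        $body = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($_.Name -eq 'LixPay.url' -or $body -match 'Windows\\Temp') {
            $findings += "Startup persistence: $($_.FullName)"
        }
    }

# 4. Entry point: Run-dialog history (RunMRU) holding a PowerShell one-liner.
#    PS* properties are PowerShell provider metadata, not MRU entries, so skip them.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    foreach ($prop in (Get-ItemProperty -Path $runMru).PSObject.Properties) {
        if ($prop.Name -notmatch '^(PS|MRUList)' -and
            $prop.Value -match 'powershell|iex|invoke-expression') {
            $findings += "Run-dialog history: $($prop.Value)"
        }
    }
}

# 5. C2 contact: the article's domain left in the local DNS resolver cache
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*cmbkz8kz1000108k2carjewzf.info*' } |
    ForEach-Object { $findings += "DNS cache entry: $($_.Entry)" }

if ($findings.Count -eq 0) { 'No LightPerlGirl indicators found.' } else { $findings }
```

Run it in an elevated session so Get-MpPreference and the Temp directory are readable; any line of output is a lead to triage, not a confirmed infection.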
Stay vigilant. LightPerlGirl demonstrates the growing sophistication of social engineering and fileless malware.
By remaining skeptical of web pop-ups and ensuring robust security practices, users and organizations can significantly reduce their risk of falling victim to such attacks.
Security teams should continue to monitor for updates and indicators as Todyl and other researchers work to uncover the full scope of this campaign.