
I2Parcae targets victims via fake support emails and CAPTCHA tricks

A new wave of cyberattacks targets businesses and individuals through customer support contact forms using a sophisticated Remote Access Trojan (RAT) called I2Parcae. Delivered via spam emails that appear from legitimate sources, the malware tricks victims into executing malicious scripts by disguising itself as a harmless CAPTCHA challenge.

Researchers discovered that the RAT is distributed via spam emails targeting customer support contact forms on various websites. Once clicked, these emails lead users to a malicious webpage disguised as adult content, delivering the I2Parcae payload.

Once executed, the malware deploys various functionalities to avoid detection and exfiltrate sensitive information. Key actions include disabling Windows Defender, collecting browser cookies, and providing remote access to the compromised system.

Apart from disabling Windows Defender, the RAT accesses web browser data and collects system information. It also hides its presence by creating a folder in the ‘Public’ directory that mimics a system location, specifically a link to the ‘My PC’ page in Windows File Explorer. By placing its malicious files in this folder, the malware stays hidden from casual users, who are unlikely to think of investigating that area.
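The Windows behaviour the article alludes to is that Explorer renders a directory named `<anything>.{<shell CLSID>}` as the shell object that GUID identifies, so the real folder contents are never shown. The scanner below is an added example, not code from the article or from Cofense; it walks a directory tree and flags any folder carrying such a suffix. The GUID for ‘This PC’ is the well-known Windows constant; the sample tree, its folder names and the `cnccli.dll` placeholder file are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Shell CLSIDs that Explorer renders in place of the real directory.
# {20D04FE0-...} is the well-known "This PC" (formerly My Computer) identifier.
KNOWN_SHELL_CLSIDS = {
    "20D04FE0-3AEA-1069-A2D8-08002B30309D": "This PC",
}

# A directory name of the form "<anything>.{<GUID>}" is what triggers the trick.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def find_clsid_folders(root):
    """Walk `root` and return one (path, clsid, label, files) tuple per directory
    whose name ends in a CLSID suffix. Unknown CLSIDs are still reported
    (label None): any such folder under a user-writable path deserves a look."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            match = CLSID_SUFFIX.search(name)
            if not match:
                continue
            full = os.path.join(dirpath, name)
            clsid = match.group(1).upper()
            # Explorer would hide these; list them so an analyst sees what was dropped.
            files = sorted(os.listdir(full))
            hits.append((full, clsid, KNOWN_SHELL_CLSIDS.get(clsid), files))
    return hits


def build_sample_tree():
    """Constructed stand-in for C:\\Users\\Public: one benign folder and one
    folder disguised with the This PC CLSID suffix (lower case, as a
    malware author might write it; matching is case-insensitive)."""
    root = tempfile.mkdtemp(prefix="public_")
    os.makedirs(os.path.join(root, "Documents"))
    disguised = os.path.join(root, "Libraries.{20d04fe0-3aea-1069-a2d8-08002b30309d}")
    os.makedirs(disguised)
    # File name taken from the article; contents are a harmless placeholder.
    Path(disguised, "cnccli.dll").write_bytes(b"constructed placeholder, not malware")
    return root


if __name__ == "__main__":
    for path, clsid, label, files in find_clsid_folders(build_sample_tree()):
        print(f"{path}\n  CLSID={clsid} rendered_as={label or 'unknown'} files={files}")
```

Pointed at a real `C:\Users\Public` (or any user-writable path), the same function reports folders that Explorer would silently present as a shell view instead of their contents.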

Additionally, the malware can extract information from Windows’ Security Accounts Manager (SAM) and connect to remote servers via the Invisible Internet Project (I2P), an anonymous, encrypted peer-to-peer network.

“This RAT is notable for having several unique tactics, techniques, and procedures (TTPs), such as Secure Email Gateway (SEG) evasion by proxying emails through legitimate infrastructure, fake CAPTCHAs, abusing hardcoded Windows functionality to hide dropped files, and C2 capabilities over Invisible Internet Project (I2P), a peer-to-peer anonymous network with end-to-end encryption,” researchers said.

The I2Parcae malware campaign uses a unique strategy to bypass traditional email security defences. It exploits customer support forms on websites to deliver malicious content. The attacker submits a seemingly innocent message through the form, which is then sent to the target’s email server along with the embedded malicious link.

Fake CAPTCHA that copies malicious script into the victim’s clipboard. | Source: Cofense

Since the email originates from legitimate servers, it can bypass many SEGs, which often rely on the email sender’s reputation to filter spam and phishing attempts.

Once victims receive these emails, they are prompted to click on a link, leading to a page that claims to host adult content. However, this page redirects users to a fake CAPTCHA screen that tricks them into executing a script that downloads and installs I2Parcae.

Victims, misled into thinking they are completing a CAPTCHA challenge, unknowingly run the malicious code, allowing the RAT to establish a foothold on their system.

What sets I2Parcae apart from other RATs is its use of I2P, a decentralised, encrypted network that allows for anonymous communications. Unlike Tor, which relies on dedicated routing nodes, I2P operates on a peer-to-peer model, where each user acts as a client and a node in the network. This makes it significantly harder for security researchers to analyse and intercept I2P traffic.

In the case of I2Parcae, researchers discovered that the RAT uses I2P to communicate with its command-and-control (C2) server. This means that the malware’s control infrastructure is harder to track and more resilient to takedown efforts.

In addition to I2P, the malware has a fallback communication option using a standard IPv4 address and port, providing a multi-layered approach to maintaining control over infected machines.

The core functionality of I2Parcae includes several modules, each designed to extend the malware’s capabilities. These modules can enumerate user accounts and groups, identify installed programs, and interact with other machines on the network using Windows Remote Desktop Services (RDP). The most critical module, ‘cnccli.dll,’ handles communication with the malware’s C2 servers and logs extensive information about the compromised system.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me