A long-standing but stealthy group allegedly helping cyber-attackers penetrate IT systems by offering CAPTCHA-solving services has recently been discovered.
In a new report, Arkose Cyber Threat Intelligence Research (ACTIR) shared that it had identified a cyber-attack enabling business it named Greasy Opal after observing the group’s tools being used to attack Arkose Labs’ customers.
Greasy Opal, based in the Czech Republic, has allegedly operated since 2009 but has remained under the radar until now. The group sells various products and solutions to multiple customers, including cyber threat actors.
These products include a range of legitimate productivity solutions and more controversial tools, such as:
- SEO-boosting software
- CAPTCHA-solving services
- Browser automation services
- Social media automation services
Uncovering Greasy Opal’s Anti-CAPTCHA Tool
ACTIR described Greasy Opal’s CAPTCHA-bypassing tool as an easy, fast, and flexible tool for the automatic recognition of a wide array of CAPTCHAs.
Greasy Opal’s tool boasts a 10-time faster efficiency than typical CAPTCHA-solving solutions, such as AntiGate (Anti-Captcha), RuCaptcha or DeCaptcher.
CAPTCHAs are computer programs intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.
Greasy Opal’s Yearly Revenues at $1.7m
Greasy Opal’s portfolio is multi-faceted, allowing it to develop a sophisticated business model by bundling several services together, including allegedly legitimate solutions and services that are evidently illegal.
“This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream,” wrote ACTIR researchers.
The group offers what ACTIR calls “an attacker’s toolkit” for $70, with an additional $10 monthly subscriber fee. For an extra $100, customers can upgrade to get the beta version.
It also offers a package that bundles all its tools, costing $190 plus the $10 subscription.
ACTIR researchers estimate that Greasy Opal’s revenues for 2023 were at least $1.7 million.
Greasy Opal’s Infrastructure
Greasy Opal’s products and services are built using sophisticated image and character recognition and AI technologies.
Key features include:
- Advanced optical character recognition (OCR) technology used to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion
- Machine learning models trained on extensive datasets of images, allowing for continuous learning and adaptation, enhancing Greasy Opal’s capability to solve new CAPTCHA variations
- Crowd-sourced labeling used to train its machine learning models
The group is known for its regular updates, which enhance its machine learning models and allow for the quick adaptation to new types of CAPTCHAs, ACTIR researchers noted.
Greasy Opal’s Customers
Arkose Labs estimated that hundreds of individual attackers are using Greasy Opal software to build bots and stage volumetric attacks.
For example, ACTIR researchers observed that Vietnam-based Storm-1152 used Greasy Opal in conjunction with attacks that created 750 million fake Microsoft accounts.
The Microsoft Digital Crimes Unit, using threat intelligence from the ACTIR unit, seized control of the Storm-1152 domains first in December 2023. ACTIR discovered that Storm-1152 reconstituted in January 2024 and the unit worked with Microsoft to disrupt the threat actors again in early August 2024.
Another prominent user is browser automation software provider Bablesoft. Its Browser Automation Suite (BAS), which offers a tool that provides fingerprint databases and a drag-and-drop interface to create and launch attacks, allegedly uses Greasy Opal’s toolkit.
“When Greasy Opal and BAS are used together, malicious actors' skill level can be pretty low to deploy a successful attack,” one ACTIR researcher noted in the report.
Conclusion
ACTIR acknowledged that Greasy Opal’s technology is inexpensive and very efficient.
However, the researchers also noted that the toolkit has a weakness: the bot technology doesn’t scale well because it is CPU-based, not GPU-based.
“Consequently, the system's vulnerability is exacerbated by its reliance on outdated hardware architecture, making it more susceptible to being stopped by advanced countermeasures designed to exploit this weakness,” the researchers explained.
Arkose recommended that companies check if they see their name on the list provided in the report’s appendix, in which case it is likely that Greasy Opal’s tools are enabling attacks on your company.