
A new ClickFix campaign carried out via a compromised website has been observed using scheduled tasks for persistence and PySoxy, an open-source Python SOCKS5 proxy, to establish encrypted proxy access. "In the observed chain, one user-executed command led to persistence, domain reconnaissance, an initial PowerShell-based command-and-control (C2) channel, and a second C2 path through PySoxy, giving the attacker encrypted proxy access without relying on well-known malware or remote monitoring and management (RMM) tools," ReliaQuest said.
"This development shows ClickFix moving beyond one-time user execution into modular post-exploitation, where older open-source tools can create redundant access paths that are harder to classify and contain."
Threat actors are sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that enables remote access, malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. "By abusing Teams external access, the threat actor delivered a Dropbox-hosted Python payload [called ModeloRAT] that established command-and-control, deployed multiple backdoors, and began mapping the internal environment," Rapid7 said.
"The attacker then escalated privileges to SYSTEM using CVE-2023-36036 before deploying a fake Windows lock screen designed to harvest the user's domain password."
A ClickFix campaign delivered through a compromised website gained persistence via scheduled tasks and established encrypted proxy access using PySoxy, an open-source Python SOCKS5 proxy. The observed chain moved from a single user-executed command to persistence, domain reconnaissance, an initial PowerShell-based command-and-control channel, and a second command-and-control path via PySoxy. This created redundant access paths without relying on well-known malware or remote monitoring and management tools. Separately, threat actors sent Microsoft Teams messages from a fake IT Support account, abusing Teams external access, to trigger remote access and malware deployment. That chain included a Dropbox-hosted Python payload (ModeloRAT), command-and-control, multiple backdoors, internal environment mapping, privilege escalation to SYSTEM via CVE-2023-36036, and a fake Windows lock screen used to harvest the user's domain password.
Read at The Hacker News