EXECUTIVE SUMMARY
The malware campaign targets YouTube creators through a phishing attack that exploits their interest in brand collaborations. Threat actors craft deceptive emails mimicking professional partnership offers from well-known brands, embedding malicious links within supposed promotional materials or business contracts. A critical technique in this campaign is Clickflix, which manipulates victims into executing a base64-encoded PowerShell script by presenting a fake Microsoft Office error page. Once users follow the instructions on the fraudulent webpage, the script downloads and installs malware onto their systems. Because the victim performs the execution step themselves, the method sidesteps controls that inspect attachments or downloads, making it particularly effective against content creators who frequently engage in sponsorship deals. By employing this phishing strategy, attackers increase their chances of a successful malware deployment, leading to system compromise and data theft.
The malware employs multiple persistence and evasion techniques to maintain control over infected systems. A key function of the PowerShell script is to register scheduled tasks that re-run the payload, ensuring long-term access even after system reboots. Additionally, it clears the DNS cache to remove traces of its network activity and loads further malicious scripts directly in memory to avoid leaving files for detection. The malware primarily focuses on extracting browser-stored credentials, cookies, and autofill data, allowing attackers to hijack online accounts. Further analysis of the malicious code reveals its capability to communicate with C2 servers via domains hosted on content delivery networks. The malware sends stolen credentials and browsing history to these remote servers, where attackers can exploit the data for financial gain, identity theft, or further intrusions.
By leveraging Clickflix as a delivery mechanism, the campaign demonstrates a growing trend in social engineering attacks that manipulate users into executing malicious code. The attackers exploit the trust and habits of content creators, making traditional security awareness insufficient in preventing these threats. With the ability to steal browser credentials and exfiltrate data to C2 servers, this campaign poses a serious risk to online creators who rely on digital platforms for their livelihood. The use of obfuscated scripts and stealth techniques further complicates detection, underscoring the need for enhanced cybersecurity measures against evolving social engineering tactics. As the attack continues to target unsuspecting victims, it highlights the importance of vigilance in handling unsolicited collaboration offers and verifying the authenticity of digital communications before engaging with embedded links or files.
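The behaviours described above (encoded PowerShell launched from a fake error page, scheduled-task persistence, DNS cache clearing, in-memory script loading) are all visible on the command line of the process that runs them. The following detection helper is an added example written for this summary; it is not the campaign's code and not tooling from the report. It scans constructed process-creation log lines, decodes any PowerShell -EncodedCommand payload (PowerShell expects base64 of UTF-16LE text) and tags which of the summarised behaviours the decoded script contains. The log field layout, task name and URL are constructed placeholders, not indicators from the report.

```python
"""Flag encoded-PowerShell launches in process logs and decode their payloads.

Added example for this report summary (not the campaign's code, not the
report's own tooling). Log format, task name and URL are constructed.
"""
import base64
import re
from typing import Optional

# Assumption: each log line is "<timestamp> <user> <command line>", as a SIEM
# might export process-creation events. Only the command line is inspected.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I
)

# Indicator patterns mapped to the behaviours the summary describes.
BEHAVIOUR_PATTERNS = {
    "scheduled_task_persistence": re.compile(
        r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I
    ),
    "dns_cache_clearing": re.compile(
        r"ipconfig(?:\.exe)?\s+/flushdns|Clear-DnsClientCache", re.I
    ),
    "in_memory_loading": re.compile(
        r"Invoke-Expression|\bIEX\b|DownloadString", re.I
    ),
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a line that launches encoded PowerShell, else None."""
    if "powershell" not in line.lower():
        return None
    match = ENCODED_FLAG.search(line)
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    if decoded is None:
        # Still worth surfacing: an encoded launch we cannot read is suspicious.
        return {"decoded": None, "behaviours": [], "note": "undecodable payload"}
    behaviours = [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(decoded)]
    return {"decoded": decoded, "behaviours": behaviours}


def scan(lines):
    """Return (line, finding) pairs for every line that produced a finding."""
    return [(line, finding) for line in lines if (finding := analyse_line(line))]


def encode_for_sample(script: str) -> str:
    """Encode text the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample payload: placeholder task name and URL, not report IoCs.
SAMPLE_SCRIPT = (
    "Register-ScheduledTask -TaskName 'PLACEHOLDER_TASK' -Trigger $t -Action $a;"
    "Clear-DnsClientCache;"
    "Invoke-Expression $stage2"
)

# Constructed log lines: benign process, encoded launch, undecodable encoded launch.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z user1 C:\\Windows\\System32\\notepad.exe",
    "2025-01-01T10:00:05Z user1 powershell.exe -NoProfile -w hidden -enc "
    + encode_for_sample(SAMPLE_SCRIPT),
    "2025-01-01T10:00:09Z user1 powershell.exe -enc AAAAAAAAAAAAAAAAA",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LOGS):
        print(finding["behaviours"], finding.get("note", ""), "<-", line[:70])
```

The three behaviour tags are independent, so a single hit (for example only in-memory loading) still produces a finding for an analyst to triage; the three together match the chain this summary describes and would merit a higher severity in a real rule.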
THREAT PROFILE:
Tactic | Technique ID | Technique |
Initial Access | T1566 | Phishing |
Execution | T1047 | Windows Management Instrumentation |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1518 | Software Discovery |
Collection | T1213 | Data from Information Repositories |
Command and Control | T1071 | Application Layer Protocol |
REFERENCES:
The following reports contain further technical details: