Threat Advisory

New ClearFake Campaign Employs Manual Execution Techniques to Evade Detection

Threat: Malicious Campaign
Criticality: High

EXECUTIVE SUMMARY :

A new campaign from the JavaScript framework "ClearFake" has been observed employing novel execution techniques to deceive users into manually executing malicious PowerShell code. Unlike traditional drive-by downloads, where users are tricked into downloading and running malicious payloads, this campaign relies on social engineering to prompt users to copy and paste malicious code directly into their PowerShell terminal. This method aims to evade detection by security tools, as the malicious commands are executed manually by the user rather than being initiated by a downloaded script file.

The attack begins with users visiting compromised websites that display a fake browser error message, instructing them to install a root certificate to fix the issue. Upon clicking the "Fix it" button, users are presented with instructions to copy obfuscated PowerShell code into their clipboard and execute it in a PowerShell terminal. This PowerShell script performs several actions: it clears the DNS cache, displays a success message box, downloads additional PowerShell code from an attacker-controlled domain, and ultimately installs the LummaC2 malware via a series of steps involving base64-encoded commands and sandbox evasion techniques. Notably, the script uses a user agent check and a CPU temperature check to avoid detection in virtualized environments.

To mitigate this threat, organizations should implement robust application control policies to restrict PowerShell usage to essential personnel only. It is crucial to educate users about the risks of executing code from untrusted sources and to enhance network defenses by blocking access to suspicious domains. Additionally, configuring Windows Defender Application Control (WDAC) to enforce constrained language mode for PowerShell and ensuring endpoint security tools are integrated with the Windows Antimalware Scan Interface (AMSI) can provide significant protection. By adopting these best practices, organizations can effectively reduce the risk posed by this emerging threat and safeguard their environments against similar attacks.

 

THREAT PROFILE :

Tactic Technique Id Technique
Execution T1059 Command and Scripting Interpreter
Persistence T1547 Boot or Logon Autostart Execution
Defense Evasion T1140 Deobfuscate/Decode Files or Information
T1218 System Binary Proxy Execution
T1070 Indicator Removal
Collection T1113 Screen Capture
Command and Control T1071 Application Layer Protocol
Exfiltration T1041 Exfiltration Over C2 Channel

 

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/hackers-javascript-framework-trick-users/

crossmenu