ClickFix Campaign Generated Via AI Delivers SmartRAT

MITRE Techniques

• [T1566 ] Phishing – Used a fake bank website and ClickFix lure to trick victims into executing malicious commands [‘a fake CAPTCHA followed by a fullscreen fake BSOD/system recovery prompt’]
• [T1059 ] Command and Scripting Interpreter – Used PowerShell to download and execute the next stage [‘run a PowerShell command that downloads and executes a RAT’]
• [T1059.001 ] PowerShell – SmartRAT and its loaders were implemented in PowerShell [‘SmartRAT is a PowerShell-based banking RAT’]
• [T1569.002 ] Service Execution – Used service-related behavior to run payloads and support SYSTEM execution [‘compiles inline C# service code using csc.exe and installs a Windows service’]
• [T1543.003 ] Create or Modify System Process: Windows Service – Created a Windows service for persistence and SYSTEM execution [‘installs a Windows service named MicrosoftEdgeUpdateCore under %ProgramData%… configured to run with System privileges’]
• [T1036 ] Masquerading – Used bank and update-themed names to appear legitimate [‘MicrosoftEdgeUpdateCore’, ‘msedgeupdate.txt’, and bank impersonation lures’]
• [T1070.004 ] Indicator Removal: File Deletion – Deleted files, logs, and cleanup artifacts during uninstall/self-removal [‘delete the service, scheduled tasks, registry keys, and all files’]
• [T1082 ] System Information Discovery – Collected OS, username, host, privilege, session ID, and other victim details [‘Sends victim profile JSON (OS, username, host, privilege, session ID, install token, HMAC)’]
• [T1071 ] Application Layer Protocol – Used HTTP and TCP-based C2 communications to blend with normal traffic [‘retrieving st.txt from 64.95.13.238’ and ‘communicates over a raw TCP socket on port 51888’]