Lazarus Group Using ClickFix to Deliver Malware

MITRE Techniques

• [T1204] User Execution – Victims were socially engineered via fake job/interview sites to run a “repair” command that downloaded and executed malicious packages (“…the site prompts the victim that the camera configuration does not meet requirements or has a fault, and gives a fix that downloads a fake Nvidia update…”).
• [T1202] Indirect Command Execution – run.vbs checks OS BuildNumber and Node.js presence then launches shell.bat or drvUpdate.exe to execute subsequent components (“…Run.vbs checks BuildNumber … if Win11 then run drvUpdate.exe … if Node.js exists then run shell.bat…”).
• [T1543] Create or Modify System Process – Persistence via registry and LaunchAgents plist to auto-start malware components (“…establish persistence by adding registry command ‘%USERPROFILE%.pyppythonw.exe’ ‘%USERPROFILE%.n2pay’…”; “…set plist path ‘~/Library/LaunchAgents/com.local.drvierUpdate.plist’…”).
• [T1105] Ingress Tool Transfer – BeaverTail and InvisibleFerret were downloaded from C2 servers to victim systems (“…BeaverTail C2 is hxxp://45.159.248.110. BeaverTail also downloads and deploys Python trojan InvisibleFerret…”).
• [T1059] Command and Scripting Interpreter – Use of bat, vbs, shell scripts, Node.js (npm start running main.js) to execute malicious logic (“…ClickFix-1.bat … run.vbs … shell.bat … npm install and npm start … main.js …”).
• [T1574] Hijack Execution Flow – Installing Node.js and executing npm scripts from attacker-supplied package.json to run main.js BeaverTail (“…download and install Node.js … run npm install and npm start which executes main.js …”).
• [T1071] Application Layer Protocol – Malware communicates with C2 servers over HTTP to download additional payloads and receive commands (“…C2 servers hxxp://45.159.248.110, hxxp://45.89.53.54 … drvUpdate.exe connects to 103.231.75.101:8888 …”).