ClearFake re-emerged as a social-engineering campaign that leverages compromised websites to display a fake error modal and persuade victims to copy/paste PowerShell commands. The operation chains user-initiated PowerShell activity to download and execute Lumma Stealer and related payloads, with multiple stages and C2 activity observed. #ClearFake #LummaStealer #HijackLoader #Amadey #ThreatDown #PowerShell #DriveByCompromise
Keypoints
- ClearFake uses compromised websites to present a convincing modal overlay that urges users to take action, facilitating infection.
- The attack relies on social engineering, guiding victims to manually copy/paste malicious PowerShell code rather than downloading a file.
- The PowerShell command downloads a data archive and spawns a process chain: WinNc.exe → cmd.exe → AutoIt script (FOP_Authv3.au3).
- Unrar64.dll is loaded from the archive; its code has been modified, so its Authenticode signature no longer validates, and it is used to stage the next payload.
- FOP_Authv3.au3 maps to Lumma Stealer, which then drops additional payloads (e.g., HijackLoader and Amadey stealer).
- Post-infection network traffic and C2 infrastructure are documented as IOCs, highlighting Lumma Stealer C2 servers and related domains.
- MITRE-aligned mitigations emphasize domain monitoring, proactive Lumma Stealer C2 detection, and leveraging EDR to view the full attack chain.
MITRE Techniques
- [T1189] Drive-by Compromise – The attacker targets users via compromised websites that present a fake error overlay to prompt action: "Aw, Snap! Something went wrong while displaying this webpage" and "To display this web page correctly, please install the root certificate" ... overlaid on top of the hacked site by using an iframe
- [T1204] User Execution – The user manually copies and pastes the PowerShell command
- [T1059.001] PowerShell – Execution of a PowerShell command initiated by the user's paste, including an encoded command sequence
- [T1105] Ingress Tool Transfer – PowerShell contacts a remote server to download the payload (Lumma Stealer)
- [T1059.005] Visual Basic / Scripting (AutoIt) – AutoIt script executed as part of the payload chain after the initial download
- [T1116] Code Signing – Unrar64.dll is signed, but its code has been modified, resulting in an invalid signature
- [T1105] Exfiltration/Command and Control via C2 Domain – Lumma Stealer C2s contacted for additional payloads and data exfiltration (e.g., grazeinnocenttyyek.shop/api)
Indicators of Compromise
- [URL] pley[.]es/iframe.html – iframe-based fake error page used to lure victims
- [Domain] bsc-dataseed1[.]binance[.]org – Binance-related domain used in the workflow
- [URL] s9l0w7n3y5[.]xyz – ClearFake iframe/lander
- [URL] drinkresources[.]rest/df/data.zip – data archive download
- [File name] WinNc.exe – 34a31ce56c97fdc7a5db20c1dec741830c75d97b87c11c1658754419213ff6d7
- [File name] FOP_AUTHV3.AU3 – 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- [Domain] grazeinnocenttyyek[.]shop/api, horsedwollfedrwos[.]shop/api, and 6 more – Lumma Stealer C2 destinations
- [File name] 5E9T3S8I1K3L6QFP1P2V.EXE – 2126be78d0e7862d7409511690a89fb9e11bb2095d5bdb51f63c1dfa74f57d59
- [File hash] 2126be78d0e7862d7409511690a89fb9e11bb2095d5bdb51f63c1dfa74f57d59 – associated with 5E9T3S8I1K3L6QFP1P2V.EXE
- [File name] 4QXKTNG0KFO93FS7JPOG.EXE – 609e230fb76177e004f55572f4c812623fee224480baf2cf7f7d7ff5ccd5ce24
- [File hash] 609e230fb76177e004f55572f4c812623fee224480baf2cf7f7d7ff5ccd5ce24 – associated with 4QXKTNG0KFO93FS7JPOG.EXE
- [Domain] artservice[.]online – C2 traffic
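The mitigations in the keypoints (domain monitoring, Lumma Stealer C2 detection, EDR visibility of the whole chain) and the IOC list above can be turned into concrete triage logic. The following is an added example, not code from the ThreatDown post: it applies the WinNc.exe → cmd.exe → AutoIt chain and the listed domains and hashes to constructed Sysmon-style process and DNS events. The AutoIt interpreter name (AutoIt3.exe), the Temp path, the pids, the `cdn.` subdomain and the non-IOC hashes are assumptions made for the sample data.

```python
# Added example, not code from the ThreatDown post: applies the process chain and
# the IOCs listed in this summary to constructed Sysmon-style events so a responder
# can see what a chain match and an IOC match look like before writing SIEM rules.
from collections import namedtuple

# Process-creation record: pid, parent pid, image path, command line, SHA-256.
Proc = namedtuple("Proc", "pid ppid image cmdline sha256")

# Constructed events. Image names and the WinNc.exe hash follow the summary; the
# AutoIt interpreter name (AutoIt3.exe), the Temp path and the other hashes are assumed.
SAMPLE_PROCS = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "00" * 32),
    Proc(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -encodedCommand <omitted>", "11" * 32),
    Proc(300, 200, r"C:\Users\victim\AppData\Local\Temp\data\WinNc.exe",
         "WinNc.exe", "34a31ce56c97fdc7a5db20c1dec741830c75d97b87c11c1658754419213ff6d7"),
    Proc(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start FOP_Authv3.au3", "22" * 32),
    Proc(500, 400, r"C:\Users\victim\AppData\Local\Temp\data\AutoIt3.exe",
         "AutoIt3.exe FOP_Authv3.au3", "33" * 32),
    # Benign control: a developer running an AutoIt script straight from Explorer.
    Proc(600, 100, r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe build.au3", "44" * 32),
]

# Constructed DNS queries: three relate to the IOC list, one is background noise.
SAMPLE_DNS = ["grazeinnocenttyyek.shop", "cdn.drinkresources.rest",
              "bsc-dataseed1.binance.org", "www.example.com"]


def refang(ioc):
    """Turn the summary's defanged form (example[.]tld) back into a matchable name."""
    return ioc.replace("[.]", ".").lower()


# High-confidence domains from the IOC list (lander, archive host, Lumma C2s).
C2_DOMAINS = {refang(d) for d in (
    "s9l0w7n3y5[.]xyz", "drinkresources[.]rest", "grazeinnocenttyyek[.]shop",
    "horsedwollfedrwos[.]shop", "artservice[.]online")}
# bsc-dataseed1.binance.org is a public BNB Smart Chain RPC endpoint that the
# campaign abuses; on its own it is a weak signal, so it is scored separately.
CONTEXT_DOMAINS = {refang("bsc-dataseed1[.]binance[.]org")}

IOC_SHA256 = {
    "34a31ce56c97fdc7a5db20c1dec741830c75d97b87c11c1658754419213ff6d7": "WinNc.exe",
    "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d": "FOP_AUTHV3.AU3",
    "2126be78d0e7862d7409511690a89fb9e11bb2095d5bdb51f63c1dfa74f57d59": "5E9T3S8I1K3L6QFP1P2V.EXE",
    "609e230fb76177e004f55572f4c812623fee224480baf2cf7f7d7ff5ccd5ce24": "4QXKTNG0KFO93FS7JPOG.EXE",
}


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Image basenames from the given process up to the root (nearest first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_autoit_chain(procs):
    """Flag any .au3 execution whose parent is cmd.exe and grandparent WinNc.exe,
    the ordering the summary describes. Returns (pid, root->leaf chain) tuples."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if ".au3" not in p.cmdline.lower():
            continue
        chain = lineage(by_pid, p.pid)
        if chain[1:3] == ["cmd.exe", "winnc.exe"]:
            hits.append((p.pid, " -> ".join(reversed(chain))))
    return hits


def match_domains(queries):
    """Exact or subdomain match against the IOC domains; returns (query, ioc, confidence)."""
    hits = []
    for q in queries:
        q = q.lower().rstrip(".")
        for table, confidence in ((C2_DOMAINS, "high"), (CONTEXT_DOMAINS, "low")):
            for d in table:
                if q == d or q.endswith("." + d):
                    hits.append((q, d, confidence))
    return hits


def match_hashes(procs):
    """Map any process whose SHA-256 is in the IOC list to the listed file name."""
    return [(p.pid, IOC_SHA256[p.sha256.lower()]) for p in procs if p.sha256.lower() in IOC_SHA256]


if __name__ == "__main__":
    for hit in detect_autoit_chain(SAMPLE_PROCS):
        print("chain:", hit)
    for hit in match_domains(SAMPLE_DNS):
        print("domain:", hit)
    for hit in match_hashes(SAMPLE_PROCS):
        print("hash:", hit)
```

The chain rule deliberately requires cmd.exe as the direct parent and WinNc.exe as the direct grandparent, so the benign AutoIt run launched from Explorer produces no alert; loosening it to "WinNc.exe anywhere in the lineage" trades that precision for resilience against an extra intermediate process. Hash matches are the most brittle signal (a rebuilt payload changes them), the C2 domains the most useful for network monitoring, and the chain the one that survives both.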
Read more: https://www.threatdown.com/blog/clearfake-walkthrough-06-03-2024/