LevelBlue SpiderLabs analyzed ErrTraffic V3, a ClickFix-focused Traffic Distribution System (TDS) that compromises WordPress sites by installing a PHP backdoor as a must-use (mu) plugin. The backdoor captures administrator credentials and injects obfuscated inline JavaScript, and because WordPress loads mu-plugins on every request it persists without ever being activated. The campaign resolves its C2 infrastructure through Polygon smart contracts (EtherHiding) and delivers OS-specific ClickFix lures and payloads. Hardcoded cryptographic keys in the tooling expose the operators' traffic and infrastructure to analysis. #ErrTraffic #ClickFix
Keypoints
- ErrTraffic V3 targets WordPress by writing a Base64-decoded PHP backdoor into the mu-plugins directory, where WordPress loads it automatically on every request.
- The backdoor captures administrator credentials, injects two JavaScript blocks into the site footer (a beaconing script and the ErrTraffic loader), and hides them behind XOR+Base64 obfuscation to evade detection.
- ErrTraffic implements EtherHiding: the loader queries Polygon RPC endpoints and reads attacker-controlled smart contracts to retrieve C2 URLs and payload metadata, so the operators can rotate C2 by updating the contract rather than touching compromised sites.
- ClickFix lures are OS-specific and multilingual, delivered through social-engineering pages (fake BSOD, reCAPTCHA, Cloudflare challenges), and hand the victim an obfuscated PowerShell (Windows) or macOS payload.
- The malware communicates with backend APIs (evt, init, cfg and dl actions), supports AES-GCM and a legacy RC4 mode, and downloads payloads over TLS 1.2.
- Operational-security failures (a hardcoded API_Q2_KEY_HEX and reused backdoor authentication keys) let defenders decrypt captured traffic and pivot to additional compromised sites and attacker infrastructure.
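The two crypto weaknesses in the key points above (a static XOR key over the Base64-wrapped footer script, and a hardcoded key for the legacy RC4 API mode) are what let an analyst read the traffic. The following is an added example, not code from the LevelBlue analysis or from the ErrTraffic samples: the script body, the XOR key and the hex API key are constructed stand-ins, and the encoder is only there so the decoder has something to work on offline. It also shows the known-plaintext step a defender uses when the XOR key is not yet in hand: injected scripts start predictably, so XORing the ciphertext prefix with that prefix yields the keystream, whose shortest period is the key.

```python
import base64
from itertools import cycle

# Constructed sample values for this example; none are taken from the
# ErrTraffic samples. The script mirrors the loader behaviour the
# analysis describes (pulling a second stage from api/css.js).
SAMPLE_SCRIPT = (b"(function(){var s=document.createElement('script');"
                 b"s.src='/api/css.js';document.head.appendChild(s);})();")
XOR_KEY = b"k3y"                                          # assumed static key
LEGACY_RC4_KEY_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"  # assumed API_Q2_KEY_HEX-style value


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(script: bytes, key: bytes) -> str:
    """Operator side: XOR with the static key, then Base64 (the inline blob)."""
    return base64.b64encode(xor_bytes(script, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Defender side: Base64-decode, then XOR with the same static key."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_xor_key(blob: str, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery of the static XOR key.

    Ciphertext prefix XOR known plaintext prefix gives the keystream prefix;
    its shortest repeating period is the key. Needs a known prefix at least
    one key length long, which "(function(){" or "var " usually satisfies.
    """
    keystream = xor_bytes(base64.b64decode(blob)[:len(known_prefix)], known_prefix)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return keystream[:period]
    return keystream


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). The same call encrypts and decrypts; legacy API mode."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_legacy_api(key_hex: str, message: bytes) -> str:
    """Operator side of the legacy mode: RC4 under the hardcoded key, then Base64."""
    return base64.b64encode(rc4(bytes.fromhex(key_hex), message)).decode("ascii")


def decrypt_legacy_api(key_hex: str, blob_b64: str) -> bytes:
    """Defender side: decrypt a captured legacy-mode API message with the leaked key."""
    return rc4(bytes.fromhex(key_hex), base64.b64decode(blob_b64))


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_SCRIPT, XOR_KEY)
    print("recovered XOR key:", recover_xor_key(blob, b"(function(){var "))
    print(deobfuscate(blob, XOR_KEY).decode())
    msg = b'{"action":"cfg","os":"windows"}'   # constructed; action names per the analysis
    print(decrypt_legacy_api(LEGACY_RC4_KEY_HEX, encrypt_legacy_api(LEGACY_RC4_KEY_HEX, msg)).decode())
```

The AES-GCM mode is not shown because it needs a third-party library; with the hardcoded key the same approach applies, except that the nonce and tag must be parsed out of the message before decryption. Note that key recovery by period-finding only works for a short repeating key; if the recovered "period" equals the prefix length, the key is longer than your known plaintext.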
MITRE Techniques
- [T1505.003] Web Shell – A PHP backdoor is deployed into the WordPress mu-plugins directory so that it executes without activation: 'writes it to the mu-plugin directory to ensure automatic execution on every request.'
- [T1056] Input Capture – The backdoor captures administrator credentials, and the beaconing script collects request and browsing attributes from visitors: 'captures administrator credentials.'
- [T1027] Obfuscated Files or Information – ErrTraffic hides its JavaScript and payloads behind Base64 encoding followed by a static XOR key: 'leverage both XOR and Base64 obfuscation to evade detection.'
- [T1059] Command and Scripting Interpreter – Malicious inline JavaScript is injected into site footers, and ClickFix delivers an obfuscated PowerShell payload: 'injects malicious inline scripts' and 'obfuscated PowerShell payload.'
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and smart-contract lookups run over HTTP(S) and JSON-RPC (Polygon RPC hosts, backend API endpoints), with TLS 1.2 enforced for downloads: 'queries a remote blockchain RPC endpoint' and 'forces the use of TLS 1.2.'
- [T1105] Ingress Tool Transfer – The loader and backdoor fetch OS-specific payloads and configuration from attacker-controlled endpoints, retrying on failure: 'attempts multiple times to retrieve the payload from the attacker-controlled endpoint.'
- [T1204] User Execution – ClickFix relies on social-engineering lures (fake BSOD, reCAPTCHA, Cloudflare CAPTCHA) to get the victim to run the payload themselves: 'fake BSOD screens, reCAPTCHA prompts, and Cloudflare CAPTCHA challenge pages.'
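The T1071.001 and T1105 entries above describe the EtherHiding lookup: a read-only `eth_call` against the Polygon contract, with the returned ABI-encoded string used as the C2 or payload URL, and a fallback across several RPC hosts. The block below is an added example of that exchange, not code from the analysis or from the ErrTraffic loader. The contract address is the one from the IoC list; the RPC host list, the function selector (a hypothetical `getValue()` getter, since the summary does not name the contract function) and the returned URL are assumptions, and the HTTP POST is replaced by an injected `send` callable so the example runs offline.

```python
import json

# Contract address from the IoC list (Polygon); the loader reads its C2 from it.
CONTRACT = "0x08207B087F61d7e95E441E15fd6d40BEfd6eD308"
# Assumption: public Polygon JSON-RPC hosts standing in for CONTRACT_CONFIG.RPC_HOSTS.
RPC_HOSTS = ["https://polygon-rpc.com", "https://polygon.drpc.org"]
# Assumption: the loader calls a no-argument getter. The 4-byte selector is
# keccak256(signature)[:4]; the real function name is not given in the
# summary, so a hypothetical getValue() selector is used here.
SELECTOR = "0x20965255"


def build_eth_call(contract: str, selector_hex: str, block: str = "latest") -> dict:
    """JSON-RPC eth_call: a read-only contract call, no wallet or gas needed."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector_hex}, block]}


def abi_encode_string(value: str) -> str:
    """ABI-encode a single `string` return value: offset word, length word, padded bytes."""
    data = value.encode("utf-8")
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string: follow the offset, read the length, slice the bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def resolve_c2(rpc_hosts, request: dict, send) -> str:
    """Walk the RPC host list until one answers (the loader's fallback behaviour).

    `send(host, request)` performs the HTTP POST; it is injected so this example
    runs offline. A host that raises is skipped, as is an empty result ("0x").
    """
    for host in rpc_hosts:
        try:
            response = send(host, request)
        except OSError:
            continue
        result = response.get("result")
        if result and result != "0x":
            return abi_decode_string(result)
    raise RuntimeError("no RPC host returned a value")


# Constructed sample: the value a working host would hand back for the call.
SAMPLE_C2 = "https://loader.example/api/css.js"
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_C2)}


def fake_send(host: str, request: dict) -> dict:
    """Offline stand-in for the HTTP POST: the first host is 'down', the second answers."""
    if host == RPC_HOSTS[0]:
        raise ConnectionError("simulated outage")
    if request["method"] != "eth_call":
        raise ValueError("unexpected method")
    return SAMPLE_RESPONSE


def request_body(contract: str = CONTRACT, selector: str = SELECTOR) -> str:
    """The JSON body a network sensor sees in the POST to the RPC host."""
    return json.dumps(build_eth_call(contract, selector), separators=(",", ":"))


if __name__ == "__main__":
    print(request_body())
    print(resolve_c2(RPC_HOSTS, build_eth_call(CONTRACT, SELECTOR), fake_send))
```

Two practical consequences follow from the exchange. Because `eth_call` is free and unauthenticated, a defender can poll the same contract with the same request to track C2 changes over time, and because contract state updates are transactions, the chain keeps a permanent history of every URL the operators ever published. On the network side, the telltale is an outbound POST with `"method":"eth_call"` to a public RPC host from a browser session that has no business talking to a blockchain.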
Indicators of Compromise
- [Smart contract / wallet address] ErrTraffic EtherHiding C2 resolution – 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 (Polygon), plus other contracts created by this address.
- [Smart contract addresses used by ClearFake] C2 and stage retrieval – 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e, 0xf4a32588b50a59a82fbA148d436081A48d80832A.
- [Domains / TLDs] Beaconing and malicious hosting – TLDs observed on beacon domains and ErrTraffic infrastructure: .sbs, .cyou, .cfd, .icu. A TLD alone is a hunting pivot, not a blocking indicator.
- [File names / paths] WordPress backdoor artifacts – session-manager.php written to the mu-plugins directory, and the default loader path 'api/css.js'.
- [API / RPC endpoints] Backend and blockchain RPC usage – Polygon RPC hosts listed in CONTRACT_CONFIG.RPC_HOSTS; bsc-testnet.drpc[.]org and data-seed-prebsc-1-s1[.]bnbchain[.]org:8545 used by ClearFake.
- [URLs] External lookups and reconnaissance – hxxps://ip-info.ff.avast[.]com/v2/info, queried for IP information during ClearFake execution.
- [Infrastructure / hosting] Hosting clusters and ASNs – Omegatech LTD (AS202412) and Cloudflare (AS13335) are the primary hosting clusters; BL Networks (AS399629) and Play2go (AS215439) were also observed.
- [SSH fingerprint] Unique server SSH key – 75:04:56:1b:27:35:f3:37:60:2e:9f:12:0b:c6:c9:e0 (MD5 host-key fingerprint, associated with Omegatech-hosted IPs).
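The file, path and TLD indicators above translate directly into a host-side check for WordPress operators: look in wp-content/mu-plugins for the known filename or for a Base64-wrapped stage, and look in rendered pages for external scripts on the listed TLDs and for the api/css.js loader path. The scanner below is an added example written for this page, not tooling from LevelBlue; the `base64_decode(` heuristic and the sample site it builds in a temporary directory (one benign mu-plugin, one stand-in backdoor, one rendered page pointing at a constructed .sbs hostname) are assumptions used only to exercise the rules.

```python
import re
import tempfile
from pathlib import Path

SUSPECT_TLDS = {"sbs", "cyou", "cfd", "icu"}        # from the IoC list
BACKDOOR_FILENAMES = {"session-manager.php"}         # from the IoC list
LOADER_PATH = "api/css.js"                           # default loader path from the IoC list
# Assumption: a generic sign of a Base64-wrapped PHP stage; baseline legitimate plugins first.
PHP_DECODE_RE = re.compile(r"base64_decode\s*\(", re.IGNORECASE)
# Host portion of absolute <script src=...> URLs (scheme-relative included).
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE)


def scan_mu_plugins(wp_root: Path) -> list:
    """Flag mu-plugins by known backdoor filename or by an embedded base64_decode()."""
    findings = []
    mu_dir = wp_root / "wp-content" / "mu-plugins"
    if not mu_dir.is_dir():
        return findings
    for path in sorted(mu_dir.rglob("*.php")):
        reasons = []
        if path.name in BACKDOOR_FILENAMES:
            reasons.append("known backdoor filename")
        if PHP_DECODE_RE.search(path.read_text(errors="replace")):
            reasons.append("base64_decode() in mu-plugin")
        if reasons:
            findings.append((path.relative_to(wp_root).as_posix(), reasons))
    return findings


def suspicious_script_hosts(html: str) -> list:
    """Hosts of external <script> tags whose TLD appears in the IoC list."""
    hosts = []
    for host in SCRIPT_SRC_RE.findall(html):
        host = host.split(":")[0].lower()           # drop any :port
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS and host not in hosts:
            hosts.append(host)
    return hosts


def references_loader(html: str) -> bool:
    """True if the rendered page pulls the default ErrTraffic loader path."""
    return LOADER_PATH in html


def scan_site(wp_root: Path, rendered_html: str) -> dict:
    """Combine the file-system and rendered-page checks into one report."""
    return {"mu_plugins": scan_mu_plugins(wp_root),
            "script_hosts": suspicious_script_hosts(rendered_html),
            "loader_ref": references_loader(rendered_html)}


def build_sample_site(root: Path) -> str:
    """Constructed WordPress tree for the demo; returns a constructed rendered page."""
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / "healthcheck.php").write_text(
        "<?php\n// benign stand-in: registers a health endpoint\nadd_action('init', 'hc_init');\n")
    (mu / "session-manager.php").write_text(
        "<?php\n// constructed stand-in, not real malware\n$stage = base64_decode('Zm9v');\n")
    return ("<html><body><p>hello</p>"
            "<script src=\"https://sample-beacon.sbs/b.js\"></script>"   # constructed hostname
            "<script src=\"/api/css.js\"></script>"
            "</body></html>")


def demo() -> dict:
    """Run the scanner against the constructed site in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        html = build_sample_site(root)
        return scan_site(root, html)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real install by pointing `scan_site` at the WordPress root and at a page fetched as an anonymous visitor; the footer injection is only visible in rendered output, not in the theme files. Expect some base64_decode() hits from legitimate plugins, so treat that rule as a triage signal and the filename and loader-path matches as the strong ones.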