Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.
Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.
"The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box," Google said in a report published today.
The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads -
- UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
- UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT
The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.
The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it's running within a virtualized environment and ultimately launches CORNFLAKE.V3.
Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.
"CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase," Mandiant researcher Marco Galli said. "Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types."
Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.
Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.
Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine.
"To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible," Galli said. "Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3."
The Rise of ClickFix Kits
The use of ClickFix has soared in popularity among threat actors over the past year, as it dupes users into infecting their own machines under the pretext of helping them solve minor technical issues, completing CAPTCHA verification checks by impersonating Cloudflare Turnstile, or spoofing a Discord server that supposedly needs to verify a user before they can join.
This, in turn, entails giving users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, Windows PowerShell, or macOS Terminal, depending on the operating system used.
"Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions," Microsoft said in a detailed write-up. "It's often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets."
The social engineering ploy has been embraced by numerous threat actors to deliver information stealers (Lumma Stealer), remote access trojans (Xworm, AsyncRAT, NetSupport RAT, and SectopRAT), malware loaders (Latrodectus and MintsLoader), rootkits (r77), and banking trojans (Lampion).
Microsoft said it has also observed several threat actors peddling configurable ClickFix builders (also called "Win + R") on popular cybercrime forums since late 2024, for anywhere from $200 to $1,500 per month. Other offerings include one-time and piecemeal solutions, for example the source code, the landing page, or the command line used to kick off the infection, for prices between $200 and $500.
"Some of these actors are bundling ClickFix builders into their existing kits that already generate various files such as LNK, JavaScript, and SVG files," the Windows maker said. "The kits offer creation of landing pages with a variety of available lures including Cloudflare."
"They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence."
To counter ClickFix-style attacks, users should be educated to recognize social engineering and to be careful about what they paste into apps like Terminal or PowerShell. Organizations are recommended to consider using enterprise-managed browsers, block web pages from automatically running Flash plugins, and turn on safe attachment policies for incoming messages.
Other steps include -
- Enable PowerShell script block logging to detect and analyze obfuscated or encoded commands for enhanced visibility
- Use PowerShell execution policies such as setting AllSigned or RemoteSigned to help reduce the risk of malicious execution
- Use Group Policy to deploy hardening configurations, such as removing the Run menu from the Start Menu, prohibiting the launch of native Windows binaries from Run, and configuring Windows Terminal to alert users when they paste text that contains multiple lines
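The three steps above, applied from an elevated PowerShell session, plus a hunt over the resulting script block log for the download-and-execute primitives ClickFix one-liners rely on. This is an added example, not code from the Mandiant or Microsoft reports; the registry paths and event ID 4104 are standard Windows locations, while the pattern list is a constructed starting point rather than a complete signature.

```powershell
# Added example: apply the ClickFix mitigations listed above and hunt
# PowerShell script block logs (event ID 4104) for ClickFix-style content.
# Run elevated. The $patterns list is a constructed, non-exhaustive set.

# 1. Enable PowerShell script block logging (machine-wide policy key).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Require a signature on scripts that arrived from the internet.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 3. Remove the Run dialog for the current user (the "Remove Run menu from
#    Start Menu" policy; push the same value via Group Policy estate-wide).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorer -Force | Out-Null
Set-ItemProperty -Path $explorer -Name NoRun -Value 1 -Type DWord

# 4. Hunt 4104 events for script blocks that fetch and run remote content,
#    hide their window, or decode a base64 stage.
$patterns = 'DownloadString', 'Invoke-Expression', '\biex\b', 'FromBase64String',
            'Invoke-RestMethod', '\birm\b', '-w(indowstyle)?\s+hidden'
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $text = [string]$_.Properties[2].Value       # ScriptBlockText field
    $hits = $patterns | Where-Object { $text -match $_ }
    if ($hits) {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        Matches = ($hits -join ', ')
        Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
      }
    }
  } | Format-Table -AutoSize -Wrap
```

Script block logging only captures blocks executed after it is enabled, so the hunt is most useful after the policy has been in place for a while.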
USB Infection Drops XMRig Miner
The disclosure comes as the threat intelligence firm detailed an ongoing campaign, active since September 2024, that uses infected USB drives to spread to other hosts and deploy cryptocurrency miners.
"This demonstrates the continued effectiveness of initial access via infected USB drives," Mandiant said. "The low cost and ability to bypass network security make this technique a compelling option for attackers."
The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection -
- DIRTYBULK, a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL
- CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-party libraries like OpenSSL, libcurl, and WinPthreadGC
- HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
- PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and downloads XMRig
- XMRig, an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin
"PUMPBENCH spreads by infecting USB drives," Mandiant said. "It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file."
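A triage script for the LNK -> VBScript -> batch lure chain described above, run on a host with a suspect drive attached: it lists root-level shortcuts on removable media that launch a script host or reference a script on the same drive, together with the companion .vbs, .bat and .dat files PUMPBENCH is said to create. This is an added example and not Mandiant's code; the regexes and the companion extension list are constructed assumptions.

```powershell
# Added example: flag LNK lures on removable drives and list the companion
# script and data files sitting beside them. Heuristics are assumptions.

$shell     = New-Object -ComObject WScript.Shell
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'   # removable

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    $lnks = Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue
    foreach ($lnk in $lnks) {
        # Resolve what the shortcut actually runs (target plus arguments).
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"

        # Suspicious if it invokes a script host / shell, or points at a
        # script file rather than a document or application.
        $suspect = ($cmd -match '\b(wscript|cscript|cmd|powershell)(\.exe)?\b') -or
                   ($cmd -match '\.(vbs|bat|cmd|ps1)\b')
        if (-not $suspect) { continue }

        # Companion files the dropper leaves on the drive root.
        $companions = Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.vbs', '.bat', '.dat' } |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Drive      = $disk.DeviceID
            Shortcut   = $lnk.Name
            Hidden     = [bool]($lnk.Attributes -band [IO.FileAttributes]::Hidden)
            Launches   = $cmd.Trim()
            Companions = ($companions -join ', ')
        }
    }
}
```

A hit is a lead for manual review, not a verdict: quarantine the drive and pull the shortcut target, the referenced script and any .dat file for analysis rather than opening them.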