
Fake CAPTCHA Pages Used in Access-as-a-Service Scheme Involving CORNFLAKE.V3

ClickFix and CORNFLAKE.V3 Backdoor

Threat actors actively leverage the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.

Google-owned Mandiant describes the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems. Other threat groups then monetize this access.

“The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google states in a report published today.

The access provided by UNC5518 allows at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads:

  • UNC5774: This financially motivated group delivers CORNFLAKE as a means to deploy various subsequent payloads.
  • UNC4108: This threat actor, with unknown motivation, uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT.

Fake CAPTCHAs

The attack chain likely begins when the victim lands on a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.

Next, the user is tricked into pasting and running a malicious PowerShell command in the Windows Run dialog. That command fetches and executes the next-stage dropper from a remote server; the downloaded script checks whether it is running inside a virtualized environment and, if not, launches CORNFLAKE.V3.

Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that retrieves and executes payloads over HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It also collects basic system information and sends it to an external server. Its command-and-control traffic is proxied through Cloudflare tunnels to evade detection.

“CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli explains. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key and supports additional payload types.”

Both generations differ markedly from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.

Persistence on the host is achieved through a Windows Registry Run key. CORNFLAKE.V3 has been observed delivering at least three different payloads: an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA. This C variant of WINDYTWIST supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.

Select versions of WINDYTWIST.SEA also attempt to move laterally within the network of the infected machine.

“To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli advises. “Regular simulation exercises prove crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems remain essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”
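The advice above comes down to two things a Windows administrator can check locally: whether a command matching the ClickFix pattern has been typed into the Run dialog, and whether a Run key now points at a script host. The following PowerShell script is an added example, not code from the article or from Mandiant. It audits Explorer's RunMRU history (where the Run dialog records what was entered) and the Run/RunOnce autorun keys, and defines a function that applies the NoRun Explorer policy the report suggests. The indicator patterns and the "script host from a user-writable path" rule are the author's own heuristics, not indicators published in the report.

```powershell
# Added example, not code from the article or from Mandiant: audit the two
# registry locations the ClickFix chain touches (the Run dialog's RunMRU history
# and the Run/RunOnce autorun keys) and optionally apply the NoRun policy that
# removes the Run dialog. The indicator patterns are the author's own heuristics.

# Strings that typically appear in a copy-pasted ClickFix command: hidden window,
# bypassed execution policy, a base64 -EncodedCommand, or a download cradle.
$SuspiciousPatterns = @(
    '-w(indowstyle)?\s+h(idden)?\b',
    '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    '-(ep|executionpolicy)\s+bypass',
    '(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)',
    '(iex|invoke-expression)',
    '\b(mshta|curl|certutil|bitsadmin)\b',
    'https?://'
)

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    foreach ($p in $SuspiciousPatterns) {
        if ($CommandLine -match $p) { $p }   # emit each matching pattern
    }
}

# 1. Win+R history: Explorer stores each command typed into the Run dialog as a
#    single-letter value under RunMRU, with a trailing "\1".
function Get-SuspiciousRunMru {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -cnotmatch '^[a-z]$') { continue }   # skip MRUList and PS* metadata
        $command = ([string]$prop.Value) -replace '\\1$', ''
        $hits = @(Test-SuspiciousCommand $command)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Source = 'RunMRU'; Name = $prop.Name; Command = $command; Matched = ($hits -join ' | ') }
        }
    }
}

# 2. Autorun entries: CORNFLAKE.V3 persists through a Run key, so flag Run/RunOnce
#    values that call a script host from a user-writable directory or that match
#    the ClickFix patterns above.
function Get-SuspiciousRunKeys {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $metadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $metadata) { continue }
            $command = [string]$prop.Value
            $hits = @(Test-SuspiciousCommand $command)
            # Author's heuristic: a script host started from a user-writable location
            if ($command -match '\b(wscript|cscript|powershell|pwsh|mshta|node)(\.exe)?\b' -and
                $command -match '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\') {
                $hits += 'script host launched from user-writable path'
            }
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $command; Matched = ($hits -join ' | ') }
            }
        }
    }
}

# 3. Mitigation the report recommends where feasible: the NoRun Explorer policy
#    removes the Run dialog for the current user (applies once Explorer restarts,
#    typically at next logon).
function Disable-RunDialog {
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Run the audit; invoke Disable-RunDialog separately once the impact on users is understood.
@(Get-SuspiciousRunMru) + @(Get-SuspiciousRunKeys) | Format-Table -AutoSize -Wrap
```

The audit reads HKCU under the current user's rights and HKLM Run keys, which are readable by standard users, so it can run without elevation; collecting the same two locations from an EDR or a scheduled script across a fleet gives the "robust logging and monitoring" the quote calls for. A RunMRU hit is a strong signal on its own, because ordinary users rarely type a download cradle into Win+R.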

USB Infection Drops XMRig Miner

The disclosure comes as the threat intelligence firm details an ongoing campaign, active since September 2024, that uses infected USB drives to spread to other hosts and deploy cryptocurrency miners.

“This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant states. “The low cost and ability to bypass network security make this technique a compelling option for attackers.”

The attack chain begins when a victim is tricked into opening a Windows shortcut (LNK) file on the compromised USB drive. The LNK file runs a Visual Basic script located in the same folder, which in turn launches a batch script that initiates the infection and deploys the following components:

  • DIRTYBULK: A C++ DLL launcher that initiates the execution of other malicious components, such as CUTFAIL.
  • CUTFAIL: A C++ malware dropper responsible for decrypting and installing malware onto a system, including HIGHREPS and PUMPBENCH, as well as third-party libraries like OpenSSL, libcurl, and WinPthreadGC.
  • HIGHREPS: A downloader that retrieves additional files to ensure the persistence of PUMPBENCH.
  • PUMPBENCH: A C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and downloads XMRig.
  • XMRig: An open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin.

“PUMPBENCH spreads by infecting USB drives,” Mandiant explains. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”
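Because the spreading mechanism leaves a recognisable footprint on the drive (a shortcut that launches a script host, pointing at a VBScript in the same folder, alongside a batch file and a DAT file), a defender can check removable media for that shape before anything is opened. The PowerShell below is an added example, not code from the article or from Mandiant: it enumerates removable drives, resolves what each .lnk actually launches through the WScript.Shell COM object, and reports shortcuts whose target is a script host, that reference a sibling script, or that sit next to the bat/vbs/dat trio. The scoring rules are the author's own assumptions; the report does not publish file names, so none are assumed here.

```powershell
# Added example, not code from the article or from Mandiant: scan removable
# drives for the shortcut -> VBScript -> batch chain described above. The
# heuristics are the author's own; no file names from the campaign are assumed.

# DriveType 2 is "removable disk" in Win32_LogicalDisk.
function Get-RemovableDriveRoots {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

# Resolve what a .lnk launches (target plus arguments) via the WScript.Shell COM object.
function Get-ShortcutCommand {
    param([string]$LnkPath)
    $shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut($LnkPath)
    ("{0} {1}" -f $shortcut.TargetPath, $shortcut.Arguments).Trim()
}

function Find-UsbLnkChain {
    param([string[]]$Roots = @(Get-RemovableDriveRoots))
    $scriptExt = @('.vbs', '.vbe', '.bat', '.cmd', '.dat')
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $lnks = Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($lnk in $lnks) {
            $command = Get-ShortcutCommand $lnk.FullName
            $reasons = @()
            # The shortcut launches a script host rather than a document or program.
            if ($command -match '\b(wscript|cscript|cmd|powershell|mshta)(\.exe)?\b') {
                $reasons += 'target is a script host'
            }
            # ...and it references a script sitting in the same folder as the shortcut.
            $siblings = @(Get-ChildItem -Path $lnk.DirectoryName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension.ToLower() -in $scriptExt })
            foreach ($s in $siblings) {
                if ($command -match [regex]::Escape($s.Name)) { $reasons += "references sibling $($s.Name)" }
            }
            # The report describes a batch file, a VBScript, a shortcut and a DAT file created together.
            $kinds = @($siblings | ForEach-Object { $_.Extension.ToLower() } | Sort-Object -Unique)
            if (($kinds -contains '.bat' -or $kinds -contains '.cmd') -and
                ($kinds -contains '.vbs' -or $kinds -contains '.vbe') -and
                ($kinds -contains '.dat')) {
                $reasons += 'bat + vbs + dat alongside the shortcut'
            }
            # Hidden shortcuts are a common way to impersonate the drive's real contents (author's heuristic).
            if (($lnk.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'shortcut is hidden' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Shortcut = $lnk.FullName; Command = $command; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Find-UsbLnkChain | Format-Table -AutoSize -Wrap
```

Reading a shortcut's target with CreateShortcut does not execute it, so the scan is safe to run against an untrusted drive; pass explicit roots (for example `Find-UsbLnkChain -Roots 'E:\'`) to check a single device or a mounted image. A result with all three reasons matches the chain the report describes closely enough to justify pulling the drive for analysis rather than opening anything on it.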

Source: TheHackerNews