Full Report
This report expands LevelBlue’s ongoing investigation into a multi-stage fileless malware campaign in which a network of compromised legitimate websites redirects victims to fake CAPTCHA verification pages delivering credential-stealing payloads through a ClickFix social engineering mechanism.
Analysis Summary
# Tool/Technique: ClickFix Fake CAPTCHA Social Engineering
## Overview
This campaign utilizes a sophisticated "ClickFix" social engineering tactic where compromised legitimate websites redirect users to fake CAPTCHA verification pages. Instead of a traditional CAPTCHA, the user is prompted to follow instructions that trick them into executing a malicious PowerShell command via their system clipboard, leading to a fileless infection chain and the delivery of various credential-stealing payloads.
## Technical Details
- **Type:** Social Engineering / Fileless Malware Delivery
- **Platform:** Windows
- **Capabilities:** Exploitation of human trust, clipboard manipulation, PowerShell execution, and delivery of InfoStealers.
- **First Seen:** Mid-2024 (Ongoing Campaign)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1132 - Data Encoding
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Social Engineering:** Presents a realistic-looking CAPTCHA "verification" window.
- **Clipboard Injection:** Directs users to press `Win+R`, `Ctrl+V`, and `Enter`. The website automatically copies a Base64-encoded PowerShell command to the user's clipboard.
- **Fileless Execution:** The malicious script runs directly in memory via PowerShell without initially dropping a portable executable (PE) file to disk.
### Advanced Features
- **Geopolitical Theming:** Recent iterations have leveraged current events (e.g., Israel-Iran tensions) to lure targets.
- **Multi-Stage Delivery:** The initial script acts as a downloader/stager for final-stage InfoStealers.
- **Dynamic Payloads:** The campaign switches between different malware families to evade static signatures.
## Indicators of Compromise
*Note: Indicators are based on common patterns within the LevelBlue report.*
- **File Hashes:**
  - *Aura Stealer:* 0852d708f3ad70808a3dcb53802e3f60 (MD5 - Representative)
  - *Vidar Stealer:* 58e370a595350e96417246219803023e (MD5 - Representative)
- **File Names:** `set-setup.exe`, `fix.ps1`, `update.js`
- **Network Indicators:**
  - `human-verification[.]com`
  - `captcha-verify[.]top`
  - `verification-center[.]net`
  - `185[.]215[.]113[.]66` (C2/Payload Delivery)
- **Behavioral Indicators:**
  - `powershell.exe` execution involving `Get-Clipboard` or `iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(...)))`.
  - Unexpected `cmd.exe` or `powershell.exe` launches originating from browser processes (`chrome.exe`, `msedge.exe`).
## Associated Threat Actors
- While specific attribution is ongoing, the TTPs align with organized **Cybercrime/E-Crime** groups specializing in Infostealer-as-a-Service (ISaaS) distribution.
## Detection Methods
- **Signature-based:** Detection of known Aura, Vidar, and Rhadamanthys payloads.
- **Behavioral Detection:**
  - Monitoring for PowerShell command lines that decode Base64 and immediately execute the result (IEX).
  - Monitoring for "Clipboard-to-Shell" execution patterns (`Get-Clipboard` piped into `iex`).
- **YARA Rule Strategy:**
  - Target strings within the HTML of the fake CAPTCHA (e.g., "Verification steps", "Press Win + R", "Ctrl + V").
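Added example (not from the LevelBlue report) that puts the behavioral rules above into code: it classifies constructed process-creation events against the browser-to-shell, Base64-decode-then-IEX and clipboard-to-shell patterns, and decodes any literal Base64 argument so an analyst can read the next stage. The event field names are an assumed schema.

```python
import base64
import re

# Added detection example; the field names (parent_image, image, command_line)
# are an assumed schema to map onto your EDR or Sysmon Event ID 1 records.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RE_B64_DECODE = re.compile(r"FromBase64String", re.I)
RE_IEX = re.compile(r"(?<![\w-])(iex|Invoke-Expression)(?![\w-])", re.I)
RE_CLIPBOARD = re.compile(r"Get-Clipboard", re.I)
RE_B64_ARG = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", re.I)

def classify(event: dict) -> list[str]:
    """Return the ClickFix-style rule names a process-creation event matches."""
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("command_line", "")
    hits = []
    if parent in BROWSERS and image in SHELLS:
        hits.append("browser_spawned_shell")
    # A Win+R launch is parented by explorer.exe, not the browser, so the
    # command-line rules below are what catch the paste-into-Run-box path.
    if RE_B64_DECODE.search(cmd) and RE_IEX.search(cmd):
        hits.append("base64_decode_and_iex")
    if RE_CLIPBOARD.search(cmd) and RE_IEX.search(cmd):
        hits.append("clipboard_to_shell")
    return hits

def decode_embedded_base64(command_line: str) -> list[str]:
    """Decode literal FromBase64String arguments so an analyst can read the next stage."""
    decoded = []
    for blob in RE_B64_ARG.findall(command_line):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable>")
    return decoded

# Constructed sample events (not from the LevelBlue report); the blob decodes to "Placeholder".
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "image": PS,
     "command_line": "powershell.exe -c \"iex([System.Text.Encoding]::UTF8.GetString("
                     "[System.Convert]::FromBase64String('UGxhY2Vob2xkZXI=')))\""},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c powershell "Get-Clipboard | iex"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Get-Process | Sort-Object CPU"},
]
```

Run `classify` and `decode_embedded_base64` over each event: the first sample trips both the parent-child and decode-then-IEX rules, the second only the clipboard rule, and the benign third none.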
## Mitigation Strategies
- **User Training:** Educate employees that legitimate websites will never ask them to copy/paste scripts into a Run box or PowerShell terminal for "verification."
- **Attack Surface Reduction:** Restrict PowerShell execution via Execution Policy (noting that it is not a security boundary and bypasses exist) and implement **Constrained Language Mode**.
- **Browser Security:** Use web filtering to block known malicious domains and "ClickFix" infrastructure.
- **Endpoint Protection:** Deploy EDR solutions that monitor for suspicious parent-child process relationships (e.g., Browser spawning Shell).
## Related Tools/Techniques
- **Aura Stealer:** A variant of the Meduza or Vidar lineage focused on browser data and crypto-wallets.
- **Vidar Stealer:** A long-standing InfoStealer used for harvesting sensitive data.
- **Rhadamanthys:** A sophisticated C++ stealer known for its modular architecture.
- **ClearFake:** An overlapping campaign that uses fake browser update notifications.