ClickFix Infostealer Attack Linked to Claude Code Installation
A Sophisticated Cyber Attack Combining SEO Poisoning and ClickFix Social Engineering
Researchers at Cyderes have uncovered a cyberattack campaign that combines search engine optimization (SEO) poisoning with ClickFix-style social engineering to deploy a .NET-based infostealer.
The “Claude Code install” Campaign
The campaign, dubbed “Claude Code install,” impersonates the installation process for a popular AI-powered coding tool and chains several evasion techniques to stay below detection thresholds.
The lure delivers an MP3/HTA polyglot. The file plays as a valid audio file, but it also carries a malicious HTA script block; a file-type filter that classifies the file by its audio header passes it, while mshta.exe, which tolerates leading non-HTML content, still finds and executes the script.
Evasion Techniques
Once mshta.exe runs the HTA, the script registers a scheduled task that launches cmd.exe, which in turn invokes the 32-bit PowerShell binary (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe on 64-bit Windows) to run a further script. Using the 32-bit binary is itself an evasion: many endpoint detection and response (EDR) rules and baselines key on the 64-bit powershell.exe under System32, so the SysWOW64 copy draws less scrutiny.
The base64-encoded script first disables the Windows Antimalware Scan Interface (AMSI) by setting the amsiInitFailed field of System.Management.Automation.AmsiUtils to true in memory, so the runtime believes AMSI failed to initialise and skips scanning. It then decrypts its RC4-encrypted string constants with a hardcoded key and fingerprints the host, deriving a unique subdomain from an MD5 hash of the victim’s computer name and username.
The response from that subdomain is executed in memory by the same 32-bit PowerShell process. It is a heavily obfuscated 17 MB script built to exhaust analysis: integer-encoded byte arrays, strings fragmented across multiple layers, variable names reassigned dynamically, and three stacked layers of encoding and encryption (base64, RC4 and XOR).
The final stage is a .NET infostealer loaded reflectively into the PowerShell process, so it never exists on disk as a separate file. It harvests browser credentials and exfiltrates them to a Russia-based command-and-control (C2) server. The only artifact written to disk during the whole chain is the initial MP3/HTA polyglot.
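The string decryption and the stacked base64/RC4/XOR layers described above are the part an analyst has to peel by hand. The following is an added example of such a peeler and is not the campaign's code or Cyderes' tooling. The real script's layer order, keys and array syntax are not published, so it assumes one plausible stacking: the plaintext is RC4-encrypted with a hardcoded key, base64-encoded, XOR-ed with a short key, and finally written out as a comma-separated list of integers. The `wrap` helper exists only to build a constructed sample in that form; `unwrap` is the analyst side.

```python
"""Layered deobfuscation helper (added example; layer order and keys are
assumptions, not the published details of the "Claude Code install" script)."""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts
    and decrypts; PowerShell loaders typically ship a hand-rolled copy."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric like RC4."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_int_array(text: str) -> bytes:
    """Turn an integer-encoded byte array such as "[byte[]](72,105)" or
    "72, 105" back into bytes. Any decimal run in the text is taken as a byte."""
    return bytes(int(x) for x in re.findall(r"\d+", text))


def wrap(plaintext: bytes, rc4_key: bytes, xor_key: bytes) -> str:
    """Build a layered blob for testing: RC4 -> base64 -> XOR -> int list.
    (Assumed layering; used here only to construct a sample.)"""
    layered = xor(base64.b64encode(rc4(rc4_key, plaintext)), xor_key)
    return ",".join(str(b) for b in layered)


def unwrap(blob: str, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Reverse the layers in the opposite order: int list -> XOR -> base64 -> RC4."""
    return rc4(rc4_key, base64.b64decode(xor(parse_int_array(blob), xor_key)))


# Constructed sample: an innocuous PowerShell line wrapped with hypothetical keys.
RC4_KEY = b"hardcoded-key-assumed"
XOR_KEY = b"\x5a\xa5"
SAMPLE_BLOB = wrap(b"Write-Host 'stage two would run here'", RC4_KEY, XOR_KEY)


def demo() -> bytes:
    """Peel the constructed sample and return the recovered plaintext."""
    return unwrap(SAMPLE_BLOB, RC4_KEY, XOR_KEY)


if __name__ == "__main__":
    print(SAMPLE_BLOB[:60] + "...")
    print(demo().decode())
```

When working on a real sample, confirm the RC4 implementation against a known vector before trusting decrypted strings; a loader that tweaks the swap or the modulus will still "decrypt" to garbage without raising an error.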
Detection and Mitigation
Detecting the “Claude Code install” ClickFix campaign comes down to two behaviours that are rare in a business environment and should be alerted on: outbound HTTPS connections to external infrastructure from mshta.exe, and a 32-bit PowerShell process started from a scheduled task. The SysWOW64 path is the tell for the second signal; the process ancestry should lead back through cmd.exe to the Task Scheduler service host.
The layered evasion makes the campaign hard to catch with a single signature, but initial access still depends on a person following fake installation instructions. User education therefore matters: warn users against clicking unfamiliar links or installing software from anywhere other than the vendor’s official site.
The “Claude Code install” campaign shows how quickly attackers adapt lures to whatever tooling is currently popular. Defenders should treat the behavioural signals above as durable detections, since the lure will change long before the execution chain does.
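The two behavioural signals named above, plus the hashed-subdomain DNS pattern, can be turned into detection logic over endpoint telemetry. The following is an added example that runs over a handful of constructed Sysmon-style events (EID 1 process create, EID 3 network connect, EID 22 DNS query); it is not Cyderes' tooling. It assumes Sysmon field names, that scheduled tasks run under svchost.exe hosting the Schedule service (or taskeng.exe on older Windows), and, because the exact subdomain format is not published, it only flags a bare 32-hex-character first label queried by 32-bit PowerShell.

```python
"""Detection logic for the "Claude Code install" execution chain (added
example over constructed Sysmon-style events; field names and the task-host
heuristic are assumptions)."""
import ipaddress
import re

WOW64_POWERSHELL = r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
MD5_LABEL = re.compile(r"^[0-9a-f]{32}$")
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def _is_task_host(parent_image: str, parent_cmdline: str) -> bool:
    name = _basename(parent_image)
    if name == "taskeng.exe":            # Windows 7 / Server 2008 R2 task host
        return True
    # Modern Windows runs tasks from the Schedule service inside svchost.exe;
    # keying on "-s Schedule" keeps the many other svchost parents out.
    return name == "svchost.exe" and "-s schedule" in parent_cmdline.lower()


def analyze(events):
    """Return {alert_name: [ProcessGuid, ...]} for the given event list."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = {}

    def hit(name, guid):
        alerts.setdefault(name, []).append(guid)

    def ancestors(guid, depth=3):
        # Walk ParentProcessGuid links through the EID 1 events we have seen,
        # yielding (ParentImage, ParentCommandLine) up to `depth` hops.
        cur = procs.get(guid)
        while cur and depth:
            yield cur.get("ParentImage", ""), cur.get("ParentCommandLine", "")
            cur = procs.get(cur.get("ParentProcessGuid"))
            depth -= 1

    for e in events:
        eid, guid, image = e["EventID"], e["ProcessGuid"], e.get("Image", "").lower()
        if eid == 3 and _basename(image) == "mshta.exe" and _is_external(e.get("DestinationIp", "")):
            hit("mshta_external_connection", guid)          # mshta.exe reaching the internet
        elif eid == 1 and image == WOW64_POWERSHELL and any(_is_task_host(*a) for a in ancestors(guid)):
            hit("wow64_powershell_from_scheduled_task", guid)  # 32-bit PowerShell under the task host
        elif eid == 22 and image == WOW64_POWERSHELL:
            labels = e.get("QueryName", "").lower().split(".")
            if len(labels) >= 3 and MD5_LABEL.match(labels[0]):
                hit("wow64_powershell_hashed_subdomain", guid)  # victim-fingerprint subdomain
    return alerts


WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example; GUIDs shortened for readability
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{EXP}"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "{SVC}",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": WOW64,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "{B}"},
    {"EventID": 22, "ProcessGuid": "{C}", "Image": WOW64,
     "QueryName": "9e107d9d372bb6826bd81d3542a419d6.example.com"},
    # Benign noise: 64-bit PowerShell from Explorer, mshta.exe talking internally.
    {"EventID": 1, "ProcessGuid": "{D}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{EXP}"},
    {"EventID": 3, "ProcessGuid": "{E}", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.1.2.3", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, guids in analyze(SAMPLE_EVENTS).items():
        print(name, guids)
```

In production the ancestry walk should use the EDR's own process lineage rather than a dict rebuilt from events, since the parent EID 1 may have been logged before the query window; the three-hop limit is there so a cmd.exe wrapper between the task host and PowerShell, as in this campaign, is still caught.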