Research Saturday 1.17.26
Ep 408 | 1.17.26

Picture perfect deception.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Ben Folland: ClickFix is a malware delivery technique. It's not sophisticated. It's very simple, and it typically involves just tricking the user to copying, pasting a malicious command.

Dave Bittner: That's Ben Folland, security operations analyst from Huntress. The research we're discussing today is titled "ClickFix Gets Creative: Malware Buried in Images." [ Music ]

Ben Folland: I noticed there was a specific campaign, a ClickFix campaign, and we started seeing certain indicators of compromise that would indicate it's the same campaign on multiple incidents. So this happened for a few days. I was doing my analysis, and I was doing the investigation, and we observed that the ClickFix campaign started with a user being instructed to copy and paste a malicious command, and it was encoded with a hex, a hex-encoded IP address. We did this investigation and did some malware analysis, and we realized -- and this is what made the campaign interesting, is the malware leveraged a technique called steganography. And it hide it -- it hid malicious payloads, the actual final core info-stealing malware payload within a benign PNG image. And only during the malware's execution chain did the image get extracted, and the malware forensically pulled from the image and then ran dynamically. And so the steganography in the campaign made it really interesting, as this is something we don't often see, and it's an interesting evasion technique, a way of hiding the malicious code within a benign image.

Dave Bittner: Yeah, and you mentioned -- certainly, I think of image formats as being benign, but this use of steganography shows that that's not always the case.

Ben Folland: Yeah, exactly. And if you were to even analyze the image yourself or inspect it, it would look benign. If you didn't have the context in which the malware was unpacking it and unraveling it, it is really hard to extract what is actually going on and extract that malicious code. And this is why it's so effective. You can have malware embedded with images, and they can be written to disk, and antivirus can scan them all they want, but they won't be able to identify the hidden payload inside the image because the method in which the malware is extracted using steganography, it's really hard for antiviruses to automatically detect that.

Dave Bittner: Well, the research describes two versions of the lure here. The robot verification page, and there's a fake Windows update screen. Can you describe to us how are these different and what makes the update-themed lure so convincing?

Ben Folland: Yeah, of course. So when we've got ClickFix campaigns, we've got two real core components. We've got the lure, and this is where we trick the user into actually copying or pasting and running a command. And then we've got the actual malware, and this is as a result of the command. And the lure is really the most important part. The lure is where you convince the user, or you trick the user, that they need to do something, they need to copy a command, or they need to maybe follow these steps in order to enter the website. So the first case was the robot verification, or this is more one of the traditional ClickFix fake CAPTCHA type lures that we've been seeing for the good part of a year now. This lure was, I believe, likely vibe-coded or AI-developed, and it didn't really look too genuine. However, we still see victims, and it still tricks people. This could be because they're going to a trusted website, maybe a website which is -- they visit often, and it's been compromised, and they're just getting a pop-up. And to somebody who works in tech or one of us in cybersecurity, it would maybe be obvious that this is suspicious or unexpected, but for most people or for all people, this is not the case. And especially with ClickFix, which is a new threat, which is something which has only been around for a few years, and it's not in everyone's security awareness training packages. We've got the Windows update lure, which we've been seeing only in the last few months. And this is very different to the traditional ClickFix lures, where you would visit the website, and you'd be given a fake CAPTCHA or some pop-up in order to access the website you were meant to be originally visiting. With the Windows update lure, when you visit the website, it will try to trick you into thinking Windows has started an update sequence.
And your browser will go into full screen, your mouse cursor will go hidden, you won't be able to see it, and you will see the blue Windows update screen. And it follows the sequence, and you'll wait for 30, 40 seconds, and then you're given the classic ClickFix instructions to press Control R or Windows key R on your keyboard. And that's to open the Windows Run box. And then the JavaScript in the background automatically copies to the clipboard a malicious command. And the lure instructs the user to paste the command into that Windows Run box and then press Enter. And a lot of users would do this. Their screen would go into full screen. They may not be able to get out of that. They wouldn't be able to see their cursor. So a lot of users wouldn't know what to do in this position. And they're unlikely to call up IT or ask for help when they've got some instructions right in front of them saying how they can potentially fix this issue. And this is why we saw it was so effective. And when the user presses Enter, and they run the command, at that point, seconds later, malware, info-stealing malware is running. It is looking throughout the computer, common places on disk for browser credentials. Maybe there's cryptocurrency wallets. Maybe there are sensitive files. And the info-stealing malware will look in all these places, and then it will exfiltrate it and steal it. And this data will be now in the hands of a criminal who can either sell it or use it.

Dave Bittner: We'll be right back. So it is a multi-stage execution chain, yes?

Ben Folland: Yes, it is. So when I say we've got this, it's two parts, right? There's the lure and then the malware. The malware execution chain is itself made up of four, five stages. So it starts off with the user, as I mentioned, being told to paste a command. And when they paste the command, there will be a mshta executable. This is Microsoft's HTML application. This is native to Windows. This is a signed binary. This is legitimate, and it won't trigger an antivirus detection. However, the context in which this mshta binary -- we call them "living off the land" because they're native to Windows, but they can be abused for malicious activity. Well, it will download an additional payload. And it will run this in memory, once again, avoiding disk, avoiding antivirus. And then this next payload will download a PowerShell script. And then the PowerShell script itself will decrypt and dynamically load some more code. And it sort of goes through this stage of going from one binary to another and decrypting some content until we've got this final stage where we've got a .NET binary. And inside the .NET binary, embedded within it, is an image. And this is where the steganography piece comes into it. Again -- and this is a PNG image, and the PNG images are made up of pixels, and each pixel has color information. We often refer to the color information as RGB or RGBA. And if you looked at this particular PNG image and you only looked at the strength, the number representing the R pixel, and you did some operations with this, you did some exclusive OR bitwise operations, and you would eventually extract the shellcode. And the malware would do this. It would extract the shellcode and then inject it. And this happens instantaneously, basically, after a user presses Enter. However, it does take a while to unravel the campaign and go through each of the stages because the threat actors have put a lot of effort into obfuscating and using steganography.
That is something we don't often see. And it's clear they wanted to make the lives of analysts like myself harder -- by splitting it up into so many different stages, and also make it harder for antivirus and other EDRs to detect by obfuscating it.

Dave Bittner: Well, your research mentions the payload. So you talk about things like LummaC2 and the Rhadamanthys stealer. What are the capabilities of these info-stealers?

Ben Folland: So, yeah, LummaC2 and Rhadamanthys, these are super well-known info-stealers. They are known as and sold as malware-as-a-service. So if you go on some of the dark web forums, you can buy sort of, I guess, licenses or access to LummaC2 and Rhadamanthys. And then, as a criminal -- as a cybercriminal, you can go out, and you can use this malware which you haven't developed yourself, but you're buying access to it. And then you can use this malware in these ClickFix campaigns. But these are both info-stealers. And to answer the question about the capabilities, they're both advanced info-stealers that can capture a very wide range of credentials. So if you're using any sort of common browser that you would use on Windows or on your machine, the credentials in the browser, if this info-stealer were run, may be exfiltrated. If you were using Outlook or maybe some of the common applications, once again, these would be pillaged. The malware would strategically go through disk, looking for common file paths which are hard-coded, where these credentials can be found. There is also interest in cryptocurrency, cryptocurrency wallets, and keys. LummaC2 has an interesting capability. It can intercept clipboard information. So let's say you are doing a transaction, a crypto transaction on your computer. Lumma info-stealer can intercept the crypto wallets and the crypto keys as they're in the clipboard, and they can detect them in the clipboard as being these keys and exfiltrate them back to the threat actor, which is an interesting way of stealing this data. But these are both info-stealers. And recently, interestingly, both of these info-stealers have been involved in takedowns this year. Rhadamanthys, more recently. I think that was Operation Endgame, so a Europol takedown -- a coordinated law enforcement takedown of Rhadamanthys' infrastructure, which was great to see. However, LummaC2 also, there was a takedown back in May.
I don't think these are going to stop them permanently. Infrastructure is going to be probably rebuilt over time, and we may see them resurface.

Dave Bittner: Who do you suppose is behind this? Is this a named threat actor?

Ben Folland: The threat actors go by the malware name, so LummaC2. That is like an account on the forums. They would advertise as that. I don't know the individual. They often advertise on Russian cybercrime forums, and they often advertise in Russian, which may suggest the identity, but I have no evidence to suggest that.

Dave Bittner: Yeah. How do you rate their sophistication here?

Ben Folland: So these are low -- we're talking about info-stealers, and these aren't zero-days. We're not talking about APTs or nation-state threats. These are info-stealers which are targeting organizations via fresh phishing or sort of opportunistic threats. So, as a whole, these aren't a super sophisticated threat, but they're a high-impact threat. Info-stealers as a whole are the most prolific malware we see in the wild. They're the most delivered. If you're going to have malware execution on the host, chances are it is an info-stealer.

Dave Bittner: Well, let's talk about defenses here. I mean, from a practical point of view, what should organizations be doing to protect themselves?

Ben Folland: That is a really, really good question. And there are a few good things organizations should be doing. And I really think most importantly is security awareness training that involves ClickFix and these fake CAPTCHA techniques. I mentioned before, everyone or most people who've worked in a corporate job have been through some security awareness training where they've been told about the phishing threats, and they've been told about the Nigerian princes. But most people aren't aware of what ClickFix is, and most people don't know that they shouldn't just copy, paste and run random commands that they're told to on websites. This isn't a known malicious thing to most normal people. So security awareness training is really important. But as we all know, the same with phishing, right, it doesn't always work. And this is why we need to implement stronger mitigation. So this could be blocking the Windows Run box. You can do this via group policy. You could make a registry modification to stop the Windows Run box being able to pop up. And you can do the same with PowerShell. If I was a sysadmin and I was in a domain, I would use group policy and potentially lock it down to users who aren't in IT, because, I don't know, there's bound to be one sysadmin which can -- complains about the Run box being disabled. But that is a great way you can control it. [ Music ]

Dave Bittner: Our thanks to Ben Folland from Huntress for joining us. The research is titled "The ClickFix Gets Creative: Malware Buried in Images." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]