Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.
Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.
“The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today.
The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads –
- UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
- UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT
The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.
The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3.
Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.
“CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.”
Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.
Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.
Select versions of WINDYTWIST.SEA…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
