ATEA ASA

01/10/2025 | Press release | Distributed by Public on 01/10/2025 06:49

Investigating a ClearFake/ClickFix + Etherhide campaign

IT security 10-01-2025

Since the middle of December, Atea IRT has identified and tracked a new campaign utilizing the ClearFake and EtherHiding techniques. The campaign infects legitimate websites, and the infection chain ends in an information stealer.

In this post we'd like to share some of the findings from researching a new ClearFake campaign.


Image shows what an infected website looks like to the victim

Summary

A threat actor is infecting legitimate WordPress sites with a malicious JavaScript that results in a fake reCAPTCHA prompting the user into running a command. Running this command leads to an infostealer, LummaC2.

The JavaScript on the infected site loads a malicious JavaScript stored in a Binance Smart Contract (BSC) from data-seed-prebsc-1-s1.bnbchain.org on TCP port 8545. The JavaScript from the Binance Smart Contract is responsible for generating the fake reCAPTCHA and contains a malicious command that is injected into the victim's clipboard. The script only executes if the victim is browsing the infected website from a Windows operating system.

Blocking the domain, data-seed-prebsc-1-s1.bnbchain.org, or restricting outbound traffic to non-standard HTTP/HTTPS ports will mitigate the threat.
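The following is an added example, not code from Atea's post: a triage pass over proxy and process-creation logs that flags workstations which contacted the RPC endpoint named above, notes other traffic to TCP 8545, and checks whether mshta.exe (the command seen in the incident) ran shortly afterwards. The log column layout, the sample rows, the 10-minute window and the finding labels are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

RPC_HOST = "data-seed-prebsc-1-s1.bnbchain.org"  # endpoint named in the write-up
RPC_PORT = 8545                                   # port named in the write-up
WINDOW = timedelta(minutes=10)                    # assumption: lure-to-command delay
RANK = ["review-port", "exposed", "command-run"]  # hypothetical labels, low to high

# Constructed sample data; hosts, times and column layout are assumptions.
PROXY_LOG = """ts,src_host,dest_host,dest_port
2025-01-08T09:14:02,WS-0142,www.example.org,443
2025-01-08T09:14:05,WS-0142,data-seed-prebsc-1-s1.bnbchain.org,8545
2025-01-08T09:20:11,WS-0007,rpc.example.net,8545
2025-01-08T10:02:40,WS-0311,data-seed-prebsc-1-s1.bnbchain.org,8545
"""
PROCESS_LOG = """ts,host,image
2025-01-08T09:15:30,WS-0142,mshta.exe
2025-01-08T09:16:00,WS-0007,notepad.exe
2025-01-08T11:30:00,WS-0311,mshta.exe
"""

def _rows(text):
    """Parse CSV text and convert the ts column to datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        yield row

def triage(proxy_text, process_text):
    """Return {workstation: highest finding} for the two log exports."""
    mshta = [(p["host"], p["ts"]) for p in _rows(process_text)
             if p["image"].lower() == "mshta.exe"]
    findings = {}
    for conn in _rows(proxy_text):
        host_hit = conn["dest_host"].lower().rstrip(".") == RPC_HOST
        if not host_hit and int(conn["dest_port"]) != RPC_PORT:
            continue  # neither the campaign endpoint nor the non-standard port
        # mshta.exe on the same workstation shortly after the RPC request
        ran = any(h == conn["src_host"] and timedelta(0) <= t - conn["ts"] <= WINDOW
                  for h, t in mshta)
        level = "command-run" if host_hit and ran else "exposed" if host_hit else "review-port"
        prev = findings.get(conn["src_host"], RANK[0])
        findings[conn["src_host"]] = max(prev, level, key=RANK.index)
    return findings

if __name__ == "__main__":
    for host, level in triage(PROXY_LOG, PROCESS_LOG).items():
        print(f"{host}: {level}")
```

A "review-port" finding only means the workstation used TCP 8545 toward some other host, which matches the non-standard-port restriction suggested above and still needs manual review.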

Introduction

In mid-December, an incident was escalated to Atea IRT. EDR detected a possible information stealer execution. During the investigation it was quickly confirmed that this was something we've read about before, FakeCaptcha/ClearFake. Although it seemed similar to previous ClearFake campaigns, there were some differences.

The ClearFake and EtherHiding techniques are not new. Cybersecurity researcher Randy McEoin wrote an excellent writeup on ClearFake on Aug 6, 2023 (https://rmceoin.github.io/malware-analysis/2023/08/06/clearfake.html). Nati Tal and Oleg Zaytsev of Guardio Labs detail EtherHiding in their write-up from Oct 13, 2023 (https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16). Both were an inspiration to dig a little deeper and try to understand this infection chain.

ClearFake / EtherHiding 101

ClearFake is a method using social engineering to trick the user into running malicious commands.

Quoting Randy McEoin on the ClearFake naming:
"I'm calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation." Source: https://rmceoin.github.io/malware-analysis/2023/08/06/clearfake.html

EtherHiding is a technique used to host malicious code in a "smart contract" on the blockchain. Using this technique, the threat actor can centrally update all the infected websites by updating the content of the "smart contract". Guardio writes:

""EtherHiding" presents a novel twist on serving malicious code by utilizing Binance's Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting." Source: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

Analysis

An overview of the infection chain leading to LummaC2 infostealer is visualized below.


Image shows the infection chain leading to LummaC2 infostealer.

During our investigation we did not dive into the LummaC2/infostealer part of the attack chain. Our research focused on the delivery and the loader stage leading up to LummaC2.

During our investigation of this infection chain, we found some differences from the other write-ups on ClearFake and EtherHiding campaigns. The major differences are:

  1. Smart contract loaded from the Binance Smart Chain test-network
  2. Query to a secondary smart contract that tracks if user has run the malicious command

The BSC contract containing the malicious JavaScript was created 2024-Dec-08 10:13:07 PM UTC.

Investigating the infection chain

During our investigation of the EDR alert, we were unable to identify the website that lured the user into running the malicious "mshta.exe" command. But we were able to pivot on the data-seed-prebsc-1-s1.bnbchain.org domain to find additional samples to research.

Image shows the base64 encoded script added to the website

The image shows the injected JavaScript on an infected page.

At the time of writing, we can reliably identify over 800 websites involved in this campaign by searching for the