ClickFix Campaigns Delivering PureRAT
This month, we have observed a sophisticated multi-stage campaign that uses "ClickFix" lures to deploy PureRAT (a fork of AsyncRAT) and CastleRAT. The attack chain begins with compromised websites presenting fake "fix" instructions that trick victims into pasting and running PowerShell commands directly from their clipboard.
Stage Analysis: The initial execution retrieves a second-stage PowerShell script that performs reconnaissance and sideloads malicious DLLs via legitimate applications such as VLC Media Player. The final payload communicates with C2 infrastructure that is often disguised behind 504 gateway error banners. The ultimate goal appears to be credential theft for downstream attacks, including WhatsApp-based booking.com phishing.
Community Detection Opportunities
// Detects PowerShell execution initiated by Explorer (Clipboard paste method)
// Common in ClickFix campaigns where users are tricked into pasting commands
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine contains "hidden" and ProcessCommandLine contains "enc"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
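As an added example (not code from the Bridewell page), the same clipboard-paste detection logic applied in Python to constructed DeviceProcessEvents-style records: it mirrors the query's case-insensitive matching on explorer.exe spawning powershell.exe with "hidden" and "enc" in the command line, and it decodes the -EncodedCommand argument (base64 of UTF-16LE) so an analyst can read what was pasted. Field names follow the query's columns; the sample events and the encoded script are constructed.

```python
import base64
import re

# Constructed sample rows shaped like DeviceProcessEvents; not real telemetry.
def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-01-14T09:12:03Z", "DeviceName": "ws-01", "AccountName": "alice",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc " + encode_ps("Write-Host 'constructed sample'")},
    {"TimeGenerated": "2026-01-14T09:15:44Z", "DeviceName": "ws-02", "AccountName": "bob",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
]

# Common spellings of the EncodedCommand switch followed by its base64 argument.
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def is_clickfix_candidate(ev: dict) -> bool:
    """Mirror the KQL: =~ and contains are case-insensitive, so compare lowercased."""
    cmd = ev["ProcessCommandLine"].lower()
    return (ev["FileName"].lower() == "powershell.exe"
            and ev["InitiatingProcessFileName"].lower() == "explorer.exe"
            and "hidden" in cmd and "enc" in cmd)

def triage(events):
    """Project the query's columns for each hit and attach the decoded script for review."""
    hits = []
    for ev in events:
        if is_clickfix_candidate(ev):
            hits.append({"TimeGenerated": ev["TimeGenerated"], "DeviceName": ev["DeviceName"],
                         "AccountName": ev["AccountName"], "ProcessCommandLine": ev["ProcessCommandLine"],
                         "DecodedCommand": decode_encoded_command(ev["ProcessCommandLine"])})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["AccountName"], "->", hit["DecodedCommand"])
```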
// Detects VLC Media Player loading a suspicious dll from a non-standard directory
// Attackers place a malicious libvlc.dll in a temp folder to be loaded by legitimate vlc.exe
DeviceImageLoadEvents
| where FileName =~ "libvlc.dll"
| where InitiatingProcessFileName =~ "vlc.exe"
| where not(FolderPath has_any ("Program Files", "VideoLAN"))
| project TimeGenerated, DeviceName, FolderPath, SHA256

rule BR_UNC_029_I_Paid_Twice_Downloader_Jan26
{
    meta:
        author = "Joshua Penny"
        description = "Detects PowerShell Downloader used by BR_UNC_029 in 'I Paid Twice' campaign"
        target_entity = "PowerShell file"
    strings:
        $var1 = "user="
        $var2 = "pc="
        $var3 = "cwd="
        $var4 = "osver="
        $var5 = "osname="
        $var6 = "pcmodel="
        $var7 = "pcmanuf="
        $var8 = "psv="
        $var9 = "admin=$is_admin"
        $var10 = "$unique_id ="
        $var11 = "$username ="
        $var12 = "$computer_name ="
        $var13 = "$os_name ="
        $var14 = "$os_version ="
        $var15 = "$computer_system ="
        $var16 = "$pc_model ="
        $var17 = "$pc_manufacturer ="
        $var18 = "$powershell_version ="
        $var19 = "$is_admin ="
        $var20 = "$antivirus_info ="
    condition:
        12 of them
}

Bridewell CSIRT Detection Rules & Analytics
The following detection content was generated through our managed threat intelligence, threat hunting, and detection and response (MDR) services. The content automatically protects our customers from known and emerging threats.
| Detection Analytic Concept | Category |
|---|---|
| KQL_ClickFix_ClipboardExecution | Initial Access |
| KQL_Shortcut_LNK_Creation_Suspicious | Persistence |
| KQL_Registry_RunKey_Creation | Persistence |
| KQL_VLC_DLL_Sideloading_TempDir | Defense Evasion |
| KQL_AddInProcess32_Outbound_Connection | C2 Communication / Defense Evasion |
| KQL_AddInProcess32_RootCert_Access | Defense Evasion |
| KQL_MSHTA_Execution | Defense Evasion |
| KQL_ZIP_File_Download_Url_Pattern | Execution |
| Infra_PureRAT_C2_Port_7705 | Infrastructure Hunting |
| YARA_PowerShell_Downloader_PureRAT | Execution |