Now, even Russia's most elite hackers are using Clickfix to infect devices - Ars Technica
Skip to content
AI
Biz & IT
Cars
Culture
Gaming
Health
Policy
Science
Security
Space
Tech
Forum
Subscribe
Story text
Size
Small<br>Standard<br>Large
Width
Standard<br>Wide
Links
Standard<br>Orange
* Subscribers only
Learn more
Pin to story
Theme
Search
Sign In
Sign in dialog...
Text<br>settings
Story text
Size
Small<br>Standard<br>Large
Width
Standard<br>Wide
Links
Standard<br>Orange
* Subscribers only
Learn more
Minimize to nav
One of the Russian government’s most elite hacking groups has adopted an attack, known as Clickfix, to compromise devices belonging to sensitive organizations in Ukraine, the latter country’s CERT center is warning.
Clickfix has emerged as an effective attack technique that attackers, primarily financially motivated criminals, began using in the last year or so. Websites under the control of the attackers display a CAPTCHA that requires the visitor to copy a jumble of text and paste it into the terminal. The text contains scripts that, once entered, perform malicious actions, typically by installing malware or exfiltrating sensitive data. Ukraine’s CERT said Wednesday that Sandworm, an advanced hacking unit inside the GRU, Russia’s military intelligence arm, is now using the technique.
“GhettoVibe,” “ScoutCurl,” and many more
The Clickfix attacks began in the spring and have continued through the summer. The campaign has resulted in the network compromise of at least one organization when a connected device was found to be infected by FreakyPoll, the name of one of Sandworm’s custom malware packages. Ukrainian authorities discovered 10 compromised websites that displayed a PowerShell command as part of a fake CAPTCHA that said it had to be passed to ensure a real human was behind the visiting device’s keyboard.
Once the user entered the script, it could install malicious Visual Basic scripts and other malicious wares that went on to install a variety of Sandworm malware. Typically, the first malware to run was a reconnaissance program that gathered information from the infected device. Machines deemed important would then receive follow-on malware that backdoored the system.
“The command, as an example, could be intended to load and save a VBS file in the Startup directory,” a translated version of Tuesday’s advisory stated. “One of the variants of such a program was called GHETTOVIBE. At the next stage, in order to determine the importance of the cyberattack object, the SCOUTCURL software tool can be loaded onto the attacked computer, which is a PowerShell script that performs basic reconnaissance by collecting and exfiltrating information about the computer: basic characteristics, programs, files, Internet browser data, etc.”
FreakyPoll is a Python script that backdoors devices. Other malware used in the campaign includes FluidLeech, which is disguised as an antivirus program, and LoadLoop. The advisory continued:
During June-July, CERT-UA analyzed in detail the method of implementing ClickFix on more than ten compromised web resources. It was found that in addition to using the standard functionality of the Cloaking.House service, which allows you to filter traffic and, under certain conditions, display a third-party (remote) HTML page to the visitor, form an iframe or redirect to another resource, the attackers use a separate program code, SMARTAXE, which also allows you to change the content of the web page for the visitor (in particular, display a CAPTCHA), but by dynamically obtaining the domain name of the remote resource from the smart contract (call “eth_call”) using the contract address and function selector specified in the code.
CERT-UA cataloged several other attack techniques Sandworm has been using. One backdoors Android devices using lures designed to entice targets to install apps. Tracked as CowardDuck, it assembles potentially sensitive files and sends them to an attacker-controlled server.
Previously, Sandworm primarily infected devices by seeding Torrent trackers with links to pirated software that had been booby-trapped. In other cases, the hacking group engaged targets in extended conversations over Signal. Eventually, the attacker would entice the target to install malware disguised as security software.
The advisory concluded by calling on website system administrators and hosting providers to monitor for web shells, unauthorized extensions, and other signs of compromise.
Dan Goodin
Senior Security Editor
Dan Goodin
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
11 Comments
Comments
Forum...