“are djb2-hashed using the same algorithm and PEB walk as shellcode #1. Figure 7: the reflective loader's main routine on the left, with the imports resolver it calls expanded on the right. Each import descriptor's DLL is loaded with LoadLibraryA and each function with g…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1055.012 Process Hollowing (99%)
“The stealer also ships with a process hollowing primitive aimed at PowerShell. The strings reveal a dynamic resolver for the standard hollowing API set, such as NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtCreateThrea…”
T1555.003 Credentials from Web Browsers (99%)
“.indexeddb.leveldb paths (that's the wallet-extension grab). MetaMask, Phantom, Trust Wallet, Ronin, and similar wallets all keep their encrypted vaults in IndexedDB, which is where crypto-wallet credentials come from. Firefox gets enumerated via profiles.ini. Discord …”
T1055.012 Process Hollowing (98%)
“path below instead of the more common UnmapViewOfFile. If allocation at the preferred base fails because something else is mapped there, and the embedded PE has no relocations to fall back on, the loader calls NtUnmapViewOfSection to evict whatever is sitting at 0x400000 and retr…”
T1055.001 Dynamic-link Library Injection (98%)
“is the first node in the loader's module list, which by convention is always the main process EXE, here python.exe. After the writes, both PEB.ImageBaseAddress and the first module entry's DllBase point at the embedded PE inside python.exe's memory. Nothing has been in…”
T1055.012 Process Hollowing (96%)
“bypass App-Bound Encryption. This build implements only the legacy DPAPI-then-AES extraction path. Restart Manager for locked files. One implementation detail worth highlighting: the stealer imports RmStartSession, RmRegisterResources, RmGetList, and RmEndSession from rstrt…”
T1614.001 System Language Discovery (95%)
“check. The MUILanguages list pulled from the Win32_OperatingSystem WMI class is compared against the literal “ru-RU”, and if any installed UI language matches, execution returns immediately. That is a standard CIS-skip behavior; it won't run on machines reporting Russi…”
T1055.001 Dynamic-link Library Injection (94%)
“rewrite fixes that, so the embedded PE can find itself in memory the same way any normal EXE does. Jumping to the entry point isn't anything fancy. The PE's optional header has an AddressOfEntryPoint field which is an RVA (an offset from the image base), 0x22682 for our em…”
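An added example, not the loader's own code, covering two of the snippets on this page: the relocation fallback (preferred base occupied, no relocations to fall back on, NtUnmapViewOfSection to evict the occupant) and the AddressOfEntryPoint RVA. It parses the handful of header fields a reflective loader needs and reproduces the decision order the write-up describes; the mapping itself, the PEB.ImageBaseAddress and DllBase rewrite, and the jump to the entry point are not performed. The sample header is constructed: base 0x400000 and entry RVA 0x22682 are the values quoted on the page, everything else (sizes, the .reloc entry, the occupied range) is made up for the demo.

```python
import struct

# Added example (not the Huntress write-up's code). Reads ImageBase,
# AddressOfEntryPoint, SizeOfImage and the base-relocation directory from a PE
# header and decides, as the write-up describes, what the loader does when the
# preferred base is taken. Demo header values other than 0x400000 / 0x22682
# are invented.

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe(pe: bytes) -> dict:
    """Pull the loader-relevant header fields from a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    characteristics = struct.unpack_from("<H", pe, fh + 18)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:                                  # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        data_dir = opt + 96
    elif magic == 0x20B:                                # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        data_dir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    _reloc_rva, reloc_size = struct.unpack_from(
        "<II", pe, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    relocatable = bool(reloc_size > 0
                       and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED))
    return {
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,   # RVA + ImageBase = jump target
        "size_of_image": size_of_image,
        "relocatable": relocatable,
    }


def plan_mapping(info: dict, occupied) -> str:
    """occupied: [(start, end), ...] ranges already mapped in the target.
    Fallback order from the write-up: preferred base if free; otherwise
    relocate if the PE carries relocations; otherwise evict the occupant
    (the NtUnmapViewOfSection path) and retry at the preferred base."""
    lo = info["image_base"]
    hi = lo + info["size_of_image"]
    if all(hi <= s or lo >= e for s, e in occupied):
        return "map_at_preferred_base"
    if info["relocatable"]:
        return "map_elsewhere_and_apply_relocations"
    return "unmap_occupant_then_retry_preferred_base"


def build_pe32_header(image_base, entry_rva, size_of_image, with_relocs):
    """Construct a minimal PE32 header (demo input only, no sections)."""
    hdr = bytearray(0x40 + 4 + 20 + 224)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    fh = 0x44
    struct.pack_into("<H", hdr, fh, 0x14C)              # Machine = i386
    struct.pack_into("<H", hdr, fh + 16, 224)           # SizeOfOptionalHeader
    chars = 0x0102                                      # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if not with_relocs:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    struct.pack_into("<H", hdr, fh + 18, chars)
    opt = fh + 20
    struct.pack_into("<H", hdr, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)   # ImageBase
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    struct.pack_into("<I", hdr, opt + 92, 16)           # NumberOfRvaAndSizes
    if with_relocs:                                     # invented .reloc RVA/size
        struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                         0x30000, 0x200)
    return bytes(hdr)


DEMO_NO_RELOCS = build_pe32_header(0x400000, 0x22682, 0x40000, with_relocs=False)
DEMO_WITH_RELOCS = build_pe32_header(0x400000, 0x22682, 0x40000, with_relocs=True)
DEMO_OCCUPIED = [(0x400000, 0x430000)]                  # constructed occupant

if __name__ == "__main__":
    info = parse_pe(DEMO_NO_RELOCS)
    print(hex(info["entry_va"]), plan_mapping(info, DEMO_OCCUPIED))
```

The third branch is the one worth watching for: a loader that unmaps a foreign view at 0x400000 in a live process is destroying whatever was mapped there, which is exactly why the write-up's hollowing-style tags cluster around this code path.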
T1573.001 Symmetric Cryptography (93%)
“, so it gets reused: bytes 1-4 of the scrambled string get XORed against the key, then bytes 5-8 against the same key again, and so on. The result is the real string. Most of the operationally interesting strings, such as field names, install paths, header names, use this pa…”
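An added example, not from the write-up, of the string scrambling in the snippet above plus the weakness it implies: because the short key is simply reused every four bytes, four bytes of known plaintext recover it and unlock the whole string table. A 4-byte key applied from the first byte of each string is assumed from the snippet; the key and the scrambled strings below are constructed for the demo (the plaintexts are field and header names this page mentions).

```python
# Added example (not the write-up's code): repeating-key XOR decode, and key
# recovery from a single known string. Assumption: 4-byte key reused from
# byte 0 of every string. DEMO_KEY and DEMO_SCRAMBLED are constructed.

KEY_LEN = 4


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Byte i is XORed with key[i % len(key)]; encode and decode are the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(scrambled: bytes, known_plaintext_prefix: bytes,
                key_len: int = KEY_LEN) -> bytes:
    """key[i] = scrambled[i] ^ plaintext[i] for i < key_len, so knowing the
    first key_len bytes of any one string leaks the key for all of them."""
    if len(known_plaintext_prefix) < key_len or len(scrambled) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(scrambled[i] ^ known_plaintext_prefix[i] for i in range(key_len))


def decode_table(scrambled_strings, key: bytes) -> list:
    """Decode every entry of a scrambled string table with one key."""
    return [xor_with_key(s, key).decode("ascii", errors="replace")
            for s in scrambled_strings]


# Constructed sample string table, scrambled with a constructed key.
DEMO_KEY = bytes.fromhex("a37f11c8")
DEMO_PLAIN = [b"Content-Type", b"campaign_identifier", b"install_path", b"launch_method"]
DEMO_SCRAMBLED = [xor_with_key(p, DEMO_KEY) for p in DEMO_PLAIN]


def demo():
    """An analyst usually knows one string already (an HTTP header name here);
    that is enough to recover the key and decode the rest."""
    key = recover_key(DEMO_SCRAMBLED[0], b"Content-Type")
    return key, decode_table(DEMO_SCRAMBLED, key)


if __name__ == "__main__":
    key, strings = demo()
    print(key.hex(), strings)
```

The same known-plaintext trick works against any string that starts with a predictable token ("http", "User-Agent", a drive letter), which is why a 4-byte reused key buys the author obfuscation but no real secrecy.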
T1053.005 Scheduled Task (82%)
“scheduled task on next login. The second task is in-memory only: empty install_path, launch method 7 for APC injection, fetching net40.bin and injecting the resulting .NET binary into a target process without ever touching disk and without any persistence. Both tasks set us…”
T1059.001 PowerShell (81%)
“…hots: 1 set, a screenshots container is appended carrying the captured desktop image as a raw binary blob. For task 11 from the response above (the NetSupport drop), the bot's status callback decrypts to: The launch_method field is the single most important field on a t…”
T1055.001 Dynamic-link Library Injection (77%)
“buffer" is a pattern that probably every EDR watches for. “Process calls ReplaceTextW” looks like a program opening a dialog box and gets no attention. The payload runs, but from Windows' perspective, it was doing a perfectly normal thing. Shellcode #2: reflective PE loader…”
T1555.003 Credentials from Web Browsers (77%)
“) to 1. - finger.exe is the entry point in this chain. Practically nobody outside of niche Unix-interop scenarios uses it on modern Windows. Block outbound TCP port 79 at the network egress. That's the port finger.exe uses to reach its daemon, and there's effectively zero…”
T1055.012 Process Hollowing (75%)
“bot reporting back on a few tasks with screenshots enabled produces sustained 5MB+ POSTs that look nothing like normal beacon traffic. Then there's the fact that this build's launch_method: 4 decodes to regsrv32.exe instead of regsvr32.exe. Whoever wrote it swapped two …”
T1055.001 Dynamic-link Library Injection (65%)
“…W structure on the stack with FR_ENABLEHOOK set in Flags and lpfnHook pointing at the start of the decrypted payload: The entry routine of the shellcode calls a helper that checks for a locally-configured payload. It first calls FindFirstFileW("*.ini", ...) in the cur…”
T1095 Non-Application Layer Protocol (62%)
“0.1 & del "<path>". The unreachable 1.0.0.1 (not 127.0.0.1) makes ping time out for several seconds, which gives the parent process time to fully exit before del tries to remove the file. C2 communications. The traffic to 38.146.28[.]30:22989 runs over a raw TC…”
T1204.004 Malicious Copy and Paste (61%)
“ClickFix removes your background but leaves the malware. Acknowledgments: special thanks to Sarah Reddish for her contributions to this investigation and write-up. Background. Figure 1: malicious site. You probably already have a go-to tool for removing the background from you…”
T1055.001 Dynamic-link Library Injection (47%)
“header itself as the key, the same pattern used for the web payload, just with a longer key. The launch then branches on whether the INI also specified an install_path value: if so, the helper builds a msiexec.exe /i “%s” command line and hands it to ShellExecuteW; if n…”
T1053.005 Scheduled Task (41%)
“…son. The loader parses each task field-by-field by name, populates a task struct in memory, and dispatches to the appropriate launcher. Here's what one of the captured get_tasks requests looks like after decryption: The C2 response decrypts to a settings block plus an …”
T1573.001 Symmetric Cryptography (40%)
“(0x54 for the outer object, 0x12 for length-prefixed strings, 0x51 for byte-arrays, etc.). The server responds with another static-key-encrypted message whose first field is a 32-byte byte-array, the AES-256 session key for the rest of the conversation. All subseq…”
T1547.001 Registry Run Keys / Startup Folder (40%)
“do by hand? NetSupport gives you the desktop, the keyboard, and the file system, and the stealer gives you a faster credential dump. Detections recommendation. The ClickFix chain in this writeup looks intimidating in the analysis, but every stage relies on a small number of Windows beh…”
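An added example, not from Huntress, that turns three of the host-side detection points quoted on this page into rules over Windows process-creation events (Sysmon Event ID 1 or Security 4688, reduced here to image path and command line): finger.exe executing at all, a process or command line naming regsrv32.exe (the typo'd launcher name from the launch_method snippet; whether that launch even succeeds is not shown, so this rule is a heuristic), and the ping-then-del self-delete idiom where the ping exists only to delay the del until the parent has exited. The sample events are constructed; the egress block of TCP/79 is a network control and is not modelled.

```python
import re

# Added example (not the write-up's code): three heuristics derived from this
# page's detection points, run over constructed process-creation events.

# "ping <host> ... & del <path>" (also "&&"); the host is irrelevant, the shape is the tell.
SELF_DELETE = re.compile(r"\bping(?:\.exe)?\b[^&]*&+\s*del\b", re.IGNORECASE)
TYPO_LAUNCHER = re.compile(r"\bregsrv32\.exe\b", re.IGNORECASE)   # real binary is regsvr32.exe


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerating either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event trips (empty list = clean)."""
    hits = []
    img = image_name(event["image"])
    cmd = event["command_line"]
    if img == "finger.exe":
        hits.append("finger_exe_execution")
    if img == "regsrv32.exe" or TYPO_LAUNCHER.search(cmd):
        hits.append("regsrv32_typo_binary")
    if SELF_DELETE.search(cmd):
        hits.append("ping_delay_self_delete")
    return hits


def run_rules(events) -> list:
    """Classify every event, preserving order."""
    return [classify(e) for e in events]


# Constructed events; paths and arguments are illustrative, not captured data.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\finger.exe",
     "command_line": "finger.exe example.invalid"},
    {"image": r"C:\Users\Public\regsrv32.exe",
     "command_line": "regsrv32.exe /s C:\\Users\\Public\\payload.dll"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c ping 1.0.0.1 & del "C:\\Users\\u\\AppData\\Local\\Temp\\drop.exe"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",            # correctly spelled: clean
     "command_line": "regsvr32.exe /s C:\\Program Files\\Vendor\\legit.dll"},
    {"image": r"C:\Windows\System32\PING.EXE",                # plain ping, no del: clean
     "command_line": "ping 8.8.8.8 -n 2"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_rules(SAMPLE_EVENTS)):
        print(f"{image_name(ev['image']):<14} {hits or 'clean'}")
```

The self-delete rule deliberately ignores which host is pinged: the page's sample uses 1.0.0.1, but any address the author expects to time out serves the same purpose, so matching on the address would only catch this one build.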
T1071.001 Web Protocols (36%)
“URL: GET <base_url>/<campaign_uuid>. On every check-in (a POST), the URL drops back to just the base and the UUID is sent inside the encrypted body as the campaign_identifier field instead. The auth token shows up as the HTTP User-Agent and as the body field ac…”
Summary
Your background is gone, but malware is here. Huntress breaks down BackgroundFix, a new ClickFix social engineering tactic involving CastleLoader, NetSupport RAT, and CastleStealer. Read the analysis.