The fake human verification process led to infostealer and ransomware infections
Analysis Summary
# Tool/Technique: ClickFix Campaign Mechanism
## Overview
'ClickFix' is an increasingly common tactic leveraged by threat actors to trick victims into performing actions that result in the download and execution of malicious software, typically an infostealer or Remote Access Trojan (RAT). It relies on a deceptive human verification process. In the observed incident, this mechanism was used to deploy NetSupport Manager, which subsequently led to StealC V2 and Qilin ransomware infections.
## Technical Details
- Type: Attack Technique/Infection Vector
- Platform: Windows (inferred from NetSupport Manager Client and usage of Batch files/Registry Run keys)
- Capabilities: Delivers initial access via forged human verification prompts, fetches and executes obfuscated scripts, downloads and executes staging payloads, and establishes persistence.
- First Seen: Ongoing evolution; the specific campaign observed delivering StealC/Qilin is tied to recent activity.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1189 - Drive-by Compromise
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Less direct, but the deceptive nature aims for user interaction similar to a lure)
- TA0002 - Execution
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Used via batch files)
- TA0003 - Persistence
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
## Functionality
### Core Capabilities
1. **Initial Lure:** Embeds a malicious script onto a legitimate but compromised domain (e.g., `aquafestonline[.]com`).
2. **Obfuscated Script Fetching:** Retrieves a heavily obfuscated external JavaScript file (e.g., `d.js` from `islonline[.]org`).
3. **Environment Fingerprinting:** The script fingerprints the user's OS and browser type.
4. **Tracking Mechanism:** Creates a unique eight-character alphanumeric string for tracking, limiting attacks to one per 24-hour period.
5. **Dynamic Content Loading:** Creates an invisible, full-screen iframe overlay to load a PHP file (e.g., from `yungask[.]com`) which dynamically generates the visible ClickFix verification page.
6. **Payload Delivery:** Upon "successful" user verification, downloads a batch file (`jh.bat`) that stages the NetSupport Manager Client files.
7. **Staging and Execution:** Executes `jh.bat`, which retrieves, extracts (to `C:\ProgramData\Disy`), and runs the NetSupport Manager client (`client32.exe`).
8. **Persistence:** Establishes persistence by creating a Windows Registry Run key.
### Advanced Features
- Use of legitimate web assets (compromised domain) for initial hosting.
- Multi-stage delivery involving obfuscated JS, PHP processing, and a batch file payload deployment.
- Utilizes a legitimate Remote Access Tool (NetSupport Manager) as a staging/initial foothold.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the summarized text]
- File Names:
- `jh.bat` (Initial dropper/installer script)
- `loy.zip` (Staged configuration archive)
- `client32.exe` (NetSupport Manager Client)
- `mfpmp.exe` (Legitimate Microsoft file used for DLL sideloading)
- `rtworkq.dll` (Malicious DLL, stealer payload component)
- `README-RECOVER-ID-__.txt` (Qilin Ransom Note suffix)
- Registry Keys: Registry Run key created for NetSupport persistence.
- Network Indicators:
- Initial script source: `islonline[.]org` (defanged)
- Iframe content source: `yungask[.]com/work/index.php` (defanged)
- Batch file download source: `2beinflow[.]com/head.php` (defanged)
- NetSupport C2: `94[.]158[.]245[.]13` (defanged)
- Behavioral Indicators: Execution of batch files from `%ProgramData%`, execution of `client32.exe`, network connections from NetSupport to external C2, subsequent downloads of ZIP archives containing binaries used for sideloading.
## Associated Threat Actors
- Threat actors utilizing **StealC V2** and **Qilin Ransomware** were observed leveraging this ClickFix chain.
## Detection Methods
- Signature-based detection: Signatures for file hashes of the delivered malware (StealC V2, Qilin components).
- Behavioral detection: Monitoring for dynamic script execution from obfuscated sources, suspicious batch file execution from user-writable directories, unexpected execution of NetSupport Manager, and DLL sideloading via legitimate executables like `mfpmp.exe`.
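As an added example (not code from the report or from any vendor), the following Python script turns the behavioral indicators listed in this section into a small set of triage rules and runs them over constructed, Sysmon-like endpoint events: a batch file executed from `%ProgramData%`, `client32.exe` started outside an approved install path, a Run key pointing into a user-writable directory, `mfpmp.exe` loading an unsigned `rtworkq.dll` from a user-writable directory, and a `README-RECOVER-ID-*.txt` ransom note being written. The event field names, the "approved" install roots and the set of user-writable paths are assumptions for the example, not a specific product schema.

```python
"""Constructed triage rules for the ClickFix -> NetSupport -> StealC V2 -> Qilin chain.
Events are made up to mirror the report's indicators; field names are an assumption."""
import ntpath
import re

# Assumption: substrings that mark user-writable locations on Windows.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Assumption: where a legitimately installed remote-admin tool would live.
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Ransom note name from the report: README-RECOVER-ID-<id>.txt (matched lower-cased).
RANSOM_NOTE_RE = re.compile(r"^readme-recover-id-.*\.txt$")
# A .bat/.cmd path under %ProgramData% anywhere in a command line.
SCRIPT_RE = re.compile(r'[a-z]:\\programdata\\[^\s"]*\.(?:bat|cmd)\b', re.IGNORECASE)

# Constructed sample telemetry (not from the incident).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\ProgramData\jh.bat"'},
    {"type": "process_create", "image": r"C:\ProgramData\Disy\client32.exe",
     "command_line": r"C:\ProgramData\Disy\client32.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Disy",
     "value": r"C:\ProgramData\Disy\client32.exe"},
    {"type": "image_load", "image": r"C:\ProgramData\loy\mfpmp.exe",
     "loaded": r"C:\ProgramData\loy\rtworkq.dll", "signed": False},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\README-RECOVER-ID-abc123.txt"},
    # Benign noise: an unrelated process, and the real rtworkq.dll loaded from System32.
    {"type": "process_create", "image": r"C:\Program Files\Git\git-bash.exe",
     "command_line": "git-bash.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\mfpmp.exe",
     "loaded": r"C:\Windows\System32\rtworkq.dll", "signed": True},
]


def _base(path):
    return ntpath.basename(path).lower()


def _in_user_writable(path):
    p = path.lower()
    return any(tag in p for tag in USER_WRITABLE)


def rule_batch_from_programdata(ev):
    return ev["type"] == "process_create" and bool(SCRIPT_RE.search(ev.get("command_line", "")))


def rule_netsupport_outside_approved_path(ev):
    return (ev["type"] == "process_create"
            and _base(ev["image"]) == "client32.exe"
            and not ev["image"].lower().startswith(APPROVED_ROOTS))


def rule_run_key_to_user_writable(ev):
    return (ev["type"] == "registry_set"
            and "\\currentversion\\run\\" in ev["key"].lower()
            and _in_user_writable(ev["value"]))


def rule_sideload_mfpmp_rtworkq(ev):
    # The host binary keeps its Microsoft name; the loaded DLL carries a system DLL
    # name but comes from a user-writable path or is unsigned.
    if ev["type"] != "image_load" or _base(ev["image"]) != "mfpmp.exe":
        return False
    loaded = ev["loaded"]
    return _base(loaded) == "rtworkq.dll" and (_in_user_writable(loaded) or not ev["signed"])


def rule_ransom_note_qilin(ev):
    return ev["type"] == "file_create" and bool(RANSOM_NOTE_RE.match(_base(ev["path"])))


RULES = [
    ("batch_from_programdata", rule_batch_from_programdata),
    ("netsupport_outside_approved_path", rule_netsupport_outside_approved_path),
    ("run_key_to_user_writable", rule_run_key_to_user_writable),
    ("sideload_mfpmp_rtworkq", rule_sideload_mfpmp_rtworkq),
    ("ransom_note_qilin", rule_ransom_note_qilin),
]


def run_detections(events):
    """Return one alert dict per (rule, event) match."""
    return [{"rule": name, "event": ev} for ev in events for name, rule in RULES if rule(ev)]


def alert_rule_names(events):
    """Distinct rule names that fired, sorted, for a quick summary."""
    return sorted({a["rule"] for a in run_detections(events)})


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["event"])
```

The sideload rule deliberately keys on the DLL name rather than the host process alone: `mfpmp.exe` loading `rtworkq.dll` from `System32` is normal Windows behaviour, so the discriminator is the load path and signature state, not the pairing itself.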
- YARA rules: Potentially applicable to the obfuscated JavaScript or the final DLL payloads.
## Mitigation Strategies
- Prevention measures: Implementing web filtering to block domains used for hosting scripts/C2 (e.g., `islonline[.]org`, `yungask[.]com`).
- Hardening recommendations: Disabling or heavily restricting Autorun/Persistence mechanisms, rigorous application control to prevent execution from `%ProgramData%`, comprehensive endpoint detection and response (EDR) for monitoring dynamic library loading and unauthorized remote tool usage.
- User Training: Educating users to suspect and avoid deceptive "human verification" prompts on websites.
## Related Tools/Techniques
- **StealC V2:** Infostealer deployed via DLL sideloading.
- **Qilin Ransomware:** Deployed approximately one month after the initial infostealer infection.
- **NetSupport Manager (RAT):** Used as the intermediate access mechanism/foothold.
***
# Tool/Technique: StealC V2
## Overview
StealC V2 is an advanced version of the StealC information stealer malware, significantly upgraded from its first iteration released in 2023. It is designed to silently exfiltrate sensitive data from compromised systems.
## Technical Details
- Type: Malware Family (Infostealer)
- Platform: Windows
- Capabilities: Information theft, stealthy execution via DLL sideloading, enhanced versatility compared to V1.
- First Seen: V2 released around March 2025.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1555 - Credentials from Network and Local Systems
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0005 - Defense Evasion
- T1553.006 - DLL Search Order Hijacking (Inferred via sideloading mechanism)
## Functionality
### Core Capabilities
- Acquisition of sensitive information (credentials, digital assets) from the victim environment.
### Advanced Features
- Significant stealth and versatility upgrades over the initial release.
- Deployed using a DLL sideloading technique involving the legitimate Microsoft `mfpmp.exe` and a malicious DLL (`rtworkq.dll`).
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the summarized text]
- File Names: `rtworkq.dll` (Malicious component)
- Registry Keys: [Not explicitly provided]
- Network Indicators: Likely communicates with C2 servers to exfiltrate stolen data (C2 inferred from the NetSupport connection, but direct StealC exfiltration C2 is not stated).
- Behavioral Indicators: Loading of dynamic link libraries into legitimate Microsoft processes like `mfpmp.exe`.
## Associated Threat Actors
- Threat actors associated with the ClickFix campaign delivering Qilin.
## Detection Methods
- Detection of unauthorized DLL loading into trusted process memory.
- Signatures for the specific StealC V2 payload components.
## Mitigation Strategies
- Implementing execution prevention controls like AppLocker or WDAC.
- Utilizing security tooling capable of detecting DLL Sideloading activity.
## Related Tools/Techniques
- Qilin Ransomware (Deployed subsequently).
- NetSupport Manager (Initial access tool).
***
# Tool/Technique: Qilin Ransomware
## Overview
Qilin is a ransomware strain observed deployed approximately one month after an initial StealC infostealer infection in this attack chain. It encrypts files and leaves a ransom note.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Windows (Inferred)
- Capabilities: File encryption and extortion via ransom demands.
- First Seen: Not stated; context implies continued use leading up to the observation of this incident.
## MITRE ATT&CK Mapping
- TA0011 - Collection (Often precedes encryption, potentially leveraging prior data theft/extortion)
- TA0012 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Deploying ransom notes with a unique identifier.
### Advanced Features
- [Details regarding specific Qilin encryption methods or data exfiltration related to double extortion were not detailed in the provided summary excerpt.]
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the summarized text]
- File Names: `README-RECOVER-ID-___.txt` (Ransom Note template)
- Registry Keys: [Not explicitly provided]
- Network Indicators: [Not explicitly provided]
- Behavioral Indicators: Dropping of specific ransom notes across the network.
## Associated Threat Actors
- Threat actors utilizing StealC who progress to deploying ransomware.
## Detection Methods
- Detection of specific Qilin ransom note filenames.
- Detection/blocking of the ransomware executable/payload.
## Mitigation Strategies
- Regular, immutable backups.
- Network segmentation to limit lateral movement post-initial access.
## Related Tools/Techniques
- StealC V2 (Used as precursor/staging payload).
***
# Tool/Technique: NetSupport Manager (Used as Remote Access Trojan)
## Overview
NetSupport Manager is a legitimate remote administration tool frequently abused by threat actors to gain persistent, interactive remote access to victim systems, functioning as a Remote Access Trojan (RAT) in this context.
## Technical Details
- Type: Tool / Abused Legitimate Software
- Platform: Windows
- Capabilities: Remote control, file transfer, system management functions, establishing C2 communication.
- First Seen: N/A (Legitimate tool); Abuse observed throughout the lifecycle of Ransomware-as-a-Service operations.
## MITRE ATT&CK Mapping
- TA0010 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Likely communicates over HTTP/S on port 443).
- TA0004 - Privilege Escalation (Depending on deployment method)
## Functionality
### Core Capabilities
- Remote command execution and system interaction.
- Establishing persistence via registry keys.
### Advanced Features
- Communication established with a dedicated C2 server (Observed IP: `94[.]158[.]245[.]13`).
- C2 server was observed exposing additional administrative ports (RDP 3389, WinRM 5986).
## Indicators of Compromise
- File Hashes: [Not explicitly provided for the downloaded client files]
- File Names: `client32.exe` (NetSupport Manager Client)
- Registry Keys: Registry Run key created for persistence.
- Network Indicators: Connection to C2 server `94[.]158[.]245[.]13` on ports 443, 3389, 5986 (defanged).
- Behavioral Indicators: Execution of `client32.exe` and network beaconing to the identified C2 IP.
## Associated Threat Actors
- Threat actors deploying StealC and Qilin.
## Detection Methods
- Behavioral detection for legitimate Remote Access Tools executing outside of approved administrative channels.
- Network level detection for traffic to the known malicious C2 IP.
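As an added example (not code from the report or from any product), the following Python script works the network side of this section and the mitigation that follows it: it refangs the defanged indicators listed in the report (the C2 IP and the script, iframe and download hosts), matches constructed connection records against them by destination IP and by TLS SNI/HTTP Host name, and separately flags outbound connections to the administrative ports 3389 and 5986 that originate from a workstation subnet. The workstation subnet, the flow field names and every flow value are assumptions made up for the example.

```python
"""Constructed example: refang the report's network indicators and triage made-up flows.
Subnet, flow schema and flow values are assumptions, not data from the incident."""
import ipaddress
import re

# Indicators exactly as written (defanged) in the report.
DEFANGED_INDICATORS = {
    "islonline[.]org": "ClickFix script host",
    "yungask[.]com": "ClickFix iframe content host",
    "2beinflow[.]com": "batch file download host",
    "94[.]158[.]245[.]13": "NetSupport C2",
}
ADMIN_PORTS = {3389, 5986}                             # RDP, WinRM over HTTPS
USER_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: workstation VLAN


def refang(indicator):
    """Turn '[.]' back into '.' and 'hxxp' back into 'http' so the value can be matched."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


def defang(indicator):
    """Inverse of refang, for writing a live indicator back into a report safely."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


IOC_IPS = {refang(k): v for k, v in DEFANGED_INDICATORS.items() if _is_ip(refang(k))}
IOC_DOMAINS = {refang(k): v for k, v in DEFANGED_INDICATORS.items() if not _is_ip(refang(k))}

# Constructed connection records: src_ip, dst_ip, dst_port, and the SNI/Host name if seen.
SAMPLE_FLOWS = [
    {"src_ip": "10.20.5.17", "dst_ip": "203.0.113.10", "dst_port": 443, "server_name": "islonline.org"},
    {"src_ip": "10.20.5.17", "dst_ip": "94.158.245.13", "dst_port": 443, "server_name": None},
    {"src_ip": "10.20.5.17", "dst_ip": "198.51.100.7", "dst_port": 3389, "server_name": None},
    {"src_ip": "10.20.5.17", "dst_ip": "203.0.113.11", "dst_port": 443, "server_name": "cdn.yungask.com"},
    {"src_ip": "10.20.5.17", "dst_ip": "198.51.100.22", "dst_port": 443, "server_name": "updates.example.com"},
    {"src_ip": "10.50.1.3", "dst_ip": "198.51.100.7", "dst_port": 3389, "server_name": None},  # admin subnet
]


def _from_user_subnet(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in USER_SUBNETS)


def classify_flow(flow):
    """Return a list of (finding_kind, detail) tuples for one flow; empty means clean."""
    findings = []
    if flow["dst_ip"] in IOC_IPS:
        findings.append(("ioc_ip", IOC_IPS[flow["dst_ip"]]))
    name = (flow.get("server_name") or "").lower()
    for domain, label in IOC_DOMAINS.items():
        # Exact match or any subdomain of the listed host.
        if name == domain or name.endswith("." + domain):
            findings.append(("ioc_domain", label))
    if flow["dst_port"] in ADMIN_PORTS and _from_user_subnet(flow["src_ip"]):
        findings.append(("admin_port_from_user_subnet", f"tcp/{flow['dst_port']}"))
    return findings


def triage(flows):
    """Return (index, findings) for every flow that raised at least one finding."""
    return [(i, classify_flow(f)) for i, f in enumerate(flows) if classify_flow(f)]


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_FLOWS):
        print(index, SAMPLE_FLOWS[index]["dst_ip"], findings)
```

The admin-port check is intentionally scoped by source subnet: a jump host on an administrative VLAN reaching tcp/3389 is expected, while a workstation doing so is the condition the firewall rule in the mitigation section is meant to prevent, so it is worth alerting on even when the destination is not a known indicator.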
## Mitigation Strategies
- Restricting the installation and execution of remote administration tools via Application Whitelisting/Control policy.
- Strict firewall rules limiting outbound connections from standard user environments to administrative ports (3389, 5986).
## Related Tools/Techniques
- ClickFix mechanism (Used to deliver the tool).