
Termite Ransomware Tied to ClickFix CastleRAT Attacks

Originally published on: March 8, 2026
Summary

– The Velvet Tempest threat group used a “ClickFix” social engineering technique and legitimate Windows tools to deploy DonutLoader malware and the CastleRAT backdoor.
– Researchers observed the group’s 12-day attack in an emulated U.S. non-profit organization’s environment, where they performed reconnaissance and harvested credentials.
– Velvet Tempest is a long-established ransomware affiliate linked to major strains like Ryuk, REvil, Conti, BlackCat/ALPHV, and LockBit.
– The attack chain began with a malvertising campaign leading to an obfuscated command, which triggered processes to fetch payloads and establish persistence.
– While known for double-extortion ransomware attacks, Velvet Tempest did not deploy their associated Termite ransomware in this observed intrusion.

A sophisticated cybercrime group known as Velvet Tempest has been observed deploying a complex attack chain that leverages social engineering and legitimate Windows tools to install dangerous malware. This campaign, analyzed by threat intelligence researchers, utilizes a method called ClickFix to trick users into initiating the infection themselves, ultimately aiming to deploy the CastleRAT backdoor and the DonutLoader malware.

The threat actors, also tracked as DEV-0504, have a long history as ransomware affiliates. Their past activities are linked to some of the most notorious ransomware families of recent years, including Ryuk, REvil, Conti, and BlackCat/ALPHV. In a recent incident monitored over twelve days in a simulated U.S. non-profit network, their tactics were laid bare. After gaining an initial foothold, the operators engaged in extensive manual reconnaissance. They enumerated Active Directory, mapped the network environment, and used a custom PowerShell script to steal credentials stored in the Chrome browser; the IP address hosting that script was tied to previous Termite ransomware operations.

Initial access was achieved through a malicious advertising campaign. The attack began when users were redirected to a webpage displaying a fake error message alongside a CAPTCHA. This ClickFix lure instructed the victim to copy and paste a specific, obfuscated command directly into the Windows Run dialog box. This simple action by the user triggered the entire compromise. The command executed a series of nested processes, using the legitimate Windows `finger.exe` utility to fetch the first stage of malware, which was cleverly disguised as a PDF document.

Following this initial execution, the attackers employed PowerShell extensively to automate the next phases. They downloaded and ran scripts that pulled in additional payloads, compiled .NET components on the fly using the built-in `csc.exe` compiler, and set up Python-based tools for persistence within the system. The final payloads in this observed attack were the DonutLoader and the CastleRAT backdoor. CastleRAT is a powerful remote access trojan often distributed by the CastleLoader malware, a tool known for spreading information-stealers like LummaStealer.
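As an added illustration (not code from the article or from the researchers it cites), the following Python shows how a defender might flag the two distinctive stages of the chain just described in process-creation telemetry: `finger.exe` launched from a shell or the Run dialog, and `csc.exe` spawned by PowerShell. The event records, process IDs and command lines are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RUN_DIALOG_HOST = "explorer.exe"   # the Run dialog is hosted by explorer.exe


def detect(events):
    """Return (pid, reason) pairs for the two chain stages the article names."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Stage 1: finger.exe is a legacy client that almost never runs in a
        # modern enterprise; launched from a shell or the Run dialog it matches
        # the LOLBin download step described in the article.
        if e.image == "finger.exe" and parent.image in SHELLS | {RUN_DIALOG_HOST}:
            hits.append((e.pid, "finger.exe launched from shell/Run dialog"))
        # Stage 2: PowerShell spawning the .NET compiler = on-the-fly compilation.
        if e.image == "csc.exe" and parent.image in {"powershell.exe", "pwsh.exe"}:
            hits.append((e.pid, "csc.exe spawned by PowerShell"))
    return hits


# Constructed sample telemetry (not from the article): one ClickFix-style chain
# rooted at explorer.exe, plus a benign csc.exe compile launched by Visual Studio.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe",        "cmd.exe /c <pasted command placeholder>"),
    ProcEvent(201, 200, "finger.exe",     "finger.exe user@host.invalid"),  # placeholder host
    ProcEvent(300, 200, "powershell.exe", "powershell.exe <placeholder args>"),
    ProcEvent(301, 300, "csc.exe",        "csc.exe /noconfig <placeholder>.cs"),
    ProcEvent(500, 100, "devenv.exe",     "devenv.exe"),
    ProcEvent(501, 500, "csc.exe",        "csc.exe /noconfig build.cs"),     # benign
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

In production the same two conditions map naturally onto a Sigma rule over process-creation events; the parent-image filter is what keeps the `csc.exe` condition from firing on ordinary developer builds.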

While the Velvet Tempest group is typically associated with double-extortion ransomware attacks, where data is stolen before systems are encrypted, the researchers noted that the Termite ransomware payload itself was not deployed in this specific intrusion. Termite has been used in high-profile incidents against companies like Blue Yonder and Genea. This attack instead focused on establishing a persistent backdoor, potentially for later data theft or as a precursor to a ransomware deployment. The ClickFix technique is gaining popularity among various cybercriminal groups, with other gangs like Interlock also adopting this social engineering method to breach corporate defenses.

(Source: Bleeping Computer)
