AI & TechBigTech CompaniesCybersecurityNewswireTechnology

Russia’s elite hackers now use Clickfix to infect devices

▼ Summary

– Russia’s elite GRU hacking unit Sandworm is using the Clickfix attack technique to compromise devices of sensitive Ukrainian organizations.
– Clickfix tricks users into copying text from a fake CAPTCHA and pasting it into a terminal, which executes malicious scripts.
– The campaign, active since spring 2024, has compromised at least one organization with the custom malware FreakyPoll.
– Ukrainian authorities identified 10 compromised websites hosting fake CAPTCHAs that deliver PowerShell commands.
– The attack first deploys reconnaissance malware like SCOUTCURL to assess device importance, then installs backdoors on high-value targets.

One of Russia’s most sophisticated state-sponsored hacking units has begun weaponizing a technique called Clickfix to infiltrate devices within sensitive Ukrainian organizations, according to a fresh warning from Ukraine’s CERT center.

Clickfix first emerged roughly a year ago as a favored tactic among financially motivated cybercriminals. The method works by tricking visitors into solving a CAPTCHA on a compromised website, then copying and pasting a string of text into their own terminal. That text harbors scripts that, once executed, can install malware or steal sensitive data. Now, Ukraine’s CERT reports that Sandworm, an elite hacking team operating under Russia’s GRU military intelligence agency, has adopted this approach.

The campaign, which began in the spring and stretched into the summer, has already compromised at least one organization. Investigators discovered that a connected device was infected with FreakyPoll, a custom malware package used by Sandworm. Ukrainian authorities identified ten websites under the group’s control that displayed a fake CAPTCHA, instructing users to run a PowerShell command to prove they were human.

Once the victim entered the script, it triggered the installation of malicious Visual Basic scripts and other tools. The first payload was typically a reconnaissance program that collected system information. For machines deemed high-value, follow-on malware was deployed to create a persistent backdoor.

“The command, as an example, could be intended to load and save a VBS file in the Startup directory,” the translated advisory from Tuesday stated. “One of the variants of such a program was called GHETTOVIBE. At the next stage, in order to determine the importance of the cyberattack object, the SCOUTCURL software tool can be loaded onto the attacked computer, which is a PowerShell script that performs basic reconnaissance by collecting and exfiltrating information about the computer: basic characteristics, programs, files, Internet browser data, etc.”

(Source: Ars Technica)

Topics

russian hacking group 95% clickfix attack technique 93% ukraine cyber attacks 92% sandworm malware 90% cert ukraine warning 88% fake captcha 87% powershell scripts 85% network compromise 83% reconnaissance malware 82% financially motivated criminals 80%