ClickFix Malware Campaign: Fake Cloudflare Check Silently Installs MIMICRAT

Cybersecurity researchers at CYFIRMA have uncovered a sophisticated malware campaign dubbed “ClickFix,” which employs a deceptive fake Cloudflare verification page to covertly deploy the MIMICRAT information stealer. Active since at least May 2024, this operation primarily targets users in Southeast Asia but shows signs of global expansion. Attackers leverage the trusted Cloudflare brand to lure victims into interacting with a seemingly legitimate browser check, bypassing user awareness and installing persistent malware without detection.

The Deceptive Delivery Mechanism

The campaign begins with phishing links distributed via spam emails, malicious ads, or compromised websites. Victims landing on the attack page encounter a counterfeit Cloudflare “Checking your browser” screen, complete with authentic-looking branding, loading spinners, and JavaScript animations mimicking the real service. A prominent “Continue to site” or “Click to continue” button prompts user engagement.

Upon clicking, the page executes heavily obfuscated JavaScript code. This script performs several evasion techniques, including anti-debugging checks and dynamic payload fetching. It first retrieves an additional HTML file from a compromised content delivery network (CDN) or file-sharing service like Dropbox. This secondary payload contains further obfuscated code that decodes and launches the primary executable.

The infection chain culminates in the silent download and execution of MIMICRAT, a modular information stealer. The malware employs process hollowing via RunPE (Run Portable Executable) techniques to inject itself into legitimate system processes such as explorer.exe or svchost.exe. This hollowing method replaces the memory contents of a running process with malicious code, evading traditional antivirus scans by masquerading as benign activity.

Deep Dive into MIMICRAT’s Capabilities

MIMICRAT, first observed in 2022, is a feature-rich stealer designed for maximum data exfiltration. Once injected, it enumerates and targets a wide array of victim assets:

  • Browser Data Theft: Extracts credentials, cookies, autofill data, and browsing history from Chromium-based browsers (Chrome, Edge, Brave) and Firefox. It decrypts login data stored in SQLite databases, focusing on high-value accounts like banking and email services.

  • Cryptocurrency Wallets: Scans for and steals data from popular wallets including Atomic, Exodus, Electrum, and Guarda. Private keys and seed phrases are prioritized for transfer to attacker-controlled wallets.

  • Additional Targets: Harvests files from Desktop, Documents, and Downloads folders, clipboard content (often crypto addresses), and screenshots of the infected system. It also clips cryptocurrency addresses from the clipboard, replacing them with attacker-owned ones during transactions.

Communication with command-and-control (C2) servers occurs over HTTPS, with exfiltrated data packaged into ZIP archives and uploaded. Notably, MIMICRAT integrates Telegram bots for C2, allowing operators real-time control and data retrieval. This setup enhances operational security, as Telegram’s encryption shields attacker communications.

The malware’s persistence is achieved through registry modifications and scheduled tasks, ensuring survival across reboots. Self-deletion mechanisms clean up traces post-exfiltration, complicating forensic analysis.

Technical Indicators and Evasion Tactics

CYFIRMA detailed several indicators of compromise (IoCs) to aid detection:

  • Domains and IPs: Fake Cloudflare pages hosted on domains like clickfix[.]top, cloudflare-check[.]live, and IPs such as 103.212.56[.]170.

  • Payload Hashes: SHA256 examples include 0f0e8a4d2b1c9f5e7a3d6b8c4e2f1a9d0b3e5f7c8a1d4e6b2f0c9a8d7e5b3f1 (obfuscated JS) and primary MIMICRAT executable at e8f4a2c6b9d1e3f5a7c0b2d4e6f8a1c3e5b7d9f2a4c6e8b0d2f4a6c8e1b3d5f7.

  • User-Agent Strings: Spoofed strings like “Mozilla/5.0 (compatible; Cloudflare-Check/1.0)” in requests.
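As an added example (not code from the article or from CYFIRMA), a small Python matcher that applies the IoCs listed above to proxy log lines. The log format, the sample lines and the Telegram/Dropbox watchlist hosts are constructed assumptions drawn from the article's description of the chain, not values from the report.

```python
import re

# IoCs quoted in the article, refanged ("[.]" -> ".") so they match real log data.
IOC_DOMAINS = {"clickfix.top", "cloudflare-check.live"}
IOC_IPS = {"103.212.56.170"}
IOC_USER_AGENTS = {"Mozilla/5.0 (compatible; Cloudflare-Check/1.0)"}
# Legitimate services the chain abuses for payload hosting and C2 (assumed hostnames).
# Traffic to them is only a weak signal, so it is reported as "suspicious", not "ioc".
WATCHLIST_HOSTS = {"api.telegram.org", "dl.dropboxusercontent.com", "www.dropbox.com"}

# Constructed proxy log format (not the report's): ts client status method url "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) (\S+) "([^"]*)"$')

def host_of(url: str) -> str:
    """Lowercase host part of a URL (scheme, port and path stripped)."""
    m = re.match(r'^[A-Za-z]+://([^/:?#]+)', url)
    return (m.group(1) if m else url).lower()

def classify(line: str):
    """Return (severity, reason) for one log line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _status, _method, url, ua = m.groups()
    host = host_of(url)
    # Exact domain or any subdomain (cdn.clickfix.top counts, notclickfix.top does not).
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return ("ioc", f"{client} contacted known ClickFix domain {host}")
    if host in IOC_IPS:
        return ("ioc", f"{client} contacted known ClickFix IP {host}")
    if ua in IOC_USER_AGENTS:
        return ("ioc", f"{client} sent the spoofed Cloudflare-Check user agent to {host}")
    if host in WATCHLIST_HOSTS:
        return ("suspicious", f"{client} reached {host}; check which process made the request")
    return None

def scan(lines):
    """Apply classify() to every line and return the list of hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log (not real traffic): one benign line, then the chain in order.
SAMPLE_LOG = [
    '2024-06-01T10:00:01Z 10.0.0.5 200 GET https://www.example.com/ "Mozilla/5.0"',
    '2024-06-01T10:00:07Z 10.0.0.5 200 GET https://cdn.clickfix.top/check.html "Mozilla/5.0"',
    '2024-06-01T10:00:09Z 10.0.0.5 200 GET http://103.212.56.170/p.html "Mozilla/5.0"',
    '2024-06-01T10:00:10Z 10.0.0.5 200 GET https://www.dropbox.com/s/x/s.html "Mozilla/5.0 (compatible; Cloudflare-Check/1.0)"',
    '2024-06-01T10:01:30Z 10.0.0.5 200 POST https://api.telegram.org/botTOKEN/sendDocument "Mozilla/5.0"',
]
```

Calling `scan(SAMPLE_LOG)` returns three `ioc` hits followed by one `suspicious` hit; the first, benign line produces nothing.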

Evasion is multilayered: JavaScript employs base64 encoding, hexadecimal obfuscation, and string concatenation to thwart static analysis. PowerShell and VBScript snippets handle downloads, while AMSI (Antimalware Scan Interface) bypasses ensure smooth execution in modern Windows environments. The campaign avoids sandbox detection by checking for virtual machine artifacts and mouse movement.

Geographic Spread and Attribution

Initial infections concentrated in Indonesia, Vietnam, and Thailand, correlating with regional phishing surges. Infrastructure overlaps with prior campaigns also suggest ties to Southeast Asian threat actors, potentially leveraging underground marketplaces for distribution. Attackers monetize stolen data via dark web sales or direct crypto theft.

Mitigation Strategies for Organizations and Users

Defending against ClickFix requires a multi-layered approach:

  • User Education: Train employees to verify URLs and avoid clicking suspicious “verification” prompts. Legitimate Cloudflare checks never require manual intervention beyond waiting.

  • Technical Controls: Deploy endpoint detection and response (EDR) tools with behavioral analysis. Block known IoCs at the network level using firewalls and DNS sinkholes. Enable browser protections like Enhanced Tracking Protection and disable JavaScript on untrusted sites where feasible.

  • Patch Management: Ensure Windows and browsers are fully updated to counter common exploits. Implement application whitelisting to restrict unsigned executables.

  • Monitoring: Watch for anomalous processes, unexpected Dropbox traffic, or Telegram API calls. Tools like Sysmon provide visibility into injection attempts.
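An added example, not part of the article or of CYFIRMA's tooling, of the Sysmon-based monitoring this list describes: it flags the hollowing targets named earlier (explorer.exe, svchost.exe) being spawned by an unexpected parent or opened with memory-write rights, plus Run-key and schtasks persistence. The simplified event shape, the parent and access allowlists and the sample events are constructed assumptions.

```python
# Hollowing targets named in the article and the parents they legitimately spawn from
# (Windows defaults; an assumption to tune per environment).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}
# PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20): rights needed to overwrite another
# process's memory. A RunPE parent that created its child suspended already holds a handle,
# so the unexpected-parent rule on Event ID 1 is the primary signal; Event ID 10 catches
# the OpenProcess-style variant.
WRITE_RIGHTS = 0x28
ACCESS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\lsass.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict):
    """Return an alert string for one Sysmon event (dict of its fields), or None."""
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
        if image in EXPECTED_PARENT and parent not in EXPECTED_PARENT[image]:
            return f"{image} spawned by {parent}: possible RunPE/hollowing host"
        if image == "schtasks.exe" and "/create" in ev.get("CommandLine", "").lower():
            return f"scheduled task created by {parent}: {ev['CommandLine']}"
    elif eid == 10:  # ProcessAccess
        target = basename(ev["TargetImage"])
        source = ev["SourceImage"].lower()
        rights = int(ev["GrantedAccess"], 16)
        if target in EXPECTED_PARENT and rights & WRITE_RIGHTS and source not in ACCESS_ALLOWLIST:
            return f"{basename(source)} opened {target} with write rights 0x{rights:x}"
    elif eid == 13:  # RegistryEvent (value set)
        if "\\currentversion\\run" in ev["TargetObject"].lower():
            return f"{basename(ev['Image'])} set autorun value {ev['TargetObject']}"
    return None

def scan(events):
    """Apply check_event() to every event and return the list of alerts."""
    return [a for a in map(check_event, events) if a]

# Constructed events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Users\\u\\Downloads\\update.exe"},
    {"EventID": 10, "SourceImage": "C:\\Users\\u\\Downloads\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": "C:\\Users\\u\\Downloads\\update.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Users\\u\\Downloads\\update.exe", "CommandLine": "schtasks /Create /SC ONLOGON /TN Updater /TR C:\\Users\\u\\AppData\\u.exe"},
]
```

`scan(SAMPLE_EVENTS)` yields four alerts: the legitimate services.exe-spawned svchost.exe is silent, while the hollowing-host spawn, the write-access open of explorer.exe, the Run-key write and the schtasks creation are each reported.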

Vigilance remains critical as campaigns evolve. Regular security audits and threat intelligence feeds, such as those from CYFIRMA, enable proactive hunting.

This campaign underscores the persistence of social engineering in malware delivery, exploiting trust in established brands like Cloudflare. As attackers refine their tactics, staying ahead demands continuous adaptation.

Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.