The ClearFake campaign has evolved significantly, particularly with its adoption of new tactics and technologies. As of May 2024, the attackers introduced a technique called ClickFix, which deceives victims into running malicious PowerShell commands disguised as solutions for non-existent technical issues. This new approach is part of a broader shift towards integrating Web3 technologies, where the attackers interact with Binance’s Smart Chain (BSC) contracts to load JavaScript code and encrypted payloads.
This technique helps the campaign evade traditional security measures, making detection and analysis more challenging.
ClearFake’s updated framework now incorporates a multi-stage attack process that starts when a victim visits a compromised website. The victim is then redirected to a phishing page that uses BSC-hosted JavaScript to fingerprint their system, followed by the decryption of ClickFix-related HTML code hosted on Cloudflare Pages. Once the victim runs the malicious PowerShell command, it triggers the deployment of a loader that installs malware, including Lumma Stealer.
This makes the campaign highly adaptive, as it leverages trusted platforms and advanced evasion methods to distribute its payload.
The use of smart contracts for system fingerprinting and payload delivery represents a significant technological shift in ClearFake’s attack methodology. By utilizing BSC, the attackers create a more resilient attack chain, which is harder to trace and stop. Additionally, the malicious infrastructure is regularly updated with new JavaScript and AES key combinations, making it difficult for security solutions to detect or block. These changes make the ClearFake campaign far more sophisticated and harder to defend against, particularly for unprotected systems.
ClearFake’s adoption of Web3 and blockchain-related techniques demonstrates a more advanced and persistent threat landscape. The introduction of ClickFix, alongside ongoing updates to the framework, shows that the attackers are keen on adapting their methods to bypass evolving security defenses. The campaign has grown to affect thousands of websites globally, with over 200,000 unique users potentially exposed by mid-2024. The shift to more dynamic attack vectors signals a troubling trend of increasingly sophisticated malware campaigns targeting both individuals and organizations.
