| ClearFake Campaign | |
| --- | --- |
| Type of Threat | Exploit |
| Date of initial activity | 2023 |
| Motivation | Data Theft |
| Associated Malware | ClearFake |
| Attack Vectors | Phishing |
| Type of information Stolen | Browser Data |
| Targeted Systems | Windows |
Overview
ClearFake is a sophisticated piece of malware that leverages social engineering tactics to deceive users into downloading malicious software under the guise of a legitimate browser update. Discovered in July 2023, ClearFake operates through a fake update campaign that utilizes JavaScript to deliver its payload. The malware’s primary mechanism involves creating a deceptive “fake browser update” page, which is served to users through JavaScript iframes. These fake update prompts mimic legitimate browser notifications, tricking users into downloading what they believe is a necessary update for their web browser. In reality, this update package is a malicious file designed to infiltrate the victim’s system.
Upon execution, the ClearFake malware loader begins its nefarious activities by performing a range of malicious functions on the infected machine. The malware can vary in its delivery methods and file types, including executable files and application packages. Once installed, ClearFake employs various techniques to maintain persistence and evade detection. The malware is capable of stealing sensitive information, executing command-and-control (C2) operations, and downloading additional payloads to further compromise the victim’s system.
One notable evolution of ClearFake’s distribution method is the EtherHiding technique, which emerged as an advanced method for malware delivery. EtherHiding exploits the Binance SmartChain technology to embed malicious JavaScript into target websites. This technique leverages compromised WordPress plugins to inject malicious code into web pages, which then executes when users visit the affected site. By utilizing the Binance SmartChain, threat actors can conceal their initial payload and communicate with secondary domains that host further malicious JavaScript. This method enhances the malware’s ability to avoid detection and improves its distribution efficiency.
Targets
Individuals
How they operate
At its core, ClearFake uses JavaScript to execute its payload. This method of exploitation leverages vulnerabilities in client applications, such as web browsers, to run the malicious code. This approach is particularly effective because it operates within the context of trusted applications, making detection more challenging. The malware then employs techniques to establish persistence on the infected machine. One common method involves setting up scheduled tasks or jobs that ensure the malware remains active even after system reboots.
To evade detection, ClearFake incorporates several defense evasion strategies. It may use methods to remove or obfuscate indicators of compromise, such as deleting logs or using fileless techniques to avoid traditional detection methods. This stealthy behavior helps the malware remain undetected by security solutions that rely on static indicators. In addition to evasion, ClearFake is designed to exfiltrate sensitive information. It can steal credentials and other valuable data from the compromised system, which is then transmitted back to the threat actor over encrypted channels.
Communication between the malware and its command-and-control (C2) servers is another critical aspect of ClearFake’s operation. The malware uses application layer protocols, such as HTTP or HTTPS, to communicate with its C2 infrastructure. This allows it to receive commands, download additional payloads, and exfiltrate stolen data without raising suspicion. By leveraging these techniques, ClearFake effectively achieves its objectives while keeping its visible footprint on the target system small.
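As an added defender-side example (not code from the original page or from any ClearFake analysis), the Python below scans a page's HTML for the iframe-based fake browser update overlay described above. The sample pages, the `.invalid` placeholder host and the matching heuristics are constructed assumptions for illustration.

```python
# Added defender-side example: heuristic scan for an injected fake-browser-update overlay.
# Flags <iframe>s styled to cover the viewport and inline <script>s that build an iframe
# and mention a browser update. Samples and thresholds are constructed assumptions.
from html.parser import HTMLParser
import re

UPDATE_WORDS = re.compile(r"(update|upgrade).{0,40}(chrome|firefox|edge|browser)", re.I | re.S)
IFRAME_BUILD = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)

class OverlayScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (reason, evidence) tuples
        self._in_script, self._script_buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").lower().replace(" ", "")
            # A fixed, full-size frame is how an overlay hides the real page.
            if "position:fixed" in style and "width:100%" in style and "height:100%" in style:
                self.findings.append(("viewport-covering iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script, self._script_buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            # Injected loaders build the lure iframe at runtime rather than shipping static HTML.
            if IFRAME_BUILD.search(body) and UPDATE_WORDS.search(body):
                self.findings.append(("script builds update-themed iframe", body.strip()[:60]))

def scan_page(html):
    s = OverlayScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed samples (placeholder .invalid host), not real captured pages.
CLEAN_PAGE = '<p>Hi</p><iframe src="https://maps.example.com/embed" width="400"></iframe>'
STATIC_OVERLAY = '<iframe style="position: fixed; width:100%; height:100%; z-index:99999" src="https://update-lure.invalid/"></iframe>'
INJECTED_PAGE = ('<p>Hi</p><script>var f=document.createElement("iframe");'
                 'f.style.cssText="position:fixed;top:0;left:0;width:100%;height:100%";'
                 'f.src="https://update-lure.invalid/?Update Chrome";document.body.appendChild(f);</script>')
```

Run `scan_page()` over saved copies of a site's pages after a suspected WordPress plugin compromise; an empty list for a page means neither heuristic fired, not that the page is clean.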
MITRE Tactics and Techniques
Initial Access (T1071)
Phishing: ClearFake uses social engineering to trick users into downloading a fake browser update, which is a form of phishing. The malicious payload is delivered under the guise of a legitimate software update.
Execution (T1203)
Exploitation for Client Execution: The malware relies on JavaScript to execute its payload. This technique involves exploiting vulnerabilities in the client application (e.g., web browsers) to run the malicious code.
Persistence (T1053)
Scheduled Task/Job: ClearFake may use scheduled tasks or jobs to ensure that its malicious payload persists even after system reboots. This technique involves setting up tasks that periodically execute the malware.
Defense Evasion (T1070)
Indicator Removal on Host: To avoid detection, ClearFake might use techniques to remove or obfuscate indicators of compromise (IoCs) on the host system, such as deleting logs or using fileless methods.
Credential Access (T1071)
Exploitation of Credentials: Once installed, ClearFake can steal sensitive information, including credentials, from the infected system.
Command and Control (T1071)
Application Layer Protocol: ClearFake may use various application layer protocols (e.g., HTTP/HTTPS) to communicate with its command-and-control servers. This allows it to receive additional commands or download further malicious payloads.
Exfiltration (T1041)
Exfiltration Over Command and Control Channel: The malware may exfiltrate stolen data over the same command-and-control channel used for communication with the threat actor.