ReliaQuest’s Threat Research Team has discovered a new execution technique within the ClearFake campaign that tricks users into manually copying and pasting malicious PowerShell code. This method is designed to evade traditional security detections by leveraging social engineering techniques to bypass technical controls. Upon execution, the PowerShell code clears the DNS cache, displays a message box, downloads additional malicious code, and installs the LummaC2 malware.
ClearFake, a JavaScript framework, typically uses drive-by downloads and fake browser update prompts to distribute malware. However, this new campaign involves compromised websites that display fake browser error messages, instructing users to manually install a root certificate. The malicious PowerShell code is obfuscated using base64 encoding and, when executed, bypasses typical detection mechanisms by running under the explorer.exe process without suspicious parent–child process relationships.
This technique’s reliance on user action reduces its chances of widespread success but increases the severity of potential consequences due to the manual execution bypassing many security controls. ReliaQuest advises organizations to block identified IoCs, restrict PowerShell access to necessary users, and educate employees on the risks of executing code from untrusted sources. Further, implementing strict application control policies, enhancing user awareness, regularly updating and patching systems, and integrating endpoint security tools with AMSI can help mitigate this threat.
Reference:
