Legitimate WordPress websites are being abused to host malicious iframes or injected scripts that profile visitors based on the User-Agent to deliver OS-specific malware.
Analysis of multiple compromised WordPress websites indicates that they are leveraged as an initial access vector: visitors are lured to attacker-controlled domains using the “ClickFix” social engineering technique, in which the victim is tricked into pasting and running a command themselves.
Cegeka CSIRT found that the compromised websites host injected code which loads content from the attacker-controlled domain testio[.]ecartdev[.]com. The script served from that domain profiles visitors based on the User-Agent header and delivers a ClickFix prompt tailored to the visitor's operating system: the macOS variant leads to Amnesia Stealer, the Windows variant to HijackLoader. Because ClickFix relies on the victim running the pasted command, the payload is fetched outside the browser's own download controls rather than as a drive-by download.
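The first thing a site owner or analyst wants is a way to spot the injection itself. The following is an added example (not Cegeka CSIRT's tooling and not taken from the report) that parses a page for third-party script and iframe references, matches them against the defanged domain named above, and shows why a single crawl can miss a User-Agent-conditional injection. The site hostname, the theme CDN, the iframe path and the sample HTML are constructed for the example; the IOC domain is the one from this article.

```python
"""Scan a WordPress page for injected third-party <script>/<iframe> references.

Added example, not Cegeka CSIRT's tooling. It runs offline on the constructed
sample page below; the only indicator it carries is the domain named in the
article, kept defanged and refanged at runtime.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Defanged indicator taken from the article.
IOC_DOMAINS = {"testio[.]ecartdev[.]com"}

# Hypothetical hostname of the scanned site.
SITE_HOST = "victim-blog.example"


def refang(domain: str) -> str:
    """Turn 'a[.]b' back into a real hostname for matching."""
    return domain.replace("[.]", ".").lower()


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_refs(html: str, site_host: str) -> list:
    """Return (tag, src) pairs whose host is not the site itself.

    Relative URLs carry no host and are treated as first-party.
    """
    collector = _RefCollector()
    collector.feed(html)
    result = []
    for tag, src in collector.refs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            result.append((tag, src))
    return result


def ioc_hits(refs, ioc_domains=IOC_DOMAINS) -> list:
    """Keep only references hosted on an IOC domain or one of its subdomains."""
    bad = {refang(d) for d in ioc_domains}
    hits = []
    for tag, src in refs:
        host = (urlparse(src).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in bad):
            hits.append((tag, src))
    return hits


def ua_conditional_refs(responses_by_ua: dict, site_host: str) -> dict:
    """Map each external reference to the User-Agent labels that received it,
    keeping only references that were NOT served to every User-Agent.

    Assumption for this example: the injected reference is served
    conditionally, so a single crawl with a scanner User-Agent never sees it.
    """
    seen = {}
    for ua, html in responses_by_ua.items():
        for ref in external_refs(html, site_host):
            seen.setdefault(ref, []).append(ua)
    return {ref: uas for ref, uas in seen.items() if len(uas) < len(responses_by_ua)}


# Constructed sample page: one first-party script, one legitimate-looking CDN
# script (hypothetical host), and a hidden iframe on the article's IOC domain
# (the path is hypothetical).
INJECTED_TAG = ('<iframe src="https://%s/index.html" style="display:none"></iframe>'
                % refang("testio[.]ecartdev[.]com"))
SAMPLE_PAGE = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.theme-vendor.example/theme.js"></script>
</head><body><p>Welcome</p>
{INJECTED_TAG}
</body></html>"""

# Constructed responses keyed by the User-Agent class used to fetch the page:
# browsers receive the injection, a scanner User-Agent does not.
SAMPLE_BY_UA = {
    "windows-browser": SAMPLE_PAGE,
    "macos-browser": SAMPLE_PAGE,
    "scanner": SAMPLE_PAGE.replace(INJECTED_TAG, ""),
}

if __name__ == "__main__":
    refs = external_refs(SAMPLE_PAGE, SITE_HOST)
    print("external references:", refs)
    print("IOC hits:", ioc_hits(refs))
    print("served only to some User-Agents:", ua_conditional_refs(SAMPLE_BY_UA, SITE_HOST))
```

When checking a real site, fetch the page several times with Windows, macOS and generic scanner User-Agent strings and compare the results; a reference that only appears for browser User-Agents is the profiling behaviour described above and should be treated as suspect even when its host is not yet on an indicator list.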
The macOS ClickFix prompt starts the Amnesia Stealer infection chain by downloading the archive macos-hybrid-stealer.zip from the domain shlyapadulina[.]space. The archive contains the primary stealer components, which collect browser credentials, files, notes and system data and stage them in a temporary directory; the staged data is then exfiltrated to an external IP address via HTTP POST requests. An HTTP POST from a workstation straight to a bare external IP address, with no hostname involved, is the network-level indicator to look for.
The Windows ClickFix prompt starts the HijackLoader infection chain by downloading and installing a malicious MSI file. The malware abuses legitimate signed applications through DLL search order hijacking and in-memory .NET assembly execution: the chain ends with a malicious .NET assembly loaded and executed inside the digitally signed process ‘RadiantC64.exe’. Because the host process carries a valid signature, controls that trust binaries by signer alone will not stop it; the loaded assembly and the process's network behaviour are the signals to inspect. During execution, the malware communicates with BNB Smart Chain endpoints via Ethereum JSON-RPC requests, as well as with a malicious external IP address.
The diagram below shows a high-level overview of the infection chain involving the deployment of HijackLoader, while a comprehensive analysis is provided in the threat analysis report linked within this article.
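Both infection chains above leave a distinctive egress pattern: the macOS stealer POSTs staged data to a bare external IP address, and on Windows a signed process that is neither a browser nor a wallet issues Ethereum JSON-RPC calls. The following added example (not part of the Cegeka CSIRT report) runs those two checks over JSON-lines egress records. The log schema, the process allowlist, the RPC hostname, the JSON-RPC method and every sample record are constructed; IP literals use documentation ranges in place of the real addresses, which are in the linked IOC list.

```python
"""Flag egress records matching the two post-infection behaviours described
above: HTTP POSTs to a bare external IP (macOS stealer exfiltration) and
Ethereum JSON-RPC calls from a process that is not a browser or wallet
(HijackLoader's BNB Smart Chain traffic).

Added example, not part of the Cegeka CSIRT report. The log schema, the
process allowlist and every sample record are constructed.
"""
import ipaddress
import json

# Address space that is never an external exfiltration target. Documentation
# ranges (203.0.113.0/24 etc.) are deliberately NOT listed so the samples
# below count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Hypothetical allowlist: processes from which Ethereum JSON-RPC is expected
# (browsers hosting wallet extensions). Tune to the environment.
RPC_EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def is_external_ip_literal(host: str) -> bool:
    """True when the Host value is a raw IP address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a hostname, not an IP literal
    return not any(ip in net for net in INTERNAL_NETS)


def eth_jsonrpc_method(body: str):
    """Return the JSON-RPC method name if the body is an Ethereum JSON-RPC request."""
    try:
        msg = json.loads(body) if body else None
    except ValueError:
        return None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0":
        method = str(msg.get("method", ""))
        if method.startswith("eth_"):
            return method
    return None


def classify(rec: dict) -> list:
    """Return the detection labels that apply to one egress record."""
    labels = []
    if rec.get("method") == "POST" and is_external_ip_literal(rec.get("host", "")):
        labels.append("post-to-external-ip-literal")
    method = eth_jsonrpc_method(rec.get("body", ""))
    if method and rec.get("process", "").lower() not in RPC_EXPECTED_PROCESSES:
        labels.append(f"eth-jsonrpc-from-unexpected-process:{method}")
    return labels


def flag_egress(log_jsonl: str) -> list:
    """Run classify() over JSON-lines egress records and keep the flagged ones
    as (timestamp, process, host, labels)."""
    flagged = []
    for line in log_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        labels = classify(rec)
        if labels:
            flagged.append((rec["ts"], rec["process"], rec["host"], labels))
    return flagged


# Constructed sample records, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # macOS: staged data pushed to a bare external IP (documentation address).
    {"ts": "t1", "os": "macos", "process": "curl", "method": "POST",
     "host": "203.0.113.10", "body": ""},
    # macOS: an internal POST, not flagged.
    {"ts": "t2", "os": "macos", "process": "curl", "method": "POST",
     "host": "10.0.0.5", "body": ""},
    # Windows: the signed host process named in the article issuing JSON-RPC
    # (hostname and method are sample data, not taken from the report).
    {"ts": "t3", "os": "windows", "process": "RadiantC64.exe", "method": "POST",
     "host": "bsc-rpc.example", "body": json.dumps(
         {"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": []})},
    # Windows: the same call from a browser (wallet extension), allowlisted.
    {"ts": "t4", "os": "windows", "process": "chrome.exe", "method": "POST",
     "host": "bsc-rpc.example", "body": json.dumps(
         {"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": []})},
    # Windows: ordinary browsing.
    {"ts": "t5", "os": "windows", "process": "chrome.exe", "method": "GET",
     "host": "www.example.com", "body": ""},
])

if __name__ == "__main__":
    for hit in flag_egress(SAMPLE_LOG):
        print(hit)
```

The JSON-RPC rule keys on the request body rather than on endpoint hostnames on purpose: public BNB Smart Chain RPC providers are legitimate services, so blocking them by name produces false positives for wallet users, whereas `eth_*` calls originating from a non-browser process are rare enough on a corporate workstation to be worth an alert. The process name is the article's signed host process; a real deployment would also compare the loaded .NET modules of that process against what the signed application is expected to load.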
Cegeka CSIRT encourages organizations to:
Please find the full Cegeka CSIRT threat analysis report which includes the observed indicators of compromise here:
Our Cegeka Modern SOC, staffed with experienced security professionals, is able to detect these types of attacks and adequately respond to them in a timely manner, minimizing or even fully preventing impact on your organization.