The recently emerged LeakNet ransomware gang has launched intrusions that use the ClickFix technique to inject a malware loader based on the open-source Deno runtime into corporate systems in a bid to expand its operations, BleepingComputer reports.

LeakNet leveraged a ClickFix lure with a counterfeit Cloudflare Turnstile verification page to deliver a Deno-based loader that runs an illicit JavaScript payload in memory as part of a bring-your-own-runtime attack, according to findings from ReliaQuest. Executing Deno triggers host-fingerprinting code and unique victim ID generation, as well as a connection to a command-and-control server to retrieve the second-stage payload. Researchers found that, following exploitation, LeakNet then performs DLL sideloading and C2 beaconing, as well as credential identification, lateral movement, payload staging, and data theft.

Organizations have been advised to watch for potential LeakNet activity characterized by Deno execution outside development environments, atypical PsExec utilization, dubious browser execution of "msiexec" and DLL sideloading, and unwarranted outbound traffic to S3.
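The process and network signals listed in that advice can be triaged together per host. The following is an added example, not code from the article or from ReliaQuest; the event schema, host names and allowlists are assumptions, and it does not attempt to detect DLL sideloading.

```python
import re

DEV_HOSTS = {"dev-ws-01"}            # assumption: hosts where Deno is expected
PSEXEC_HOSTS = {"admin-jump-01"}     # assumption: hosts where PsExec is expected
S3_APPROVED = {"backup-agent.exe"}   # assumption: processes allowed to reach S3
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
S3_HOST = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$", re.I)

def base(path):
    """Lower-cased file name taken from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the signals from the advisory that one event matches."""
    hits, host = [], ev["host"]
    image, parent = base(ev.get("image", "")), base(ev.get("parent", ""))
    if ev["type"] == "process":
        if image == "deno.exe" and host not in DEV_HOSTS:
            hits.append("deno_outside_dev")
        if image in PSEXEC and host not in PSEXEC_HOSTS:
            hits.append("atypical_psexec")
        if image == "msiexec.exe" and parent in BROWSERS:
            hits.append("browser_spawned_msiexec")
    elif S3_HOST.search(ev.get("dest", "")) and image not in S3_APPROVED:
        hits.append("unexpected_s3_egress")
    return hits

def triage(events):
    """Group signals per host; hosts with the most distinct signals come first."""
    per_host = {}
    for ev in events:
        for sig in classify(ev):
            per_host.setdefault(ev["host"], set()).add(sig)
    return sorted(per_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))

SAMPLE = [  # constructed events, not real telemetry
    {"type": "process", "host": "fin-ws-07", "image": r"C:\Users\a\AppData\Local\Temp\deno.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "host": "fin-ws-07", "image": r"C:\Users\a\AppData\Local\Temp\deno.exe", "dest": "bucket-placeholder.s3.us-east-1.amazonaws.com"},
    {"type": "process", "host": "dev-ws-01", "image": r"C:\tools\deno.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "hr-ws-02", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "host": "srv-01", "image": r"C:\agent\backup-agent.exe", "dest": "s3.amazonaws.com"},
]

if __name__ == "__main__":
    for host, sigs in triage(SAMPLE):
        print(host, sorted(sigs))
```

A host that shows several of these signals together deserves attention before one that shows a single signal, which is why `triage` sorts by the number of distinct signals.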
Ransomware
ClickFix, Deno-based loader tapped by nascent LeakNet ransomware gang




