Newly emergent threat operation Mocha Manakin has leveraged the ClickFix attack technique to deploy the novel NodeInitRAT malware as part of an attack campaign initially observed earlier this year, reports Cyber Security News.
Intrusions, which commenced in January, involved the use of bogus "Verify" or "Fix" buttons that facilitate the copying and subsequent execution of malicious PowerShell commands, which have been continuously improved by Mocha Manakin, according to findings from Red Canary researchers. Running the PowerShell command results in the distribution of NodeInitRAT code, which ensures persistence via Windows Registry run keys. Aside from utilizing GZIP compression and XOR encoding for increased stealth, NodeInitRAT also conducts reconnaissance, privilege escalation, and domain enumeration activities. Further analysis of Mocha Manakin activity showed similarities with Interlock ransomware, indicating that the former's ClickFix attack campaign could result in the delivery of ransomware payloads, researchers added.
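Two of the behaviours described above are observable on an endpoint: the ClickFix step (a user pasting a command into the Run dialog, so PowerShell is spawned by explorer.exe with a hidden window or an encoded command) and the persistence step (a value written under a CurrentVersion\Run key pointing at a user-writable path). The following detection script is an added example written for this page; it is not code from the article, from Red Canary or from Cyber Security News. The key=value log format, the field names (event, image, parent, cmdline, target, data), the paths, the SID and the base64 fragment are all constructed for the example, and the rules are generic heuristics rather than indicators taken from the reported campaign.

```python
import re
from dataclasses import dataclass

# Heuristics for the two behaviours in the report: Run-key persistence and
# PowerShell launched from the Run dialog (parent explorer.exe) with
# obfuscation flags. These are generic patterns, not campaign indicators.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse(line: str) -> dict:
    """Parse a constructed key=value log line; values may be double-quoted."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def analyze(lines) -> list:
    """Return one Finding per log line that matches a rule."""
    findings = []
    for i, line in enumerate(lines, 1):
        f = parse(line)
        event = f.get("event")
        if event == "RegistryValueSet" and RUN_KEY_RE.search(f.get("target", "")):
            data = f.get("data", "")
            # Run-key value pointing at a user-writable location or at PowerShell
            if (USER_WRITABLE_RE.search(data)
                    or ENCODED_PS_RE.search(f" {data} ")
                    or "powershell" in data.lower()):
                findings.append(Finding(i, "run_key_persistence", data))
        elif event == "ProcessCreate":
            cmd = f.get("cmdline", "")
            parent = f.get("parent", "").lower()
            image = f.get("image", "").lower()
            # PowerShell spawned by explorer.exe (Run dialog) with obfuscation flags
            if ("powershell" in image and parent.endswith("explorer.exe")
                    and (ENCODED_PS_RE.search(f" {cmd} ")
                         or HIDDEN_PS_RE.search(cmd)
                         or "iex" in cmd.lower()
                         or "invoke-expression" in cmd.lower())):
                findings.append(Finding(i, "clickfix_powershell", cmd))
    return findings


# Constructed sample telemetry (assumption: Sysmon-like events flattened to key=value).
SAMPLE_LOG = [
    r'event=ProcessCreate image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmdline="powershell -w hidden -enc QQBCAEMA"',
    r'event=ProcessCreate image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\cmd.exe" cmdline="powershell -NoProfile -Command Get-Process"',
    r'event=RegistryValueSet target="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater" data="C:\Users\alice\AppData\Roaming\Updater\updater.exe"',
    r'event=RegistryValueSet target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray" data="C:\Program Files\Vendor\tray.exe"',
    r'event=RegistryValueSet target="HKCU\Software\Vendor\Settings\Theme" data="dark"',
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule}: {hit.detail}")
```

Lines 2, 4 and 5 of the sample are benign controls: PowerShell launched from cmd.exe with a plain command, a Run value under Program Files, and a registry write outside the Run keys. Only the explorer-spawned encoded PowerShell and the AppData-backed Run value are reported, which is the pairing the article attributes to the ClickFix-to-NodeInitRAT chain.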