Counterfeit CAPTCHA pages tapped to spread CORNFLAKE.V3 malware

Financially motivated threat group UNC5518 has harnessed fraudulent CAPTCHA pages to inject the CORNFLAKE.V3 backdoor as part of a ClickFix attack campaign, The Hacker News reports.

Illicit ads and search engine poisoning have been used to direct victims to a bogus CAPTCHA verification page, which then lures targets into executing a malicious PowerShell command that ends with the deployment of CORNFLAKE.V3, findings from Mandiant showed. Aside from enabling system data gathering and exfiltration, CORNFLAKE.V3 also enables the execution of additional payloads, including a credential-harvesting script, the WINDYTWIST.SEA backdoor, and an Active Directory reconnaissance utility.

Additional findings revealed that initial access obtained by UNC5518 has also been used by the UNC5774 and UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.

"To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible," said Mandiant researcher Marco Galli, who also urged the implementation of logging and monitoring systems, as well as simulation exercises, to curb the threat.
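The Run-dialog mitigation quoted above, as an added example that is not Mandiant's or SC Media's code: a PowerShell script that applies the per-user Explorer NoRun policy (the registry value behind the "Remove Run menu from Start Menu" Group Policy setting) and then audits the user's RunMRU history, which Explorer keeps for commands typed into Win+R, for PowerShell-style entries. The policy and RunMRU registry locations are standard Windows paths; the indicator patterns in `$suspicious` are assumptions for illustration.

```powershell
# Added example (not from the article). Run in the context of the user to protect.

# 1) Apply the Explorer "NoRun" policy: removes Run from Start and blocks Win+R.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoRun' -Value 1 -Type DWord
# Takes effect for new Explorer sessions. In a domain, prefer the equivalent GPO:
# User Configuration > Administrative Templates > Start Menu and Taskbar >
# "Remove Run menu from Start Menu".

# 2) Audit what has already been typed into the Run dialog. Explorer stores each
#    command as a value named a, b, c, ... with a trailing "\1" suffix.
$mruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed indicator patterns for this audit; tune them to the local baseline.
$suspicious = 'powershell|pwsh|mshta|-enc|-w\s+hidden|\biwr\b|\birm\b|\biex\b|Invoke-Expression|https?://'
$metaProps  = @('MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

if (Test-Path $mruKey) {
    $props = Get-ItemProperty -Path $mruKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }          # skip non-command values
        $cmd = ([string]$p.Value) -replace '\\1$', ''      # strip Explorer's "\1" suffix
        if ($cmd -match $suspicious) {
            Write-Warning ("RunMRU entry '{0}' matches a ClickFix-style pattern: {1}" -f $p.Name, $cmd)
        } else {
            Write-Verbose ("RunMRU entry '{0}': {1}" -f $p.Name, $cmd)
        }
    }
} else {
    Write-Output 'No RunMRU history found for this user.'
}
```

A warning from step 2 means the Run dialog was already used for a PowerShell-style one-liner on this account, which is the point at which the logging and monitoring Galli recommends should trigger an investigation.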
