Velvet Tempest uses ClickFix for DonutLoader and CastleRAT deployment

Ransomware threat actors known as Velvet Tempest are employing the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at MalBeacon observed these activities over a 12-day period in an emulated environment, as reported by Bleeping Computer.

Velvet Tempest, also tracked as DEV-0504, has spent five years as an affiliate of major ransomware operations including Ryuk, REvil, Conti, BlackMatter, BlackCat, LockBit, and RansomHub. The observed attack, which targeted a replica of a U.S. non-profit organization with more than 3,000 endpoints, began with a malvertising campaign that led to a ClickFix lure combined with a CAPTCHA prompt. Victims were tricked into pasting an obfuscated command into the Windows Run dialog, which launched nested command-line processes and used finger.exe to download the initial malware loaders.

Subsequent stages involved PowerShell scripts to download further payloads, compile .NET components using csc.exe, and establish persistence with Python components. The operation culminated in the staging of DonutLoader and the retrieval of CastleRAT, a backdoor known for distributing various RATs and information stealers.
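A defender-side illustration of the chain described above, added here and not taken from the article or from MalBeacon: a small Python detector that groups constructed Sysmon-style process-creation events into trees and flags a Run-dialog shell (cmd.exe or powershell.exe spawned by explorer.exe) whose descendants include finger.exe and the other binaries the report names. Field names, PIDs and command lines are constructed placeholders.

```python
# Added example, not the article's or MalBeacon's code: flag ClickFix-style
# process trees in constructed Sysmon-like process-creation events.
LOLBINS = {"finger.exe", "csc.exe", "powershell.exe", "python.exe"}  # named in the report
RUN_SHELLS = {"cmd.exe", "powershell.exe"}  # a Run-dialog paste launches these under explorer.exe

def flag_clickfix_chains(events: list) -> list:
    """One finding per explorer.exe-spawned shell whose descendants include finger.exe."""
    by_pid = {e["pid"]: e for e in events}  # assumed fields: pid, ppid, image, cmdline
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    def descendants(pid):
        out = []
        for child in children.get(pid, []):
            out.append(child)
            out.extend(descendants(child["pid"]))
        return out

    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        from_run = (e["image"].lower() in RUN_SHELLS and parent is not None
                    and parent["image"].lower() == "explorer.exe")
        if not from_run:
            continue
        tree = descendants(e["pid"])
        images = {d["image"].lower() for d in tree}
        # finger.exe under a user shell is rare and high-signal; csc.exe alone is noisy (Add-Type spawns it)
        if "finger.exe" not in images:
            continue
        findings.append({"root_pid": e["pid"], "root_cmdline": e["cmdline"],
                         "lolbins": sorted(images & LOLBINS),
                         "process_count": len(tree)})
    return findings

# Constructed events: one ClickFix-style tree plus a benign PowerShell
# session that compiles via Add-Type (csc.exe) and must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": "cmd.exe", "cmdline": "cmd.exe /c <pasted Run-dialog command, redacted>"},
    {"pid": 2001, "ppid": 2000, "image": "cmd.exe", "cmdline": "cmd.exe /c <nested stage>"},
    {"pid": 2002, "ppid": 2001, "image": "finger.exe", "cmdline": "finger.exe user@<placeholder-host>"},
    {"pid": 2003, "ppid": 2001, "image": "powershell.exe", "cmdline": "powershell.exe <stage 2 script, redacted>"},
    {"pid": 2004, "ppid": 2003, "image": "csc.exe", "cmdline": "csc.exe /out:<placeholder>.dll"},
    {"pid": 2005, "ppid": 2003, "image": "python.exe", "cmdline": "python.exe <persistence component>"},
    {"pid": 4000, "ppid": 1000, "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 4001, "ppid": 4000, "image": "csc.exe", "cmdline": "csc.exe /noconfig <Add-Type temp files>"},
]
```

Running `flag_clickfix_chains(SAMPLE_EVENTS)` yields a single finding rooted at PID 2000 listing csc.exe, finger.exe, powershell.exe and python.exe, while the benign Add-Type session is left alone.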

While Velvet Tempest is typically associated with double-extortion ransomware attacks, the Termite ransomware was not deployed in this observed intrusion. The adoption of the ClickFix technique by multiple ransomware gangs, including Interlock, highlights a growing trend in social engineering tactics to gain initial access to corporate networks, underscoring the need for enhanced user awareness and robust endpoint security measures.

Source: Bleeping Computer
