Ransomware spread using HTA files in new ClickFix campaign

Epsilon Red ransomware is being spread via a unique ClickFix lure that convinces victims to download and execute HTML Application files.

The campaign impersonates widely used online services such as Twitch, Kick, Rumble, OnlyFans and the popular Discord Captcha Bot, CloudSEK reported recently.

Like other sites using the ClickFix social-engineering method, these impersonation sites display a fake CAPTCHA prompt, but rather than having the victim copy and paste malicious commands, this version directs them to go to a different page to complete “extra verification steps.”

These extra steps include pressing CTRL + S to save a file, renaming the file to verify.hta, opening the file with Microsoft HTML Application Host (mshta.exe), clicking “YES” if a popup appears and then entering a decoy “verification code” on the original CAPTCHA page. This last step is designed to trick the user into believing they have completed a legitimate verification process.

Meanwhile, completing these steps will launch embedded JavaScript within the HTA file that leverages ActiveX to execute shell commands. These commands silently download and execute the Epsilon Red ransomware while also displaying the decoy verification code to keep the victim none-the-wiser.

Epsilon Red is a ransomware variant first observed in 2021 that has a similar ransom note to that of the REvil ransomware group, but otherwise does not appear to be connected. Epsilon Red uses double extortion tactics, both encrypting files and threatening to leak stolen data if a ransom is not paid, according to Sophos.

CloudSEK recommended organizations block the legacy script execution vectors ActiveX (ActiveXObject) and Windows Script Host (WScript.Shell), which can be abused by threat actors to remotely execute malicious commands.

The cybersecurity firm also recommended leveraging threat intelligence to block known malicious IPs, such as those associated with Espilon Red, using endpoint detection and response (EDR) rules to flag suspicious child processes created from browsers and hidden executions, and training employees to recognize ClickFix and brand impersonation techniques.