![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/12\/image_d32618.png\")
<\/a><\/figure>\nBased on previous evidence, criminals are tricking victims into visiting a lookalike site with the goal of downloading malware. In this case, the first part was true, but what unfolded next was new to us.<\/p>\n
When we clicked the Download button, we were redirected to a new page that appeared to be Cloudflare asking us to “verify you are human by completing the action below<\/em>“. This type of message is more and more common, as site owners try to prevent bots and other unwanted traffic.<\/p>\n But rather than having to solve a CAPTCHA, we saw another unexpected message: “Your browser does not support correct offline display of this document. Please follow the instructions below using the “Fix it” button<\/em>“.<\/p>\n This technique is actually not new in itself, and similar variants have been seen both via email spam and compromised websites before. It is sometimes referred to as ClearFake<\/a> or ClickFix<\/a>, and requires users to perform a manual action to execute a malicious PowerShell command.<\/p>\n Clicking on the ‘Fix It’ button copies that command into memory (the machine’s clipboard). Of course the user has no idea what it is, and may follow the instructions that ask to press the Windows and ‘R’ key to open the Run command dialog. CTRL+V pastes that command and Enter executes it.<\/p>\n Once the code runs, it will download a file from a remote domain (topsportracing[.]com<\/em>) within the script. We tested that payload in a sandbox and observed immediate fingerprinting:<\/p>\n The information is then sent back to a command and control server (peter-secrets-diana-yukon[.]trycloudflare[.]com<\/em>) abusing Cloudflare tunnels:<\/p>\n The use of Cloudflare tunnels by criminals was previously reported<\/a> by Proofpoint to deliver RATs. We weren’t able to observe a final payload but it is likely of a similar kind, perhaps an infostealer.<\/p>\n This was not an isolated campaign for Notepad, as we soon found additional sites with a similar lure. There was a Microsoft Teams landing page which used exactly the same trick, followed by others such as FileZilla, UltraViewer, CutePDF and Advanced IP Scanner.<\/p>\n Oddly, we saw a lure for a cruise booking site. We have no idea how that came to be, unless the criminals agree that everyone needs a vacation sometimes.<\/p>\n As mentioned previously, this type of social engineering attack is getting more and more popular. Researchers are tracking<\/a> several different families under different names such as the original SocGholish<\/a>.<\/p>\n Interestingly, the same domain (topsportracing[.]com<\/em>) we saw in the malicious PowerShell command for Notepad++ was also used recently in another campaign known as #KongTuke<\/a>:<\/p>\n As these schemes are being increasingly used by criminals, it is important to be aware of the processes involved. The Windows key and the letter ‘R’ pressed together open the Run dialog box. This is not something that most users will ever need to do, so always think carefully whenever you are instructed to perform this.<\/p>\n Malwarebytes customers are protected against this attack via our web protection engine for both the malicious sites and PowerShell command.<\/p>\n We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today<\/a>.<\/p>\n Malicious domains<\/p>\n Servers used before Cloudflare proxy<\/p>\n Malware download URLs<\/p>\n Malware C2<\/p>\n<\/a><\/figure>\nPowerful technique<\/h2>\n
<\/a><\/figure>\nC:UsersAdminAppDataLocalTemp10.exe
C:WindowsSYSTEM32systeminfo.exe
C:Windowssystem32cmd.exe
C:Windowssystem32cmd.exe \/c \"wmic computersystem get manufacturer\"<\/pre>\n<\/a><\/figure>\nCampaign targets several brands<\/h2>\n
<\/a><\/figure>\n<\/a><\/figure>\n<\/a><\/figure>\n<\/a><\/figure>\n<\/a><\/figure>\n<\/a><\/figure>\n<\/a><\/figure>\nOverlap with other campaigns<\/h2>\n
<\/a><\/figure>\n<\/a><\/figure>\n
\nIndicators of Compromise<\/h2>\n
notepad-plus-plus.bonuscos[.]com
microsoft.team-chaats[.]com
cute-pdf[.]com
ultra-viewer[.]com
globalnetprotect[.]com
sunsetsailcruises[.]com
jam-softwere[.]com
advanceipscaner[.]com
filezila-project[.]com
vape-wholesale-usa[.]com<\/pre>\n185.106.94[.]190
89.31.143[.]90
94.156.177[.]6
141.8.192[.]93<\/pre>\nhxxp[:\/\/]topsportracing[.]com\/wpnot21
hxxp[:\/\/]topsportracing[.]com\/wp-s2
hxxp[:\/\/]topsportracing[.]com\/wp-s3
hxxp[:\/\/]topsportracing[.]com\/wp-25
hxxp[:\/\/]chessive[.]com\/10[.]exe
hxxp[:\/\/]212[.]34[.]130[.]110\/1[.]e<\/pre>\npeter-secrets-diana-yukon[.]trycloudflare[.]com<\/pre>\n