Table of contents
- ClearFake installation flow
- Malware delivered by ClearFake
- ClearFake C2 infrastructure and tracking opportunities
- ClearFake IoCs & Technical Details
- MITRE ATT&CK TTPs
- External references
ClearFake is another “fake updates” threat that relies on social engineering to trick the user into running a fake web browser update, as SocGholish and FakeSG do. By combining the “fake updates” lure with the watering hole technique, ClearFake operators reach a wide range of users and run effective, scalable malware distribution campaigns.
From our telemetry and customers’ feedback, we observed an increasing number of communications to ClearFake infrastructure at the end of September 2023. At the same time, we identified several hundred websites injected by ClearFake.
Sekoia.io’s Threat & Detection Research (TDR) team investigated this emerging threat and shares in this blog post our analysis of ClearFake, the malware delivered, as well as tracking opportunities.
ClearFake installation flow
Here is an overview of the stages of the infection chain observed distributing commodity malware via ClearFake:
Figure 1. ClearFake installation flow, as of 30 September 2023
The first obfuscated payload is available in Annex 2.
- the iframe width and height to 100%;
- the z-index, an attribute specifying the stack order of the element, to 99999999999.
It then downloads the fake update interface. Here is an example of the second payload:
The third payload is an HTML page serving as a fake update interface and downloading the fake update content for the appropriate web browser. An example of the third payload is provided in Annex 2.
Here is an example of the source code of the fake update page on urlscan: https://urlscan.io/responses/a70b72efd8cd83f2b79cc9b9823112930e8ffa49edeb6bb5d2b1bbcabccefafb/
Fake update web page
The fake update page displays a realistic copy of the web browser download page for Chrome, Edge and Firefox, as shown in the following figure.
- Define the infamous module named FingerprintJS2 aiming at generating unique fingerprints for browsers based on various attributes and features. The module contains mathematical, fingerprint generation, utility, feature detection functions, as well as audio and font fingerprinting;
- Define functions related to handling cookies and extracting values from the URL parameters;
- Generate the visitor fingerprint and exfiltrate it to “hxxps://stats-best[.]site/fp.php”;
- Generate the download URL using “_lp”, “FPID”, “DownloadMouse”, “D” and “_token” parameters when the onclick event is executed.
Malware delivered by ClearFake
On 30 September 2023, Sekoia.io analysts ran the infection chain until retrieving the final payload downloaded by the victim.
For Microsoft Edge’s visitors, ClearFake delivered a malicious Windows Application Packaging Project (APPX file) from Dropbox.
The payload’s name “MlсrоsоftЕdgеSеtup.appx” masquerades as the legitimate Microsoft Edge installer and substitutes Cyrillic characters for the Latin letters “c”, “e”, “o” and “E”. Escaping the Unicode characters gives the following result:
| Character | Escaped | Unicode name |
|---|---|---|
| с | \u0441 | Cyrillic Small Letter Es |
| е | \u0435 | Cyrillic Small Letter Ie |
| о | \u043E | Cyrillic Small Letter O |
| Е | \u0415 | Cyrillic Capital Letter Ie |
The Cyrillic characters are visually indistinguishable from their Latin counterparts, so the substitution is invisible to the user. Sekoia.io assesses with high confidence that the use of lookalike characters aims at evading static detection patterns based on the filename, without raising the potential victim’s suspicions.
It is interesting to note that SocGholish operators successfully leveraged this technique in 2022, as identified by Red Canary[3]. As this obfuscation method is not widely used, it is legitimate to ask whether the SocGholish operators are also behind the new ClearFake malware.
Windows Apps are ZIP archives that store executables together with additional files, including XML manifests (AppxManifest.xml and AppxBlockMap.xml), a P7X signature (AppxSignature.p7x), and other optional files and directories.
The APPX file delivered by ClearFake (MD5: a7900cdbb2912d76aa6329c5c41d8609) is signed by “STECH CONSULTANCY LIMITED” and contains in particular the following executables:
- (MD5: e89f448e8f41a590c51d34948bdc9c1e)
- (MD5: d113b3debc7e0a2da4369dd8d1dbad53)
Once executed, the Windows App reads the APPX manifest’s entry point containing the AiStubX64 executable and then executes it. The AiStubX64.exe process copies the KSPSService executable located in the Virtual File System (VFS) and then launches it. The payload (KSPSService.exe) deployed by the APPX file turned out to be a sample of HijackLoader. More technical information on this execution flow can be found in the Microsoft documentation[4] and FINSIN’s analysis[5].
The APPX file also contains a legitimate Microsoft Edge installer (MicrosoftEdgeUpdateSetup.exe, MD5: 58d8d75b0ca5e316862ed81cdb2d0c67) and a PowerShell script (chrome.ps1, MD5: bfe16fc5d100757bd9dec4ef1aa42913) that downloads a legitimate Edge installer from transfer[.]sh and executes it. Both are executed when the user runs the Windows App file. Sekoia.io analysts believe that installing the legitimate web browser alongside the malware once again avoids raising the victim’s suspicion.
As mentioned by SentinelOne[6], APPX files are regularly used in malware campaigns to deploy the payload on the infected host, including BazarBackdoor, Emotet or Magniber ransomware. Although this technique is not new, Sekoia.io believes its use improves the rate of successful compromise by reducing the detection of the malicious payload’s execution.
Overview of HijackLoader
First observed in the wild in July 2023 by Zscaler ThreatLabz[7], HijackLoader is a modular loader downloading and executing an obfuscated payload. It implements several evasion techniques, including code injection, use of syscalls, Windows API hashing and Heaven’s gate. In recent months, HijackLoader delivered numerous commodity malware, including Danabot, Lumma, Raccoon, Redline, Remcos, SystemBC and Vidar.
Once executed, the HijackLoader sample deployed through the APPX file downloads its obfuscated payload from the adversary infrastructure “hxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png”. The payload loaded by HijackLoader is a Raccoon sample communicating with its Command & Control (C2) server “128.140.101[.]125”.
In August 2023, Rapid7 observed[8] that the new IDAT Loader malware was delivered by ClearFake. Based on the code similarities between IDAT Loader and HijackLoader, and given the overlap in the C2 infrastructures, Sekoia.io assesses with high confidence that the same threat group operates both loaders.
ClearFake C2 infrastructure and tracking opportunities
ClearFake C2 communications
ClearFake stages use hardcoded URLs to download the next stage payloads from its C2 infrastructure. URL patterns have not changed since the threat first appeared in July 2023.
The URLs observed on 30 September 2023 are:
Simple detection heuristics can be derived from the URL pattern of the ClearFake C2 communications. Sekoia.io used similar queries on urlscan:
Using urlscan and other URL scanning search engines, we retrieved 39 domain names:
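As an added illustration of the URL heuristics discussed above (example code written for this page, not Sekoia.io’s own urlscan queries), the following script matches the stage URL shapes listed in the IoC table against constructed proxy log lines. The log lines are constructed, the browser alternation beyond “firefox” and the shape of the `_token` value are assumptions generalised from the single sample on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the article): the ClearFake stage URLs
# from the IoC table, plus two benign requests that share fragments of the pattern.
SAMPLE_LOG = """\
2023-09-30T10:12:01Z 10.0.0.7 GET hxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/index.php 200
2023-09-30T10:12:02Z 10.0.0.7 POST hxxps://stats-best[.]site/fp.php 200
2023-09-30T10:12:05Z 10.0.0.7 GET hxxp://ojhggnfbcy62[.]com/?_lp=1&_token=uuid_1ubo22l1dqqlm_1ubo22l1dqqlm6518291d817043.55797095 302
2023-09-30T10:13:00Z 10.0.0.8 GET hxxps://www.example.com/lander/index.php 200
2023-09-30T10:13:30Z 10.0.0.9 GET hxxps://www.example.com/?_lp=1&page=2 200
"""

# Stage URL shapes taken from the IoC table. Only "firefox_<epoch>" is on the page;
# the other browser names are an assumption about how the lander path generalises.
LANDER_RE = re.compile(r"^/lander/(chrome|edge|firefox)_(\d{10})/index\.php$")
# Assumed shape of the _token value, generalised from the single sample on the page.
TOKEN_RE = re.compile(r"^uuid_[0-9a-z]+_[0-9a-z]+\.\d+$")


def refang(url):
    """Turn a defanged URL (hxxp, [.]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def classify_url(url):
    """Map a URL to a ClearFake stage label, or None when no heuristic fires."""
    parts = urlsplit(refang(url))
    if LANDER_RE.match(parts.path):
        return "fake_update_lander"
    qs = parse_qs(parts.query)
    if "_lp" in qs and any(TOKEN_RE.match(t) for t in qs.get("_token", [])):
        return "payload_redirect"
    return None


def scan_log(text):
    """Return (client_ip, label, url) for every line whose URL matches a heuristic."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits


if __name__ == "__main__":
    for ip, label, url in scan_log(SAMPLE_LOG):
        print(f"{ip}  {label:20}  {url}")
```

The benign `/lander/index.php` and `?_lp=1&page=2` lines are deliberately not flagged: the heuristic requires the `<browser>_<epoch>` path segment or the `uuid_` token, not just the `lander` or `_lp` fragments.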
Pivot on IP addresses
By pivoting on the IP addresses resolving the previous attacker-owned domains, we listed the following C2 servers that we assess with high confidence as being exclusively associated with the ClearFake infrastructure.
Five of them belong to the autonomous system (AS) “YACOLO-AS” (AS203493) located in Russia, and the last one belongs to the HETZNER AS (AS24940), favoured by numerous threat actors.
For all C2 servers, the common name (CN) of the TLS certificates exposed on port 443 is “921hapudyqwdvy.com”, allowing us to unveil the ClearFake infrastructure using scanning search engines, such as Shodan or Censys. Sekoia.io used a similar query on Shodan to identify and proactively track the ClearFake C2 infrastructure:
ClearFake operators run the Keitaro traffic distribution system (TDS) on C2 servers to protect their infrastructure that hosts malicious content and to select the targeted traffic.
TDR believes that ClearFake operators are likely to improve the stealth of malware C2 communication in the near future. They could also harden their C2 server configuration, to prevent their infrastructure from being so easily illuminated.
First seen in the wild in July 2023, ClearFake is another “fake updates” threat that quickly became widespread due to the effective lure targeting a wide audience, as well as the watering hole technique used to distribute the malware via numerous compromised websites.
Given the ongoing development and the use of cutting-edge techniques, such as the blockchain technology to store malicious payloads, this threat must be closely monitored by organisations, as the malware delivered by ClearFake can be used to gain access to the victim’s network.
The tactics, techniques and procedures leveraged by the ClearFake operators overlap with those of the SocGholish operators (tracked as TA569), in particular the use of watering holes, “fake updates” lures, Keitaro TDS, the Dropbox file hosting service and the masquerading of filenames with Cyrillic characters. Considering this, Sekoia.io further assesses that ClearFake and SocGholish are possibly operated by the same threat group. Gathering additional evidence may help to confirm or refute this hypothesis.
To provide our customers with actionable intelligence, we will continue to monitor the evolution of ClearFake and other malware it delivers.
ClearFake IoCs & Technical Details
ClearFake C2 domains
ClearFake IP addresses
ClearFake infection chain
|hxxps://ojhggnfbcy62[.]com/ZgbN19Mx||Download URL of the first HTML payload|
|hxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/index.php||Download URL of the second HTML payload|
|hxxps://stats-best[.]site/fp.php||C2 URL for the fingerprinting data|
|hxxp://ojhggnfbcy62[.]com/?_lp=1&_token=uuid_1ubo22l1dqqlm_1ubo22l1dqqlm6518291d817043.55797095||Redirect URL to the HijackLoader payload (APPX)|
|hxxps://www.dropbox[.]com/e/scl/fi/6gtsp3qjf54lsec0piwvq/Ml-r-s-ft-dg-S-tup.appx?rlkey=hdm3apoi4n31v2rxruiosvtaa&dl=1||Download URL of the HijackLoader payload (APPX)|
|b583d86c4abc6d6ca57bde802b7e9d8143a249aed6a560a4626e79ae13f6209d||HijackLoader payload (APPX)|
|d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f||HijackLoader payload (EXE)|
|hxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png||HijackLoader hosting payload URL|
|ocmtancmi2c5t[.]live||HijackLoader hosting payload domain|
|128.140.101[.]125||Raccoon C2 server|
MITRE ATT&CK TTPs
|Resource Development||T1584 – Compromise Infrastructure|
|Initial Access||T1189 – Drive-by Compromise|
|Defense Evasion||T1027 – Obfuscated Files or Information|
|Defense Evasion||T1132.001 – Data Encoding: Standard Encoding|
|Defense Evasion||T1036 – Masquerading|
|Defense Evasion||T1140 – Deobfuscate/Decode Files or Information|
|Command and Control||T1041 – Exfiltration Over C2 Channel|
|Command and Control||T1071.001 – Application Layer Protocol: Web Protocols|
|Command and Control||T1105 – Ingress Tool Transfer|
The ClearFake scripts are available on the Sekoia.io GitHub repository.
The script decodes to:
The script decodes to:
Response of the Binance Smart Chain:
Annex 2 – Next stage payloads
The script decodes to:
Third next stage payload serving as a fake update interface and downloading the fake update content:
1. [Randy McEoin’s blog] ClearFake Malware Analysis
2. [NPM] @fingerprintjs/fingerprintjs
3. [Red Canary] Threat – SocGholish
4. [Microsoft Community Hub] Deploying local application data in a Desktop Bridge app with Advanced Installer
5. [FINSIN] Infección en sitio web de e-commerce chileno
6. [SentinelOne] Inside Malicious Windows Apps for Malware Deployment
7. [Zscaler] Technical Analysis of HijackLoader
8. [Rapid7] Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Thank you for reading this blog post. We welcome any reaction, feedback or criticism about this analysis. Please contact us at tdr[at]sekoia.io.