Cybercriminals Exploit Fake Claude Code Install Pages to Deploy Fileless .NET Infostealer
In a sophisticated cyberattack, hackers are leveraging the growing popularity of AI coding tools to target developers and IT professionals. By creating counterfeit installation pages for Claude Code, a legitimate AI coding assistant, these cybercriminals deceive users into downloading malicious software that silently infiltrates their systems.
The Deceptive Strategy
The attackers employ a technique known as SEO poisoning to ensure their fraudulent Claude Code installation pages appear prominently in search engine results. Unsuspecting users searching for the tool are directed to these meticulously crafted fake pages, which closely mimic the official website’s design and content. This attention to detail reduces suspicion and increases the likelihood of users proceeding with the download.
Once on the counterfeit page, users are instructed to initiate the installation by opening the Windows Run dialog and entering a specific command. This command triggers the execution of a malicious MSHTA (Microsoft HTML Application) file, a method commonly referred to as ClickFix. This social engineering tactic disguises the execution of harmful commands as routine setup steps, making it challenging for users to recognize the threat.
The Multi-Stage Attack Chain
The attack unfolds through a complex, multi-stage process designed to evade detection:
1. Initial Execution: The MSHTA command retrieves a file masquerading as an MP3 audio file from a remote server. This file is a polyglot, meaning it contains both audio data and an embedded HTA script. While media players recognize it as a playable audio file, the MSHTA interpreter executes the hidden script, initiating the next stage of the attack.
2. Scheduled Task Creation: The HTA script registers a scheduled task using a COM object, which then launches a 32-bit PowerShell process. Targeting the 32-bit version of PowerShell is a deliberate tactic, as security monitoring tools often focus more on 64-bit processes, allowing the malicious activity to go unnoticed.
3. Payload Delivery: The PowerShell script downloads and executes a fileless .NET-based infostealer directly into memory. This method avoids writing files to disk, a common trigger for security alerts, thereby reducing the likelihood of detection.
4. Data Exfiltration: Once active, the infostealer harvests sensitive information, including browser-stored credentials, session tokens, and other personal data. This information is then transmitted to attacker-controlled servers, often located in regions with lax cybersecurity enforcement, complicating efforts to trace and mitigate the attack.
Implications for Victims
The consequences of falling victim to this attack are severe. Stolen credentials can lead to unauthorized access to personal accounts, financial loss, and identity theft. For developers and IT professionals, the risks extend further; compromised credentials can provide attackers with access to code repositories, cloud services, and internal systems, potentially resulting in widespread organizational breaches and data leaks.
The Role of MSHTA in the Attack
A critical component of this attack is the abuse of mshta.exe, a legitimate Microsoft Windows binary used to execute HTML applications. By leveraging this trusted system tool, attackers can execute malicious scripts without triggering standard security defenses. This technique, known as Living off the Land, involves using legitimate system utilities for malicious purposes, making detection and mitigation more challenging.
Broader Context and Trends
This campaign is part of a broader trend where cybercriminals exploit the growing trust in AI tools and platforms. As AI-assisted coding tools gain popularity among developers, they become attractive targets for attackers seeking to exploit their widespread adoption. Similar tactics have been observed in other campaigns, such as the use of fake Google Chrome installation pages to distribute Android malware and the creation of counterfeit web stores to steal sensitive information.
Protective Measures and Recommendations
To safeguard against such sophisticated attacks, users and organizations should adopt the following measures:
– Verify Sources: Always download software from official vendor websites or trusted sources. Be cautious of search engine results that lead to unfamiliar pages, especially when seeking popular tools.
– Monitor System Processes: Implement monitoring solutions that track the execution of system utilities like mshta.exe. Unusual activity involving these processes can be indicative of malicious behavior.
– Educate Users: Conduct regular training sessions to raise awareness about social engineering tactics and the importance of scrutinizing installation instructions and download sources.
– Implement Application Control Policies: Restrict the execution of scripts and applications from untrusted sources. Application whitelisting can prevent unauthorized software from running on systems.
– Regular Updates and Patching: Ensure that all software, including operating systems and applications, are up to date with the latest security patches to mitigate vulnerabilities that attackers might exploit.
Conclusion
The exploitation of fake Claude Code installation pages underscores the evolving tactics of cybercriminals who capitalize on the popularity of AI tools to execute sophisticated attacks. By understanding the methods employed in these campaigns and implementing robust security practices, users and organizations can better protect themselves against such threats.
