Now, even Russia's most elite hackers are using Clickfix to infect devices

Now, even Russia’s most elite hackers are using Clickfix to infect devices

现在,连俄罗斯最顶尖的黑客组织也开始使用 Clickfix 入侵设备

One of the Russian government’s most elite hacking groups has adopted an attack, known as Clickfix, to compromise devices belonging to sensitive organizations in Ukraine, the latter country’s CERT center is warning.

乌克兰计算机应急响应小组(CERT-UA)发出警告称,俄罗斯政府旗下最顶尖的黑客组织之一已采用一种名为“Clickfix”的攻击手段,旨在入侵乌克兰敏感机构的设备。

Clickfix has emerged as an effective attack technique that attackers, primarily financially motivated criminals, began using in the last year or so. Websites under the control of the attackers display a CAPTCHA that requires the visitor to copy a jumble of text and paste it into the terminal. The text contains scripts that, once entered, perform malicious actions, typically by installing malware or exfiltrating sensitive data.

Clickfix 已成为一种有效的攻击技术,主要由以经济利益为动机的犯罪分子在过去一年左右开始使用。攻击者控制的网站会显示一个验证码(CAPTCHA),要求访问者复制一段乱码并将其粘贴到终端中。这段文本中包含脚本,一旦输入,就会执行恶意操作,通常是安装恶意软件或窃取敏感数据。

Ukraine’s CERT said Wednesday that Sandworm, an advanced hacking unit inside the GRU, Russia’s military intelligence arm, is now using the technique.

乌克兰 CERT 周三表示,隶属于俄罗斯军事情报机构(GRU)的高级黑客组织“沙虫”(Sandworm)目前正在使用该技术。

“GhettoVibe,” “ScoutCurl,” and many more “GhettoVibe”、“ScoutCurl”及更多工具

The Clickfix attacks began in the spring and have continued through the summer. The campaign has resulted in the network compromise of at least one organization when a connected device was found to be infected by FreakyPoll, the name of one of Sandworm’s custom malware packages.

Clickfix 攻击始于春季,并持续整个夏季。该行动已导致至少一个组织的网络被入侵,其连接的设备被发现感染了“FreakyPoll”——这是沙虫定制的恶意软件程序包之一。

Ukrainian authorities discovered 10 compromised websites that displayed a PowerShell command as part of a fake CAPTCHA that said it had to be passed to ensure a real human was behind the visiting device’s keyboard. Once the user entered the script, it could install malicious Visual Basic scripts and other malicious wares that went on to install a variety of Sandworm malware.

乌克兰当局发现了 10 个被入侵的网站,这些网站在虚假验证码中显示了一段 PowerShell 命令,声称必须通过验证以确保访问者是真实人类。一旦用户输入该脚本,它便会安装恶意的 Visual Basic 脚本及其他恶意软件,进而安装各种沙虫恶意程序。

Typically, the first malware to run was a reconnaissance program that gathered information from the infected device. Machines deemed important would then receive follow-on malware that backdoored the system.

通常,首先运行的恶意软件是一个侦察程序,用于从受感染设备中收集信息。被认为重要的机器随后会收到后续恶意软件,从而在系统中植入后门。

“The command, as an example, could be intended to load and save a VBS file in the Startup directory,” a translated version of Tuesday’s advisory stated. “One of the variants of such a program was called GHETTOVIBE. At the next stage, in order to determine the importance of the cyberattack object, the SCOUTCURL software tool can be loaded onto the attacked computer, which is a PowerShell script that performs basic reconnaissance by collecting and exfiltrating information about the computer: basic characteristics, programs, files, Internet browser data, etc.”

周二发布的咨询报告译文指出:“例如,该命令可能旨在将 VBS 文件加载并保存到启动目录中。此类程序的一个变体被称为 GHETTOVIBE。在下一阶段,为了确定网络攻击对象的价值,攻击者会将 SCOUTCURL 软件工具加载到受攻击的计算机上。这是一个 PowerShell 脚本,通过收集并窃取计算机的基本特征、程序、文件、浏览器数据等信息来执行基础侦察。”

FreakyPoll is a Python script that backdoors devices. Other malware used in the campaign includes FluidLeech, which is disguised as an antivirus program, and LoadLoop.

FreakyPoll 是一个用于在设备中植入后门的 Python 脚本。该行动中使用的其他恶意软件还包括伪装成杀毒软件的 FluidLeech,以及 LoadLoop。

The advisory continued: During June-July, CERT-UA analyzed in detail the method of implementing ClickFix on more than ten compromised web resources. It was found that in addition to using the standard functionality of the Cloaking.House service, which allows you to filter traffic and, under certain conditions, display a third-party (remote) HTML page to the visitor, form an iframe or redirect to another resource, the attackers use a separate program code, SMARTAXE, which also allows you to change the content of the web page for the visitor (in particular, display a CAPTCHA), but by dynamically obtaining the domain name of the remote resource from the smart contract (call “eth_call”) using the contract address and function selector specified in the code.

报告继续写道:在 6 月至 7 月期间,CERT-UA 详细分析了在十多个被入侵的网络资源上实施 ClickFix 的方法。研究发现,除了使用 Cloaking.House 服务的标准功能(该服务允许过滤流量,并在特定条件下向访问者显示第三方远程 HTML 页面、形成 iframe 或重定向到其他资源)外,攻击者还使用了名为 SMARTAXE 的独立程序代码。该代码同样允许更改访问者看到的网页内容(特别是显示验证码),但它是通过代码中指定的合约地址和函数选择器,从智能合约中动态获取远程资源的域名(调用“eth_call”)。

CERT-UA cataloged several other attack techniques Sandworm has been using. One backdoors Android devices using lures designed to entice targets to install apps. Tracked as CowardDuck, it assembles potentially sensitive files and sends them to an attacker-controlled server.

CERT-UA 还整理了沙虫正在使用的其他几种攻击技术。其中一种通过诱导目标安装应用程序来入侵 Android 设备。该技术被追踪为“CowardDuck”,它会收集潜在的敏感文件并将其发送到攻击者控制的服务器。

Previously, Sandworm primarily infected devices by seeding Torrent trackers with links to pirated software that had been booby-trapped. In other cases, the hacking group engaged targets in extended conversations over Signal. Eventually, the attacker would entice the target to install malware disguised as security software.

此前,沙虫主要通过在 Torrent 追踪器中发布带有陷阱的盗版软件链接来感染设备。在其他情况下,该黑客组织会通过 Signal 与目标进行长时间的对话,最终诱导目标安装伪装成安全软件的恶意程序。

The advisory concluded by calling on website system administrators and hosting providers to monitor for web shells, unauthorized extensions, and other signs of compromise.

报告最后呼吁网站系统管理员和托管服务提供商加强监控,防范 Web Shell、未经授权的扩展程序以及其他入侵迹象。