CLEARFAKE Utilizes Drive-by Compromise to Deliver Information Stealers | Cyber Risk | Kroll


Once the request is made using the Ethers library, the victim’s browser issues a POST request to the BSC over JSON-RPC and receives a response in the following format, with an encoded string at the end (truncated for ease of viewing):

{"jsonrpc":"2.0","id":44,"result":"0x000000000000000[....]"

This response contains the actor-controlled domain from which the payload is delivered. That payload identifies the browser and executes in it, displaying the fake browser iframe to the victim in the correct language.
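The "result" field in the response above is a hex string that carries the next-stage location. The following added example (not code from the article or from Kroll) decodes such a response, assuming the string is returned in standard ABI encoding for a dynamic string (a 32-byte offset word, a 32-byte length word, then the padded bytes); the URL and response are constructed samples, not real indicators.

```python
import json

def abi_encode_string(s: str) -> str:
    """Build an ABI-encoded dynamic string; used here only to construct the sample."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())

# Constructed sample response in the shape shown above (placeholder URL, not an IoC).
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 44,
    "result": abi_encode_string("https://payload.example.invalid/loader.js"),
})

def decode_abi_string(hex_result: str) -> str:
    """Decode an ABI-encoded dynamic string; raises ValueError on malformed input."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short to be an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset word points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("declared length exceeds payload")
    return data.decode("utf-8", errors="replace")

def extract_payload_url(response_json: str) -> str:
    """Pull the decoded string out of a JSON-RPC reply; JSON-RPC errors are rejected."""
    obj = json.loads(response_json)
    if "error" in obj or "result" not in obj:
        raise ValueError("not a successful JSON-RPC result")
    return decode_abi_string(obj["result"])

if __name__ == "__main__":
    print(extract_payload_url(SAMPLE_RESPONSE))
```

Pointing this at a captured response lets an analyst recover the staging domain without executing the page’s JavaScript.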

May 2024 Update – User Interaction to Launch PowerShell

In May 2024, Kroll observed a new method that CLEARFAKE uses to trick users into running malicious code on behalf of the threat actors, bypassing the initial download of files that previously carried out the malicious activity. In these cases, Kroll observed the victim being redirected to a malicious webpage (in the format “{domain}/lander/powershell/index.html”) that is disguised as a browser error. Although it has a similar theme to the previous fake update iframes, the decrease in quality of the lure is notable: it does not appear to mimic any legitimate error that Chrome would produce.

The error itself suggests that something is wrong with displaying the webpage. When the user clicks “How to fix,” an additional screen appears with instructions: click the copy button (which copies the PowerShell code to the clipboard), open PowerShell from the Start Menu, and run the code. Kroll noted that shortly after browsing to the webpage, the victim did open PowerShell from the Start Menu, correlating with these instructions and initiating the compromise.

Initial Browser Error Screen

CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code

Follow-On Browser Error Screen With Instructions to Victim

Kroll has observed several variations of the PowerShell code that is run by the victim, likely reflecting slight changes over time. In all cases, the long string copied by the user first spawns ipconfig.exe to flush the DNS cache on the local machine. It then sets the clipboard to blank at $BRW (effectively deleting the copied code from the clipboard). The bulk of the executed code is held in the $CRT variable as a base64-encoded string.
