Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.
Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.
“The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today.
The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads –
- UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
- UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT
The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.
The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3.
Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.
“CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.”
Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.
Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.
Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine.
“To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said. “Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”
USB Infection Drops XMRig Miner
The disclosure comes as the threat intelligence firm detailed an ongoing campaign that employs USB drives to infect other hosts and deploy cryptocurrency miners since September 2024.
“This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said. “The low cost and ability to bypass network security make this technique a compelling option for attackers.”
The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection –
- DIRTYBULK, a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL
- CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-libraries like OpenSSL, libcurl, and WinPthreadGC
- HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
- PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and download XMRig
- XMRig, an an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin
“PUMPBENCH spreads by infecting USB drives,” Mandiant said. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”
