From Fake Amazon Security Alert to HarborWatch Agent: ClickFix Delivery of a Custom Monitoring RAT
A recent phishing campaign impersonates Amazon security alerts to deliver a custom remote access trojan (RAT) dubbed HarborWatch Agent. The attack leverages the ClickFix technique, using a fake CAPTCHA page to socially engineer victims into manually executing a malicious PowerShell command via the Windows Run dialog. Once executed, the script downloads the RAT, which collects system information and communicates with a C2 infrastructure managed via a panel called Harbor Sentinel.
| Type | Indicator | Description |
|---|---|---|
| domain | amazonalert[.]xyz | Domain hosting the secondary PowerShell payload. |
| domain | amazonattention[.]com | Domain hosting the fake CAPTCHA verification page. |
| domain | security[.]amazonassist[.]xyz | Spoofed sender domain used in the initial phishing email. |
| domain | zoomupdate[.]b-cdn[.]net | Domain hosting the HarborWatch Agent executable. |
| ip | 172[.]67[.]189[.]76 | Stage 2 payload IP. |
| ip | 172[.]67[.]190[.]89 | Stage 1 infection URL IP. |
| ip | 185[.]193[.]127[.]44 | Command and Control (C2) server IP for HarborWatch Agent. |
| md5 | 09c121225fe254676a27c21943506714 | code.txt |
| md5 | 33760b2aa86deea5805e647197c34ef5 | mysql.exe (HarborWatch Agent) |
| md5 | 9abebe5a34eefb80db12bf8d51bfe7f7 | Clipboard.ps1 |
| sha256 | 3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898 | HarborWatch Agent executable (mysql.exe). |
| sha256 | 5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c | Clipboard.ps1 |
| sha256 | cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5 | code.txt |
| url | hxxp://185[.]193[.]127[.]44 | Command and Control (C2) server URL. |
| url | hxxps://amazonalert[.]xyz/download/code[.]txt | Stage 2 payload URL hosting the secondary PowerShell script. |
| url | hxxps://amazonattention[.]com/verify | Stage 1 ClickFix fake CAPTCHA verification page. |
| url | hxxps://zoomupdate[.]b-cdn[.]net/mysql[.]exe | Download URL for the HarborWatch Agent executable. |
What Happened
Cybercriminals are sending fake Amazon security emails claiming the recipient's account is locked. When users click the link, they are taken to a fake security check page that tricks them into copying and pasting a hidden, malicious command into their computer. This command secretly installs a custom monitoring tool called HarborWatch Agent, which steals system information and gives the attackers remote access. Users should be wary of any website asking them to copy and paste commands into their computer's Run dialog. Organizations should ensure their security tools can detect unusual PowerShell activity and block known malicious websites.
Key Takeaways
- Threat actors are using fake Amazon security alerts to trick users into self-infecting via the ClickFix technique.
- The attack uses a fake CAPTCHA page that instructs users to paste a malicious PowerShell command into the Windows Run dialog.
- The PowerShell command downloads and executes a custom RAT named HarborWatch Agent, disguised as mysql.exe.
- HarborWatch Agent requires a specific command-line argument (--pass=JHSgfsa2652) to execute, likely to hinder automated analysis.
- The malware communicates with a C2 server featuring a Chinese-language admin panel named Harbor Sentinel.
Affected Systems
- Windows OS
Attack Chain
The attack begins with a phishing email impersonating Amazon security, prompting the user to verify their account. Clicking the link redirects the victim to a fake CAPTCHA page that uses the ClickFix technique, instructing them to open the Windows Run dialog and paste a copied command. This command executes a hidden PowerShell script that decodes a base64 payload, which in turn downloads a secondary script from a remote server. The secondary script downloads the HarborWatch Agent (named mysql.exe) to the Temp folder and executes it with a specific password argument. Once running, the agent collects system information and establishes communication with a C2 server managed via the Harbor Sentinel panel.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but outlines behavioral indicators and network IOCs suitable for custom rule creation.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions should easily capture the execution of PowerShell with hidden window styles, base64 decoding, and the subsequent dropping and execution of an unknown binary (mysql.exe) with specific command-line arguments.
- Network Visibility: Medium — Network monitoring can detect connections to the known C2 IP and the specific API endpoints (/api/agent/tasks/, /api/heartbeat), though the traffic may blend with normal web requests if not inspected.
- Detection Difficulty: Moderate — While the initial execution relies on user interaction (ClickFix), the subsequent PowerShell commands and process executions are highly anomalous and should trigger standard behavioral alerts.
Required Log Sources
- Process Creation (Event ID 4688)
- PowerShell Operational Logs (Event ID 4104)
- Network Connection Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for PowerShell executions containing '-nop -w hidden' combined with base64 decoding commands, especially if spawned shortly after web browser activity. | Process Creation, PowerShell Script Block Logging | Execution | Low |
| Consider hunting for processes named 'mysql.exe' executing from the AppData\Local\Temp directory, particularly with unusual command-line arguments like '--pass='. | Process Creation | Execution | Low |
Control Gaps
- Email gateways may miss the initial phishing link if the lookalike domain is newly registered and uncategorized.
- Standard AV might not flag the initial clipboard payload since it relies on manual user execution via the Run dialog.
Key Behavioral Indicators
- PowerShell executing with '-nop -w hidden'
- Execution of 'mysql.exe' from the Temp directory
- Network connections to API endpoints like '/api/agent/tasks/claim'
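As an added example (not code from the original report), the following Python hunt applies the two hunting hypotheses above and the key behavioral indicators to constructed process-creation and network events. The event field names, the sample records and the placeholder password value are assumptions; the patterns also accept the long forms of the PowerShell switches (-NoProfile, -WindowStyle, -EncodedCommand), which the report does not list.

```python
import re

# Constructed sample telemetry in the shape of Windows 4688 / Sysmon process-creation and
# network-connection events; illustrative records, not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c [Text.Encoding]::UTF8.GetString("
                "[Convert]::FromBase64String('QUJD'))"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\mysql.exe",
     "cmdline": "mysql.exe --pass=PLACEHOLDER"},          # assumed placeholder, not the real value
    {"type": "process", "image": r"C:\Program Files\MySQL\bin\mysql.exe",
     "cmdline": "mysql.exe -u app -p"},                   # legitimate client; must not fire
    {"type": "network", "dest_ip": "185.193.127.44", "uri": "/api/agent/tasks/claim"},
    {"type": "network", "dest_ip": "10.0.0.5", "uri": "/api/heartbeat"},  # path only
    {"type": "network", "dest_ip": "10.0.0.5", "uri": "/index.html"},
]

# Indicators from the report: the C2 IP and the agent's API paths.
KNOWN_C2_IPS = {"185.193.127.44"}
C2_PATHS = ("/api/agent/tasks/", "/api/heartbeat")

# '-nop -w hidden' in either order, also accepting the long switch names.
HIDDEN_PS = re.compile(
    r"-nop(?:rofile)?\b.*?-w(?:indowstyle)?\s+hidden|-w(?:indowstyle)?\s+hidden.*?-nop(?:rofile)?\b", re.I)
# Base64 decoding: an explicit FromBase64String call or an -enc/-e/-EncodedCommand blob.
B64_DECODE = re.compile(r"FromBase64String|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
TEMP_MYSQL = re.compile(r"\\AppData\\Local\\Temp\\mysql\.exe$", re.I)

def match_event(ev):
    """Return the rule names that fire on one event (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "")
        if image.endswith("powershell.exe") and HIDDEN_PS.search(cmd) and B64_DECODE.search(cmd):
            hits.append("hidden_powershell_base64")
        if TEMP_MYSQL.search(ev["image"]):
            hits.append("mysql_from_temp_with_pass" if "--pass=" in cmd else "mysql_from_temp")
    elif ev["type"] == "network":
        if ev["dest_ip"] in KNOWN_C2_IPS:
            hits.append("known_c2_ip")
        if ev["uri"].startswith(C2_PATHS):   # weak on its own: heartbeat paths are common
            hits.append("harborwatch_api_path")
    return hits

def hunt(events):
    """Map event index -> triggered rules, keeping only flagged events."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The path-only network match is reported separately from the known-IP match so an analyst can triage it at lower priority.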
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified IP addresses and domains at the perimeter firewall or web proxy.
- Evaluate whether to search endpoint telemetry for the execution of 'mysql.exe' from the Temp directory or the specific PowerShell command fragments.
Infrastructure Hardening
- If supported by your environment, consider restricting the execution of PowerShell scripts from standard users.
- Evaluate implementing application control policies to prevent the execution of unapproved binaries from the AppData\Local\Temp directory.
User Protection
- Consider deploying endpoint protection rules that flag or block hidden PowerShell executions.
- If applicable, ensure web filtering is configured to block newly registered or uncategorized domains.
Security Awareness
- Consider updating security awareness training to educate users on the 'ClickFix' technique, emphasizing that legitimate services will never ask users to copy and paste commands into the Windows Run dialog.
- Evaluate reminding employees to scrutinize sender email addresses, even if the email branding appears legitimate.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1204.001 - User Execution: Malicious Link
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1140 - Deobfuscate/Decode Files or Information
- T1105 - Ingress Tool Transfer
- T1071.001 - Application Layer Protocol: Web Protocols
- T1082 - System Information Discovery
Additional IOCs
- File Hashes:
  - 5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c (SHA256) - Clipboard.ps1
  - cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5 (SHA256) - code.txt
  - 9abebe5a34eefb80db12bf8d51bfe7f7 (MD5) - Clipboard.ps1
  - 09c121225fe254676a27c21943506714 (MD5) - code.txt
  - 33760b2aa86deea5805e647197c34ef5 (MD5) - mysql.exe (HarborWatch Agent)
- File Paths:
  - AppData\Local\Temp\mysql.exe - Path where the HarborWatch Agent is dropped and executed.
- Command Lines:

| Command Line | Purpose | Tools | Stage |
|---|---|---|---|
| powershell -nop -w hidden -c | Executes hidden PowerShell to decode and run a base64-encoded payload from the clipboard. | powershell.exe | Execution |
| Start-Process -FilePath <path> -ArgumentList | Executes the downloaded HarborWatch Agent with a specific password argument to bypass analysis. | powershell.exe, mysql.exe | Execution |

- Other:
[email protected]- Spoofed sender email address.