Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework
ErrTraffic is a Malware-as-a-Service framework that compromises WordPress sites and uses malvertising to deliver ClickFix social engineering lures. It leverages EtherHiding via Polygon smart contracts to dynamically resolve C2 infrastructure and distribute infostealers, RATs, and loaders.
- domain: antigravity[.]study - Malicious domain impersonating Google Antigravity to deliver DanaBot via ClickFix lures.
- domain: chatgpt-web[.]vip - Malicious domain impersonating ChatGPT to deliver HijackLoader via ClickFix lures.
- domain: defi-xstocks[.]vip - Malicious domain redirecting to the ChatGPT lure site.
- domain: llc-image-ico[.]click - ErrTraffic C2 domain used in the 'Beer' cluster to serve the malicious CSS/JS payload.
- domain: webanalytics-cdn[.]sbs - C2 domain used for exfiltrating cookies from compromised WordPress sites.
- filename: session-manager.php - Malicious WordPress MU-Plugin acting as the primary backdoor for the Analytics cluster.
- ip: 172[.]59[.]242[.]93 - Attacker residential IP used to deploy the WordPress backdoor.
- ip: 68[.]60[.]174[.]238 - Attacker residential IP used to deploy the WordPress backdoor.
- ip: 96[.]178[.]187[.]175 - Attacker residential IP used for initial WordPress administrative access and reconnaissance.
- ip: 96[.]181[.]156[.]219 - Attacker residential IP used for initial WordPress administrative access.
- url: hxxps://llc-image-ico[.]click/api/css[.]js?b=45fcb62d&r=731542 - Endpoint used to fetch the script embedding the ClickFix lure.
What Happened
Cybercriminals are using a tool called ErrTraffic to trick people into downloading malicious software. They hack into legitimate WordPress websites or create fake sites that look like popular AI tools, then display fake error messages (like a fake Windows blue screen or a browser update prompt) that ask the user to copy and paste a command. If the user follows the instructions, their computer gets infected with software designed to steal passwords and sensitive information. Website administrators should secure their WordPress accounts with strong passwords and monitor for unauthorized plugins, while users should never copy and paste commands from random pop-up messages.
Key Takeaways
- ErrTraffic is a growing Malware-as-a-Service (MaaS) framework utilizing the ClickFix social engineering technique to distribute various malware families.
- The framework employs EtherHiding, using Polygon blockchain smart contracts as Dead Drop Resolvers (DDR) to conceal its C2 infrastructure.
- Two distinct clusters, 'Analytics' and 'Beer', were identified, differing in their C2 infrastructure, injection methods, and payloads.
- Attackers compromise WordPress sites using harvested credentials and deploy sophisticated PHP backdoors (e.g., MU-Plugins) to inject the ErrTraffic framework.
- Recent campaigns also leverage malvertising to direct victims to attacker-controlled sites impersonating AI platforms like Google Antigravity and ChatGPT.
Affected Systems
- WordPress CMS
- Windows OS
- macOS
Vulnerabilities (CVEs)
- CVE-2020-25213
Attack Chain
Attackers gain initial access to WordPress sites using stolen credentials or credential stuffing. They deploy PHP backdoors, such as a malicious MU-Plugin, to establish persistence and webshell access. The backdoor injects the ErrTraffic JavaScript framework into web pages, which uses EtherHiding (querying Polygon smart contracts) to resolve its C2 infrastructure. When a victim visits the site, they are presented with a ClickFix social engineering lure that tricks them into copying and executing an obfuscated PowerShell command, ultimately downloading and executing malware like Vidar or DanaBot.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: Yes
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sekoia-IO/Community GitHub, Sigma
The article provides a Sigma rule targeting the specific XOR decryption pattern in PowerShell ScriptBlockText logs, and mentions that YARA rules are available in the authors' community GitHub repository (Sekoia-IO/Community).
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions with PowerShell ScriptBlock logging (Event ID 4104) enabled can capture the obfuscated PowerShell commands executed by the victim.
- Network Visibility: Medium. Network monitoring can detect the initial queries to blockchain RPC endpoints followed by connections to suspicious TLDs, though C2 traffic in the 'Beer' cluster is RC4 encrypted.
- Detection Difficulty: Moderate. While the PowerShell execution is noisy, the use of residential proxies for WordPress administration and of the blockchain for C2 resolution helps attackers blend in with legitimate traffic.
Required Log Sources
- Windows Event Log (Event ID 4104 - PowerShell Script Block Logging)
- Web Server Access Logs
- DNS Query Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for PowerShell execution events containing specific comment patterns like '<# Code Verification:' or '<# <Browser Update' combined with '-bxor' operations. | PowerShell ScriptBlockText (Event ID 4104) | Execution | Low |
| If you have visibility into web server access logs, consider hunting for repeated POST requests to the WordPress root directory containing the parameter 'wp_debug_session=' and 'mode=php'. | Web Server Access Logs | Command and Control | Low |
| Consider hunting for network connections to public blockchain RPC endpoints (e.g., Polygon, Quicknode) immediately followed by PowerShell process creation. | Network Logs, Process Creation Logs | Command and Control | Medium |
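As an added example (not part of the original report or of the authors' Sigma rule), the first two hunting hypotheses turned into checks that run over constructed sample telemetry: the ScriptBlockText marker-plus-XOR test and the repeated-POST test on web server access logs. The Combined Log Format, the 3-hit threshold and the 192.0.2.0/24 addresses are assumptions.

```python
import re
from collections import Counter

# Hunt 1: a 4104 ScriptBlockText carrying one of the ErrTraffic comment markers
# from the report together with a -bxor operation (the XOR decode stage).
MARKERS = ("<# Code Verification:", "<# <Browser Update")

def is_errtraffic_scriptblock(script_text: str) -> bool:
    """True only when a marker AND a -bxor operator are both present."""
    lowered = script_text.lower()
    has_marker = any(m.lower() in lowered for m in MARKERS)
    has_xor = re.search(r"-bxor\b", lowered) is not None
    return has_marker and has_xor

# Hunt 2: repeated POSTs to the WordPress root whose query string carries
# wp_debug_session= and mode=php. Combined Log Format is assumed; parameters
# sent only in the POST body are not visible in access logs.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_backdoor_post(line: str) -> bool:
    m = ACCESS_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    path, _, query = m.group("target").partition("?")
    return path in ("/", "/index.php") and "wp_debug_session=" in query and "mode=php" in query

def repeated_backdoor_sources(lines, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` matching POSTs (the 'repeated' criterion)."""
    hits = Counter(ACCESS_RE.match(l).group("ip") for l in lines if is_backdoor_post(l))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample telemetry (not taken from the report); 192.0.2.0/24 is documentation space.
SAMPLE_SCRIPTBLOCKS = [
    "<# Code Verification: 656560395146 #> $o = $b | ForEach-Object { $_ -bxor $k }",
    "<# Code Verification: build 42 #> Get-Process",  # marker but no XOR: benign
    "$flags = $a -bxor $mask",                         # XOR but no marker: benign
]
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /?wp_debug_session=abc&mode=php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "POST /?wp_debug_session=abc&mode=php HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "POST /?wp_debug_session=abc&mode=php HTTP/1.1" 200 611',
    '192.0.2.20 - - [01/Jan/2025:10:01:00 +0000] "POST /?wp_debug_session=zzz&mode=php HTTP/1.1" 200 300',
    '192.0.2.30 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print([is_errtraffic_scriptblock(s) for s in SAMPLE_SCRIPTBLOCKS])  # [True, False, False]
    print(repeated_backdoor_sources(SAMPLE_ACCESS_LOG))  # {'192.0.2.10': 3}
```

The marker-only and XOR-only samples show why the rule requires both conditions: either alone occurs in legitimate scripts.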
Control Gaps
- Lack of MFA on WordPress administrator accounts
- Disabled or unmonitored PowerShell ScriptBlock logging
Key Behavioral Indicators
- PowerShell commands initiated from clipboard execution
- Unexpected creation of MU-Plugins in WordPress (e.g., session-manager.php)
- Web pages loading external JavaScript from suspicious TLDs like .beer or .sbs
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If applicable, audit WordPress instances for unauthorized administrator accounts or unrecognized MU-Plugins (e.g., session-manager.php).
- Consider resetting credentials for all WordPress administrator accounts, especially those potentially exposed in infostealer logs.
Infrastructure Hardening
- Evaluate whether multi-factor authentication (MFA) can be enforced for all WordPress administrative access.
- Consider implementing file integrity monitoring (FIM) on critical web server directories, such as wp-content/mu-plugins/ and active theme folders.
- If supported by your web application firewall (WAF), consider blocking access to the WordPress login portal from known residential proxy networks if not required.
User Protection
- If your EDR supports it, ensure PowerShell ScriptBlock logging is enabled and centrally collected.
- Consider implementing web filtering to block access to newly registered domains or unusual TLDs (e.g., .beer, .sbs) often used by this framework.
Security Awareness
- Consider updating security awareness training to warn users about 'ClickFix' social engineering tactics, specifically fake browser updates or BSOD screens asking them to copy and paste commands.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1505.003 - Server Software Component: Web Shell
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1568 - Dynamic Resolution
- T1132.001 - Data Encoding: Standard Encoding
- T1056.001 - Input Capture: Keylogging
Additional IOCs
- IPs:
96[.]181[.]156[.]219 - Attacker residential IP used for initial WordPress administrative access.
68[.]60[.]174[.]238 - Attacker residential IP used to deploy the WordPress backdoor.
- Domains:
defi-xstocks[.]vip - Malicious domain redirecting to the ChatGPT lure site.
- URLs:
hxxps://llc-image-ico[.]click/api/css.js?b=45fcb62d&r=731542 - Endpoint used to fetch the script embedding the ClickFix lure.
- File Paths:
wp-content/mu-plugins/session-manager.php - Path where the malicious MU-Plugin backdoor is dropped on compromised WordPress sites.
- Command Lines:
- Purpose: ErrTraffic PowerShell payload execution using XOR decryption | Tools: powershell.exe | Stage: Execution | <# Code Verification: 656560395146 #>
- Purpose: Alternative ErrTraffic PowerShell payload execution pattern | Tools: powershell.exe | Stage: Execution | <# <Browser Update 40F207E9> #>
- Other:
0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 - Polygon Smart Contract used as DDR by the Analytics cluster.
0xb36482fE794B895695914779Db3909b471D1aA43 - Polygon Smart Contract used as DDR by the Bintang campaign.
0x5b7F9C87773fFc7FAbEFcBeDFe3527BCE98C328 - Polygon Smart Contract used as DDR for the Antigravity lure.
0x53ffB04Ef13Bc4Cb12CE8Ac7b9532C254338dC3e - Polygon Smart Contract used as DDR for the ChatGPT lure.