ClickFix techniques evolve in new infostealer campaigns

New payloads: The DoubleDonut Loader was observed delivering a new variant of Vidar Stealer, a well-known infostealer. The variant uses a dead drop resolver technique to retrieve its command-and-control configuration and relies on dynamic API resolution.

In addition to Vidar, two previously undocumented infostealers have been observed, one written in .NET and one in C++. Rapid7 has named these new programs Impure Stealer and VodkaStealer. Both use detection evasion techniques, including non-standard data encoding and symmetric encryption for command-and-control communications, as well as sandbox environment detection using system- and time-based checks.

ClickFix is a growing threat: In addition to new payloads, attackers are also evolving their ClickFix lures. A separate campaign identified by Microsoft's Threat Intelligence team replaced the common Windows Run dialog (Win+R) with the Windows Terminal app (Win+X) for command execution. That campaign delivered the well-known Lumma Stealer and NetSupport RAT. A second payload involved a VBScript chain executed through MSBuild that used a technique known as etherhiding to download credential harvesting code.

Security firm ESET estimated that ClickFix attacks surged 517% last year, with multiple variations dubbed CrashFix, ConsentFix, and PhantomCaptcha, each with different lures and delivery mechanisms. This basic social engineering tactic has proved so effective that even nation-state groups such as North Korea's Lazarus group, Iran's MuddyWater, and Russia's APT28 have adopted it. In January, researchers from Sekoia reported that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024.

WordPress site operators should ensure their admin login panels are not publicly exposed, since Rapid7 noted that nearly all sites compromised in the campaign it discovered had accessible admin pages. Rapid7 published indicators of compromise and YARA detection rules on its public GitHub repository.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4145123/clickfix-techniques-evolve-in-new-infostealer-campaigns.html
