2 min read

Sandworm turns to Clickfix in Ukraine attacks

Ukraine’s CERT says Sandworm is using Clickfix fake CAPTCHAs to infect devices, marking a shift in a tactic mostly tied to cybercrime.

Image: Ars Technica

Sandworm, one of Russia’s most capable state-backed hacking groups, is now using Clickfix to breach devices at sensitive organizations in Ukraine, according to a warning from the country’s CERT.

The technique has mostly been associated with financially motivated cybercriminals over the past year. In a typical Clickfix attack, an attacker-controlled website shows a fake CAPTCHA and tells the visitor to copy a block of text into a terminal. That text actually contains malicious commands, which can install malware or steal data once executed.

Ukraine’s CERT said Wednesday that Sandworm—an advanced unit within the GRU, Russia’s military intelligence service—began using the method in the spring, and that the campaign continued through the summer. The activity led to the network compromise of at least one organization, after a connected device was found infected with FreakyPoll, one of Sandworm’s custom malware tools.

Recommended reading

One in six PCs still run Windows 10

Authorities identified 10 compromised websites serving a PowerShell command through the fake CAPTCHA prompt. The lure claimed the step was needed to verify that a real human was using the keyboard. Once run, the script could drop malicious Visual Basic scripts and other payloads that installed additional Sandworm malware.

According to the advisory, the first stage often involved a reconnaissance tool to profile the infected machine. Systems considered more valuable were then given follow-on malware to establish a backdoor.

“The command, as an example, could be intended to load and save a VBS file in the Startup directory. One of the variants of such a program was called GHETTOVIBE. At the next stage, in order to determine the importance of the cyberattack object, the SCOUTCURL software tool can be loaded onto the attacked computer, which is a PowerShell script that performs basic reconnaissance by collecting and exfiltrating information about the computer: basic characteristics, programs, files, Internet browser data, etc.”

Ukraine CERT advisory, translated

The named malware in the campaign includes GHETTOVIBE, SCOUTCURL, and FreakyPoll—a sign that a social-engineering trick popular with cybercriminals has now been adopted by one of Russia’s most elite espionage and sabotage teams.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Ars Technica

// Keep reading