Close Menu
Cybercrime and Ransomware

Cybercriminals Exploit ClickFix and Fake CAPTCHA Pages with CORNFLAKE.V3 Backdoor

Staff WriterBy No Comments4 Mins Read4 Views

Summary Points

  1. Threat actors are using a social engineering tactic called ClickFix, involving fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, leading to deployment of a backdoor called CORNFLAKE.V3, which supports various payloads and maintains persistence.
  2. The CORNFLAKE.V3 backdoor, an evolution of CORNFLAKE.V2, can execute payloads via HTTP, collect system info, and hide traffic through Cloudflare tunnels, with added features like host persistence and support for diverse payload types.
  3. Two hacking groups, UNC5774 and UNC4108, leverage UNC5518’s access to deploy different tools: one for deploying further payloads and the other for deploying RATs and reconnaissance utilities, often using fake CAPTCHA pages as initial infection vectors.
  4. An ongoing campaign uses infected USB drives to infect hosts with malware such as PUMPBENCH and XMRig, exploiting USB Autorun methods to deploy cryptocurrency miners like XMRig, highlighting the effectiveness of physical device-based attacks for initial access.

Underlying Problem

The story details a sophisticated cyberattack operation, where malicious actors exploit a social engineering tactic called ClickFix to deploy a versatile backdoor named CORNFLAKE.V3. This tactic involves lure users on compromised websites with fake CAPTCHA pages, prompting them to execute malicious PowerShell scripts through the Windows Run dialog. Once activated, the malware, which can send and receive payloads over HTTP and conceal traffic through Cloudflare, grants threat actors persistent access to infected systems. These backdoors are used by different hacking groups—for example, UNC5774 to deploy various payloads, and UNC4108 to execute tools like VOLTMARKER and NetSupport RAT, often leading to credential harvesting, reconnaissance, or further lateral movement within networks.

The report emphasizes that this attack is part of a broader trend where malware delivery is aided by infected USB drives, which install cryptominers like XMRig, alongside other malicious components such as DROPERS and backdoors. Attackers leverage physical devices and social engineering, to bypass defenses, resulting in compromised systems capable of cryptocurrency mining, reconnaissance, and remote control. The report, authored by cybersecurity firm Mandiant, aims to alert organizations to these evolving threats, urging measures like disabling the Windows Run dialog and enhancing monitoring systems to detect malicious activity early, ensuring the safety of digital infrastructures.

Security Implications

Cyber risks now encompass sophisticated social engineering tactics like ClickFix, which deceive users into executing malicious PowerShell scripts via fake CAPTCHA pages, often masked behind SEO-poisoned search results or malicious ads. These attacks leverage backdoors such as CORNFLAKE.V3, capable of executing payloads, collecting system data, and maintaining persistence through registry modifications, ultimately enabling threat actors—often motivated by financial gain or unknown aims—to deploy additional malware, gather credentials, or establish reverse shells. Concurrently, malware spread through infected USB drives, using deceptive shortcuts and scripts to install cryptocurrency miners like XMRig, facilitates lateral movement, persistence, and stealthy mining operations. These multifaceted attack vectors exemplify how social engineering combined with flexible malware deployment profoundly impacts organizational security, risking data theft, operational disruptions, and financial losses.

Possible Next Steps

Prompted to act swiftly, organizations must understand that rapid remediation of threats like the CORNFLAKE.V3 backdoor—often deployed through malicious ClickFix tactics and deceptive CAPTCHA pages—is crucial. Delay can lead to prolonged unauthorized access, data breaches, and costly disruptions, making timely response vital to safeguarding assets and maintaining trust.

Mitigation Strategies:

  • Immediate Isolation: Disconnect affected systems from the network to prevent further spread.
  • Threat Identification: Conduct thorough scans to detect CORNFLAKE.V3 presence and related anomalies.
  • Update Security Measures: Apply patches, update antivirus and anti-malware software, and reinforce firewall rules.
  • Eliminate Backdoors: Remove malicious files and scripts linked to the backdoor from infected systems.
  • User Education: Inform users about phishing tactics and suspicious links to prevent initial infection.
  • Strengthen CAPTCHA & Filtering: Implement advanced CAPTCHA validation and filter fake pages to block entry points.
  • Monitor Traffic: Increase monitoring for unusual or suspicious network activity that may indicate reinfection.
  • Review Log Files: Analyze logs for signs of unauthorized access or actions taken by the backdoor.
  • Collaborate with Experts: Engage cybersecurity specialists for advanced threat analysis and remediation.
  • Implement Preventive Measures: Develop and enforce security policies, including multi-factor authentication and regular system audits.

Advance Your Cyber Knowledge

Discover cutting-edge developments in Emerging Tech and industry Insights.

Understand foundational security frameworks via NIST CSF on Wikipedia.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.