Originally designed to display fake browser update pages, the ClearFake framework has undergone significant development, incorporating more advanced deception techniques to deliver malware through compromised websites. The latest variant, discovered in December 2024, employs fake reCAPTCHA or Cloudflare Turnstile verification challenges to trick users into executing malicious PowerShell code.

The infection flow begins with a brief JavaScript snippet injected into compromised websites (mostly WordPress sites). When users visit such a site, this initial script loads legitimate dependencies such as web3, pako, and crypto-js, and then initiates communication with the Binance Smart Chain to retrieve the next-stage code from blockchain smart contracts, ultimately leading to the display of fake security challenges. Because the malicious code is concealed within smart contracts, analysis is more difficult and removal is nearly impossible due to the immutable nature of blockchain data.

The ClickFix lures presented to users include either a fake Cloudflare Turnstile verification that claims to have detected "unusual web traffic" or a fake reCAPTCHA challenge shown alongside a DNS error message. The fake reCAPTCHA asks users to select images of cars, while the fake Cloudflare Turnstile presents a verification challenge; both ultimately lead to the social engineering step.

Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day.
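The loader shape described above (a site that pulls in web3, pako and crypto-js and then talks to a blockchain RPC endpoint from an inline script) is unusual on an ordinary WordPress page, which makes it a useful triage signal for site owners and defenders. The following is an added example, written for this article and not taken from Sekoia's research or from ClearFake itself. It parses a page's script tags and flags the combination of those three libraries with web3.js-style contract calls in inline code. The library names come from the article; the inline-script markers (`new Web3(`, `.eth.Contract(`, and "bsc"/"binance" substrings) are assumptions drawn from the public web3.js API and from the article's mention of the Binance Smart Chain, not indicators published by the researchers. The sample HTML pages are constructed fixtures with placeholder URLs and contract addresses.

```python
import re
from html.parser import HTMLParser

# Library names the article says the injected loader pulls in.
WEB3_LIBS = {"web3", "pako", "crypto-js"}

# Heuristic markers for inline scripts (assumption: web3.js API names and
# Binance Smart Chain references; not published ClearFake indicators).
INLINE_MARKERS = [
    r"new\s+Web3\s*\(",
    r"\.eth\.Contract\s*\(",
    r"bsc|binance",
]


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of <script src=...>
        self.inline = []     # text of <script>...</script> blocks
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)


def lib_name(src):
    """Map a script URL to one of WEB3_LIBS by its file name, else None."""
    fname = src.rsplit("/", 1)[-1].lower()
    for lib in WEB3_LIBS:
        if fname.startswith(lib):
            return lib
    return None


def scan_page(html):
    """Return the libraries, matched markers and a triage verdict for a page."""
    parser = ScriptCollector()
    parser.feed(html)
    libs = {lib_name(s) for s in parser.external} - {None}
    markers = {
        m for m in INLINE_MARKERS
        for body in parser.inline
        if re.search(m, body, re.IGNORECASE)
    }
    if WEB3_LIBS <= libs and markers:
        verdict = "suspicious"   # all three libraries plus contract-call code
    elif libs or markers:
        verdict = "review"       # partial match, worth a manual look
    else:
        verdict = "clean"
    return {"libs": sorted(libs), "markers": sorted(markers), "verdict": verdict}


# Constructed fixture: mimics the loader shape with placeholder values only.
SUSPICIOUS_PAGE = """<html><head>
<script src="https://cdn.example/web3.min.js"></script>
<script src="https://cdn.example/pako.min.js"></script>
<script src="https://cdn.example/crypto-js.min.js"></script>
</head><body>
<script>
const w3 = new Web3("https://bsc-rpc.invalid");
const c = new w3.eth.Contract([], "0xPLACEHOLDER_CONTRACT");
</script>
</body></html>"""

# Constructed fixture: an ordinary page that only loads jQuery.
BENIGN_PAGE = """<html><head>
<script src="https://cdn.example/jquery.min.js"></script>
</head><body><script>$(function () {});</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page))
```

Run it against saved copies of a site's HTML; a "suspicious" verdict is a prompt to inspect the inline script and the site's theme and plugin files for the injection, not proof of compromise, and a "review" result on a legitimate dApp front-end is expected.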
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Mar 2025 17:40:11 +0000