Russian military hackers add ClickFix lures to Ukraine attacks
Ukraine’s CERT-UA says Sandworm used fake CAPTCHA prompts on compromised websites to infect targeted devices with malware.
By James Whitfield · Staff Writer
3 min read
A Russian military intelligence hacking unit has begun using ClickFix, a social-engineering technique that tricks people into running malicious commands, in attacks against Ukrainian targets, Ukraine’s computer emergency response team said. The warning matters because CERT-UA tied the method to Sandworm, a GRU-linked group known for advanced cyber operations.
CERT-UA said the campaign started in the spring and continued through the summer. Investigators found more than 10 compromised websites showing visitors a fake CAPTCHA that instructed them to copy and paste a PowerShell command, according to the agency.
ClickFix attacks rely on a victim’s action rather than a hidden software exploit. In this case, CERT-UA said the command presented as a human-verification step could install malicious scripts and other tools once pasted into a terminal.
Malware staged after fake CAPTCHA checks
CERT-UA said at least one organization’s network was compromised after a connected device was found infected with FreakyPoll, one of the malware tools the agency attributed to Sandworm. The initial payloads were used to assess infected machines before additional malware was deployed to systems the attackers considered valuable, according to the advisory.
One example cited by CERT-UA involved a Visual Basic script placed in a Startup directory. The agency identified a variant called GHETTOVIBE and said another tool, SCOUTCURL, performed basic reconnaissance by collecting and sending out details such as computer characteristics, installed programs, files and browser data.
CERT-UA described FreakyPoll as a Python-based backdoor. The agency also named FluidLeech, which it said was disguised as antivirus software, and LoadLoop as tools used in the operation.
The agency said the attackers used more than the standard features of a service called Cloaking.House, which can filter visitors and display outside pages, iframes or redirects under certain conditions. CERT-UA said Sandworm also used separate code called SMARTAXE to alter what a visitor saw on a web page, including the CAPTCHA, by obtaining a remote domain name through an Ethereum smart-contract call.
Other Sandworm methods cited
CERT-UA said Sandworm has also used Android malware tracked as CowardDuck. According to the advisory, that technique relies on lures that persuade targets to install apps, after which the malware gathers potentially sensitive files and sends them to a server controlled by the attackers.
The advisory also described earlier Sandworm infection methods. CERT-UA said the group had seeded torrent trackers with links to pirated software containing malware, and in other cases held extended Signal conversations with targets before encouraging them to install malware presented as security software.
CERT-UA urged website administrators and hosting providers to look for web shells, unauthorized extensions and other signs that sites have been compromised. The agency’s warning indicates that ClickFix, previously associated largely with financially motivated criminal activity, is now being used in a state-linked campaign against Ukrainian organizations.
This story draws on original reporting from Ars Technica.