• 2 min read
Sandworm turns to Clickfix in Ukraine attacks
Ukraine’s CERT says Russia’s Sandworm is now using Clickfix fake CAPTCHAs to infect devices and deploy malware including FreakyPoll.

Image: Ars Technica
Sandworm, one of the Russian government’s most elite hacking groups, is now using Clickfix to breach devices at sensitive organizations in Ukraine, according to a new warning from Ukraine’s CERT.
Clickfix has spread over the past year largely among financially motivated cybercriminals. The technique relies on attacker-controlled websites that show a fake CAPTCHA and tell visitors to copy a block of text into a terminal. That text actually contains malicious scripts that can install malware or steal sensitive data.
Ukraine’s CERT said Wednesday that Sandworm—an advanced unit inside the GRU, Russia’s military intelligence service—adopted the method in a campaign that began in the spring and continued through the summer. The operation led to the network compromise of at least one organization, after a connected device was found infected with FreakyPoll, one of Sandworm’s custom malware tools.

Recommended reading
OkoBot spreads 20 malware payloads for crypto theft
Authorities identified 10 compromised websites displaying a PowerShell command as part of a fake CAPTCHA claiming it was needed to verify a human user. Once entered, the command could install malicious Visual Basic scripts and other payloads that in turn deployed multiple Sandworm malware families.
Typically, the first stage was a reconnaissance tool that collected details from the infected machine. Systems judged to be valuable were then hit with follow-on malware designed to backdoor the device.
“The command, as an example, could be intended to load and save a VBS file in the Startup directory. One of the variants of such a program was called GHETTOVIBE. At the next stage, in order to determine the importance of the cyberattack object, the SCOUTCURL software tool can be loaded onto the attacked computer, which is a PowerShell script that performs basic reconnaissance by collecting and exfiltrating information about the computer: basic characteristics, programs, files, Internet browser data, etc.”
The advisory names GHETTOVIBE and SCOUTCURL among the tools used in the chain, a sign that a technique once associated mainly with cybercrime is now being folded into operations by one of Russia’s most capable state-backed groups.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Ars Technica


