- Threat actors are creating fake DocuSign and Gitcode websites
- The sites come with fake CAPTCHA and other scam mechanisms
- Victims are tricked into downloading a Trojan
Security researchers have found fake Gitcode and DocuSign websites distributing remote access trojan (RAT) malware using the infamous ClickFix method.
Experts from DomainTools Investigations (DTI) found “malicious multi-stage downloader Powershell scripts” hosted on spoofed websites inviting visitors to pull up the Windows Run terminal and run a script copied into their clipboard.
“Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines,” the researchers said in their report. These multiple stages and downloads are designed to evade detection, and help the campaign “be more resilient to security investigations and takedowns.”
SocGholish
They also said they don’t know exactly how victims end up on these websites. However, it is safe to assume that social engineering, email spam, and possibly malvertising, are a part of the methodology. In some cases, the fake websites also come with a fake CAPTCHA verification mechanism which, to be solved, requires the victims copy and paste a code into the Run program, effectively downloading the malware.
TDI could not confirm the identity of the attackers, but did stress it had observed a similar campaign late in 2024, which was attributed to SocGholish:
“Notably, the techniques involved are commonplace and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, Storm-0408, and others,” the report concluded.
SocGholish, also known as FakeUpdates, is known for its fake browser and fake software update alerts. After compromising a website, the crooks would inject a popup, notifying the visitors that their browser, or operating system, needs “fixing” or “updating”.
This is the “original” ClickFix method, one that spun from the ancient “you have a virus” popup that imitated popular antivirus programs and delivered – viruses.
Via The Hacker News
Leave a comment