DriveSurge Uses ClickFix and Fake Update Drive-By Attacks at Scale
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
DriveSurge is an emerging initial access broker that compromises legitimate websites and injects malicious JavaScript to funnel visitors through an open-source Traffic Distribution System known as zTDS. The actor then serves fake browser update pages or ClickFix-style prompts that deliver malware to macOS and Windows users through deceptive downloads or malicious PowerShell commands. Its infrastructure includes thousands of .icu domains registered through NiceNIC and hosted on bulletproof infrastructure. The campaign is broad in scope and targets users across multiple browsers and operating systems.
Investigation
Researchers identified eight distinct technical fingerprints tied to the operation, including characteristic JavaScript filenames such as t.js, t..js, and ext-b..js, along with recurring server traits such as nginx and specific JARM hashes. Infrastructure mapping relied on domain searches, WHOIS email pivots, and analysis of compromised websites including jclforwarding.com. The team also extracted payload delivery URLs and command-and-control servers, and documented clipboard hijacking behavior aimed specifically at macOS victims.
Mitigation
Organizations should monitor for the documented JavaScript injection patterns, the presence of zTDS-related files such as jsrepo with the rnd parameter, and outbound connections to known bulletproof hosting IP addresses. Defenders should block suspicious .icu domains registered through NiceNIC that match the identified fingerprints and apply strict content security policies to internet-facing web assets. Endpoint protections should also be capable of detecting the Base64-encoded PowerShell and Bash command chains used in delivery.
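The last sentence above is the one that is easiest to turn into concrete telemetry logic. The following Python is an added example for this page, not code from the page or its vendor: it inspects process command lines (the kind an EDR or Sysmon event would carry) for two patterns the page names, a PowerShell -EncodedCommand argument and an "echo ... | base64 -d | sh" chain, and decodes the Base64 so an analyst can see what was about to run. The sample command lines, the harmless encoded payloads, and the rule names are all constructed for the example.

```python
"""Flag Base64-encoded PowerShell / Bash command chains in process command lines.

Hypothetical example for this page: the command lines and payloads below are
constructed, not real DriveSurge telemetry.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample payloads: a harmless PowerShell command in UTF-16LE (the
# encoding -EncodedCommand expects) and a harmless shell command, both Base64.
PS_PAYLOAD = base64.b64encode('Write-Host "hello"'.encode("utf-16-le")).decode("ascii")
SH_PAYLOAD = base64.b64encode(b"echo hello").decode("ascii")

# Constructed sample command lines, two suspicious and two benign.
SAMPLE_CMDLINES = [
    f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {PS_PAYLOAD}",
    f'/bin/bash -c "echo {SH_PAYLOAD} | base64 -d | bash"',
    "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -Command Get-Process",
    "/usr/bin/curl -s https://updates.example.invalid/check",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings are listed here. The Base64 blob must follow as the next token.
PS_ENC_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})"
)
# "base64 -d ... | sh/bash/zsh/dash": decoded bytes handed straight to a shell.
B64_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode|-D)\b[^|]*\|\s*(?:ba|z|da)?sh\b")
ECHO_BLOB_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]{8,})")


def decode_ps_encoded(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument (Base64 of UTF-16LE) or return None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_b64_text(blob: str) -> Optional[str]:
    """Decode a Base64 blob as UTF-8 text (the 'echo ... | base64 -d' case)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_cmdline(cmdline: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per matched rule, with the decoded payload when possible."""
    findings: List[Dict[str, Optional[str]]] = []
    m = PS_ENC_RE.search(cmdline)
    if m:
        findings.append({"rule": "powershell_encoded_command",
                         "decoded": decode_ps_encoded(m.group(1))})
    if B64_PIPE_RE.search(cmdline):
        blob = ECHO_BLOB_RE.search(cmdline)
        findings.append({"rule": "base64_decode_piped_to_shell",
                         "decoded": decode_b64_text(blob.group(1)) if blob else None})
    return findings


def scan(cmdlines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Scan many command lines; each finding also carries the offending command line."""
    results: List[Dict[str, Optional[str]]] = []
    for cmd in cmdlines:
        for finding in inspect_cmdline(cmd):
            results.append({**finding, "cmdline": cmd})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"[{hit['rule']}] {hit['cmdline']}\n    decoded: {hit['decoded']!r}")
```

The decode step matters more than the match: a rule that only flags "-EncodedCommand" fires on legitimate administration scripts too, whereas surfacing the decoded text lets the analyst triage in one glance. Both decoders use validate=True so a truncated or non-Base64 argument yields None instead of an exception that aborts the scan.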
Response
If DriveSurge activity is detected, affected web assets should be isolated immediately, malicious JavaScript removed, and any compromised domain registrations reviewed or revoked. The identified domains and IP addresses should be blocked at the network perimeter. Security teams should also perform forensic analysis on any systems that executed the malicious download commands and reset any exposed credentials. Relevant indicators should be shared with industry ISACs and trusted partners.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ffcc99
    classDef process fill:#ff9966
    classDef operator fill:#ff9900

    %% Nodes
    node_initial_access["<b>Action</b> – <b>T1189 Drive-by Compromise</b><br/><b>Description</b>: Compromise high-reputation website and inject malicious JavaScript.<br/><b>Result</b>: Victim browsers load malicious code."]
    class node_initial_access action
    node_content_injection["<b>Action</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Injected scripts (t.js, ext-b, jsrepo) load the zTDS traffic-distribution system.<br/><b>Scripts</b>: t.js, ext-b, jsrepo."]
    class node_content_injection action
    tool_ztds["<b>Tool</b> – <b>Name</b>: zTDS Traffic Distribution System<br/><b>Purpose</b>: Serve malicious JavaScript to compromised browsers."]
    class tool_ztds tool
    malware_jsrepo["<b>Malware</b> – <b>Name</b>: jsrepo<br/><b>Role</b>: Obfuscated loader script delivering payload URLs."]
    class malware_jsrepo malware
    node_obfuscation["<b>Action</b> – <b>T1027.010 Command Obfuscation, T1027.007 Dynamic API Resolution, T1027.018 Invisible Unicode</b><br/><b>Description</b>: JavaScript is base64-encoded, uses atob, concatenation and Unicode tricks to hide payload URLs."]
    class node_obfuscation action
    node_fake_updates["<b>Action</b> – <b>T1554 Fake Browser/Software Updates</b><br/><b>Description</b>: Victims see convincing update pages and download malicious binaries.<br/><b>Related</b>: User Execution T1204.004."]
    class node_fake_updates action
    node_copy_paste["<b>Action</b> – <b>T1204.004 Malicious Copy and Paste</b><br/><b>Description</b>: User copies a command from the fake update page and pastes it into a terminal."]
    class node_copy_paste action
    node_clickfix["<b>Action</b> – <b>T1684 ClickFix Social Engineering</b><br/><b>Description</b>: Fake error prompts replace clipboard with base64-encoded command.<br/><b>Technique</b>: Clipboard Hijacking T1115."]
    class node_clickfix action
    node_clipboard_hijack["<b>Action</b> – <b>T1115 Clipboard Hijacking</b><br/><b>Description</b>: Attacker overwrites clipboard to deliver malicious command."]
    class node_clipboard_hijack action
    node_browser_hijack["<b>Action</b> – <b>T1185 Browser Session Hijacking</b><br/><b>Description</b>: Compromised sites redirect visitors via zTDS to attacker-controlled domains."]
    class node_browser_hijack action
    node_payload_delivery["<b>Action</b> – <b>T1133 External Remote Services, T1105 Ingress Tool Transfer</b><br/><b>Description</b>: Scripts use curl/wget to download secondary macOS payloads from attacker servers."]
    class node_payload_delivery action
    tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Purpose</b>: Transfer files from attacker server."]
    class tool_curl tool
    tool_wget["<b>Tool</b> – <b>Name</b>: wget<br/><b>Purpose</b>: Transfer files from attacker server."]
    class tool_wget tool
    process_download["<b>Process</b> – <b>Name</b>: download script<br/><b>Action</b>: Executes curl/wget to fetch macOS binaries."]
    class process_download process
    node_c2["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/><b>Description</b>: Malware communicates with C2 using HTTPS and content injection for updates."]
    class node_c2 action
    node_ad_distribution["<b>Action</b> – <b>T1596.004 Use of Advertising Distribution System</b><br/><b>Description</b>: Malicious ads and CDN resources host and distribute payloads."]
    class node_ad_distribution action

    %% Connections
    node_initial_access -->|uses| node_content_injection
    node_content_injection -->|loads| tool_ztds
    node_content_injection -->|delivers| malware_jsrepo
    malware_jsrepo -->|performs| node_obfuscation
    node_obfuscation -->|enables| node_fake_updates
    node_fake_updates -->|triggers| node_copy_paste
    node_copy_paste -->|leads_to| node_clickfix
    node_clickfix -->|uses| node_clipboard_hijack
    node_clipboard_hijack -->|leads_to| node_browser_hijack
    node_browser_hijack -->|redirects_to| node_payload_delivery
    node_payload_delivery -->|uses| tool_curl
    node_payload_delivery -->|uses| tool_wget
    node_payload_delivery -->|delivers| process_download
    process_download -->|executes| node_c2
    node_c2 -->|communicates_via| node_ad_distribution
Detections
- Download or Upload via Powershell (via cmdline)
- Call Suspicious Windows API Functions from Powershell (via powershell)
- Possible Base64 Encoded Strings Manipulation [MacOS] (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- IOCs (HashSha256) to detect: Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
- IOCs (SourceIP) to detect: Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
- IOCs (DestinationIP) to detect: Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
- Detect Malicious ClickFix Command Execution [Windows Powershell]
- Detection of DriveSurge Malicious JavaScript Inject [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands
Stage 1 – Deploy malicious payload:
An attacker uploads a JavaScript file named t.js (or a hash-based name) onto the compromised web server. The file contains a DriveSurge HTML-smuggling snippet that silently fetches additional payloads.
Stage 2 – Victim request:
A victim’s browser (simulated with curl) requests the malicious file, producing a log entry where the request URI matches the Sigma regex.
Stage 3 – Alert generation:
The SIEM ingests the access log line, the Sigma rule evaluates the filename field, and the alert is raised.
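To show what Stage 3 does with the line Stage 2 produces, here is an added Python example (not the page's own Sigma rule or any vendor code). It parses Apache combined-format access log lines, extracts the request filename, and flags the DriveSurge fingerprints the page lists (t.js, t..js, ext-b..js) plus a jsrepo request carrying the zTDS rnd parameter. The log lines are constructed, and the filename pattern is an assumption written for this example from those fingerprints, not the regex inside the detection rule.

```python
"""Flag DriveSurge / zTDS request URIs in web server access logs.

Hypothetical example for this page: the log lines are constructed, and the
filename pattern is derived from the fingerprints the page lists, not taken
from the Sigma rule itself.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the shape the regression script's curl request produces.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed fingerprint filenames from the page: t.js, t..js, ext-b..js (case-insensitive).
FINGERPRINT_NAME_RE = re.compile(r"^(?:t\.?|ext-b\.)\.js$", re.IGNORECASE)

# Constructed sample lines; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /t.js HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"
203.0.113.11 - - [12/May/2025:10:01:05 +0000] "GET /assets/ext-b..js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [12/May/2025:10:01:09 +0000] "GET /jsrepo?rnd=8173 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [12/May/2025:10:02:00 +0000] "GET /js/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.14 - - [12/May/2025:10:02:30 +0000] "GET /static/t.json HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_target(target: str) -> Optional[str]:
    """Return a rule label for a request target, or None when nothing matches."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1]  # filename component only, query stripped
    if FINGERPRINT_NAME_RE.match(name):
        return "drivesurge_js_filename"
    # zTDS loader request: a jsrepo resource fetched with an rnd cache-buster.
    if name.lower().startswith("jsrepo") and "rnd" in parse_qs(parts.query):
        return "ztds_jsrepo_rnd"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run the classifier over every parsable line and collect alerts."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped instead of aborting the scan
        label = classify_target(rec["target"])
        if label:
            alerts.append({"rule": label, "client": rec["client"],
                           "target": rec["target"], "time": rec["time"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} {alert['target']} -> {alert['rule']}")
```

Matching on the filename after urlsplit, rather than on the raw URI, is what keeps /static/t.json and /js/app.js quiet while /assets/ext-b..js still fires, and it is the same field the Stage 3 narrative says the rule evaluates.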
Regression Test Script
#!/usr/bin/env bash
set -euo pipefail

# --- Variables -------------------------------------------------
WEB_ROOT="/var/www/html"
MALICIOUS_NAME="t.js"
MALICIOUS_PATH="${WEB_ROOT}/${MALICIOUS_NAME}"
MALICIOUS_CONTENT='console.log("DriveSurge payload executed");'

# --- Deploy malicious JavaScript --------------------------------
echo "${MALICIOUS_CONTENT}" | sudo tee "${MALICIOUS_PATH}" > /dev/null
sudo chown www-data:www-data "${MALICIOUS_PATH}"
sudo chmod 644 "${MALICIOUS_PATH}"

# --- Give Apache a moment to notice the new file ---------------
sleep 2

# --- Simulate victim request (generates telemetry) ------------
curl -s -o /dev/null "http://localhost/${MALICIOUS_NAME}"

# --- Optional: output the logged line for manual review -------
echo "=== Recent Apache log entry for verification ==="
sudo tail -n 5 /var/log/apache2/access.log | grep "${MALICIOUS_NAME}" || echo "Log entry not found"
Cleanup Commands
#!/usr/bin/env bash
set -euo pipefail

WEB_ROOT="/var/www/html"
MALICIOUS_NAME="t.js"
MALICIOUS_PATH="${WEB_ROOT}/${MALICIOUS_NAME}"

# Remove the malicious file
sudo rm -f "${MALICIOUS_PATH}"
echo "Cleaned up ${MALICIOUS_PATH}"