ClickFix Campaign Generated Via AI Delivers SmartRAT

SOC Prime Team

ClickFix Campaign Generated Via AI Delivers SmartRAT

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Threat actors are using AI-driven website builders to create persuasive phishing pages that mimic Brazilian banking brands. These pages rely on the ClickFix technique, using fake CAPTCHA checks and system recovery messages to convince victims to run malicious PowerShell commands. The result is delivery of SmartRAT, a PowerShell-based banking trojan built for remote access and theft of financial information.

Investigation

Zscaler ThreatLabz identified multiple typosquatting domains and analyzed the full infection chain, observing AI-generated code comments and scripts designed to resist inspection. The investigation also exposed a weakness in the AI-built command-and-control panel that made authentication bypass possible through client-side localStorage manipulation. Researchers further decoded the SmartRAT communication protocol and documented its use of AES-CBC encryption.

Mitigation

Organizations should deploy web filtering to block known typosquatting and malicious domains. Endpoint defenses should be configured to detect and restrict suspicious PowerShell activity and unauthorized scheduled task creation. User awareness efforts should also teach employees to recognize ClickFix-style social engineering, including fake blue screen, recovery, or CAPTCHA prompts.

Response

If SmartRAT activity is detected, isolate affected endpoints immediately to stop command-and-control traffic and limit further movement. Conduct forensic analysis to determine the persistence method, whether service-based or scheduled-task based, and search for related artifacts such as msedgeupdate.txt. Review web proxy logs for traffic to the identified infrastructure and initiate credential resets for any affected users.

"graph TB %% Class Definitions Section classDef action fill:#99ccff classDef tool fill:#cccccc classDef malware fill:#ff9999 classDef technique fill:#ccffcc %% Initial Access and Execution Phase action_phishing["Action – T1566 Phishing Threat actors use typosquatting domains and AI-generated websites to lure victims."] class action_phishing action action_clickfix["Action – T1204.004 User Execution: Malicious Copy and Paste Tricks users into pasting a malicious PowerShell command into the Windows Run box."] class action_clickfix action action_ingress["Action – T1105 Ingress Tool Transfer Downloads a stealthy dropper named st.txt from remote IP 64.95.13.238."] class action_ingress action tool_dropper["Tool – Name: st.txt Description: Stealthy dropper used to facilitate the delivery of the primary malware."] class tool_dropper tool %% Malware Execution and Persistence Phase malware_smartrat["Malware – Name: SmartRAT Description: Primary RAT used for surveillance and financial data theft."] class malware_smartrat malware action_user_exec_file["Action – T1204.002 User Execution: Malicious File Executes the primary SmartRAT malware."] class action_user_exec_file action action_gather_info["Action – T1592.001/002 Gather Victim Host Information Collects hardware, software, and OS details to generate a unique identity token."] class action_gather_info action action_persistence_service["Action – T1543.003 Create or Modify System Process: Windows Service Creates a Windows service named MicrosoftEdgeUpdateCore for persistence."] class action_persistence_service action action_persistence_registry["Action – Persistence via Registry Run Keys Uses registry run keys to maintain access."] class action_persistence_registry action action_priv_esc["Action – T1548 Privilege Escalation Prompts for UAC elevation to run the service with SYSTEM privileges."] class action_priv_esc action %% Command and Control and Exfiltration Phase action_c2["Action – T1071 Command and Control Utilizes raw TCP sockets on non-standard port 51888 for communication."] class action_c2 action action_exfiltrate["Action – T1041 Exfiltration Over C2 Channel Steals financial data through the established C2 connection."] class action_exfiltrate action %% Post-Exploitation and Evasion Phase action_video_capture["Action – T1125 Video Capture Performs screen streaming for surveillance."] class action_video_capture action action_input_tracking["Action – T1056 Input Tracking Uses keylogging to monitor user inputs."] class action_input_tracking action action_mfa_interception["Action – T1111 Multi-Factor Authentication Interception Uses branded fake overlays to steal MFA tokens."] class action_mfa_interception action action_masquerading["Action – T1036 Masquerading Uses decoy filenames like msedge.txt to evade detection."] class action_masquerading action action_file_deletion["Action – T1070.004 Indicator Removal: File Deletion Uses an uninstall command to reduce the forensic footprint."] class action_file_deletion action %% Connection Flow action_phishing –>|leads_to| action_clickfix action_clickfix –>|leads_to| action_ingress action_ingress –>|downloads| tool_dropper tool_dropper –>|executes| action_user_exec_file action_user_exec_file –>|launches| malware_smartrat malware_smartrat –>|performs| action_gather_info malware_smartrat –>|establishes| action_persistence_service malware_smartrat –>|establishes| action_persistence_registry malware_smartrat –>|attempts| action_priv_esc action_priv_esc –>|enables| action_c2 action_c2 –>|used_for| action_exfiltrate action_c2 –>|used_for| action_video_capture action_c2 –>|used_for| action_input_tracking action_c2 –>|used_for| action_mfa_interception malware_smartrat –>|uses| action_masquerading malware_smartrat –>|performs| action_file_deletion "

Attack Flow

View

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

Attack Narrative & Commands: The adversary has successfully gained initial access via a phishing campaign (T1566) and is now attempting to establish persistence. To blend in with legitimate system activity, the attacker uses a “Living-off-the-Land” approach, executing a malicious command that masquerades as a Microsoft Edge update process (T1036). The attacker executes a command-line instruction containing the string msedgeupdate.txt to trigger a simulated persistence mechanism, which in a real-world scenario would involve creating a scheduled task or service.

Regression Test Script:

# SmartRAT Persistence Simulation Script
# This script generates the specific command-line telemetry required to trigger the detection rule.

$TargetString = "msedgeupdate.txt"
$FakePath = "C:UsersPublicDocuments$TargetString"

# Create a dummy file to make the command line look somewhat realistic
New-Item -Path $FakePath -ItemType File -Force | Out-Null

Write-Host "[+] Simulating SmartRAT persistence via command line: $TargetString" -ForegroundColor Cyan

# Execute the command that triggers the detection logic
Start-Process cmd.exe -ArgumentList "/c echo 'Simulating SmartRAT activity with $TargetString' > $FakePath" -WindowStyle Hidden

Write-Host "[+] Simulation command executed." -ForegroundColor Green

Cleanup Commands:

# Cleanup the dummy file created during simulation
Remove-Item -Path "C:UsersPublicDocumentsmsedgeupdate.txt" -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete." -ForegroundColor Yellow

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free