
Unmasking MIMICRAT: How the New ClickFix Campaign Weaponizes Compromised Websites

Security Arsenal Team
February 23, 2026
5 min read


Trust is the currency of the internet. We instinctively trust legitimate websites in established industries to be safe. Cybercriminals know this, and they are exploiting that trust with alarming sophistication. Security researchers have recently uncovered a new "ClickFix" campaign that does exactly this—hijacking reputable websites to deliver a previously undocumented Remote Access Trojan (RAT) known as MIMICRAT (also detected as AstarionRAT).

This isn't just another phishing email; it is a multi-stage operation leveraging the infrastructure of unsuspecting victims to launch attacks on others. Here at Security Arsenal, we are breaking down the mechanics of this threat and how you can defend your organization.

The Threat Landscape: ClickFix and MIMICRAT

The term "ClickFix" refers to a social engineering technique where users are tricked into believing their system is broken or requires an urgent update. Typically, this involves a fake browser error message or a pop-up claiming a video driver failed or a font is missing. The "fix" invariably requires the user to copy and paste a malicious command into a terminal or PowerShell window.

In this recent campaign, the delivery mechanism is particularly insidious. The attackers have compromised legitimate websites spanning multiple industries and geographies. These sites act as the command and control (C2) and delivery infrastructure.

Once the victim executes the "fix," the MIMICRAT payload is deployed. MIMICRAT is a fully featured RAT designed to give attackers complete remote control over an infected endpoint. Capabilities typically associated with this malware family include:

  • Keylogging: Stealing credentials and sensitive data.
  • Screen Capture: Spying on user activity.
  • Remote Command Execution: Running arbitrary code.
  • Lateral Movement: Spreading across the network.

Deep Dive Analysis: Operational Sophistication

What sets this campaign apart is the abuse of compromised legitimate sites. By hosting their malicious payloads on domains that otherwise have good reputation scores, attackers bypass traditional email security gateways and web filters that might block brand-new, suspicious domains.

The Attack Chain

  1. Initial Access: Users are directed to compromised legitimate sites, often via malicious SEO (Search Engine Optimization) poisoning or malvertising.
  2. Social Engineering (The ClickFix): The site displays a fake error message (e.g., "Please allow to view content" or "System Update Required").
  3. User Action: The victim copies a PowerShell or Bash command provided on the screen and runs it.
  4. Payload Retrieval: The script reaches back to the compromised infrastructure to download the MIMICRAT payload.
  5. Execution & C2: The malware installs itself, establishes persistence, and connects back to the attacker's C2 server using the compromised site as a proxy.

Detection and Threat Hunting

Detecting ClickFix campaigns requires looking for anomalies in user behavior rather than just known bad signatures. We need to hunt for the mechanism of infection—browsers spawning shells and users running obscure commands.

1. Hunt for Browser-Spawned Shells (KQL)

A primary indicator of a ClickFix attack is a web browser process spawning a PowerShell or CMD window. This is highly unusual for standard business operations.

DeviceProcessEvents
// Parent is a browser: the ClickFix lure is served from a web page
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
// Child is the shell the victim pasted the "fix" into
| where FileName in~ ("powershell.exe", "cmd.exe", "pwsh.exe")
// Command lines that touch the clipboard or evaluate downloaded text
| where ProcessCommandLine has_any ("copy", "clip", "paste", "iex", "Invoke-Expression")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
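
The same hunt can be run directly on a host that has Sysmon but no EDR console. The script below is an added example written for this article, not a query from the original campaign write-up; it assumes Sysmon is installed and logging process creation (Event ID 1) to its standard channel, and the keyword list and seven-day window are illustrative starting points you should tune. It also decodes any -EncodedCommand argument so the analyst sees the actual script rather than a base64 blob.

```powershell
# Added example: hunt Sysmon Event ID 1 for a browser parent spawning a shell.
# Assumes Sysmon is installed; keyword list and time window are illustrative choices.
$Browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe'
$Shells   = 'powershell.exe', 'pwsh.exe', 'cmd.exe'
$Keywords = 'iex', 'invoke-expression', 'downloadstring', 'invoke-webrequest', 'curl',
            '-enc', '-e ', 'hidden', 'bypass', 'clip'

# Pull one named field out of the Sysmon EventData block
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# -EncodedCommand / -enc / -e payloads are base64 of UTF-16LE text; decode for the analyst
function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

$Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x      = [xml]$_.ToXml()
    # Take just the file name of each image path; -split avoids Split-Path errors on empty values
    $parent = ((Get-EventField $x 'ParentImage') -split '\\')[-1].ToLower()
    $image  = ((Get-EventField $x 'Image') -split '\\')[-1].ToLower()

    if ($Browsers -contains $parent -and $Shells -contains $image) {
        $cmd  = [string](Get-EventField $x 'CommandLine')
        $hits = $Keywords | Where-Object { $cmd -match [regex]::Escape($_) }
        [PSCustomObject]@{
            Time     = $_.TimeCreated
            Host     = $_.MachineName
            User     = Get-EventField $x 'User'
            Parent   = $parent
            Child    = $image
            Keywords = ($hits -join ',')
            Command  = $cmd
            Decoded  = ConvertFrom-EncodedCommand $cmd
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A browser-to-shell parent/child pair is rare enough on a workstation that every row deserves a look, whether or not a keyword matched; the Keywords column is there to prioritise, not to filter.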

2. PowerShell Persistence Checks (PowerShell)

Once MIMICRAT executes, it often establishes persistence via Registry Run keys or Scheduled Tasks. Use this PowerShell snippet to audit common persistence locations for suspicious entries that look obfuscated or recently modified.

# Check Registry Run keys for non-standard binaries
$Paths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Value data that points at user-writable folders or launches an interpreter deserves a second look
$Suspicious = 'AppData|\\Temp\\|ProgramData|\\Public\\|powershell|pwsh|cmd\.exe|wscript|mshta|-enc|-e '

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        # Get-Item returns the RegistryKey, which lets us enumerate every value by name
        $Key = Get-Item -Path $Path
        foreach ($Name in $Key.GetValueNames()) {
            $Data = $Key.GetValue($Name)
            [PSCustomObject]@{
                Path       = $Path
                Name       = $Name
                Command    = $Data
                Suspicious = [bool]($Data -match $Suspicious)
            }
        }
    }
}
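
The Run-key audit above covers one of the two persistence locations named in this section; scheduled tasks are the other. The following is an added example written for this article rather than code from the original write-up. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later), and the pattern list is an illustrative set of interpreter names and user-writable paths that you should extend for your environment.

```powershell
# Added example: list enabled scheduled tasks whose action launches an interpreter or
# runs from a user-writable location. Pattern list is an illustrative starting point.
$Suspicious = 'AppData|\\Temp\\|ProgramData|\\Public\\|powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|-enc'

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute/Arguments; COM-handler actions have neither and yield a blank line
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $Suspicious) {
            $info = $task | Get-ScheduledTaskInfo
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Created  = $task.Date        # creation timestamp recorded in the task XML
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
                Command  = $cmd
            }
        }
    }
} | Sort-Object LastRun -Descending | Format-Table -AutoSize -Wrap
```

Tasks created in the last few days by a non-administrative author, or with a Microsoft-looking name sitting outside the \Microsoft\ task path, are the usual first triage cut.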

3. Web Server Log Analysis (Bash)

If you manage web servers, you should check for indicators that your site might be the compromised infrastructure being abused. Look for suspicious POST requests to unusual endpoints or high traffic spikes to specific directories.

# Analyze access logs for suspicious POST requests (Apache/Nginx combined log format)
# Look for requests to .php or .jsp files that are not part of your CMS
LOG_FILE="/var/log/nginx/access.log"

# Field 6 is the quoted method and field 9 the status code; then split on '"' to pull
# the request line ($2) and referer ($4) for the successful POSTs
awk '$6 == "\"POST" && $9 == 200' "$LOG_FILE" \
  | awk -F'"' '{print $2, $4}' \
  | grep -Ei '\.(php|jsp)' \
  | sort | uniq -c | sort -rn | head -20

Mitigation Strategies

To protect your organization from the MIMICRAT ClickFix campaign, you need a blend of technical controls and user awareness.

  • Implement Application Control (AppLocker): Strictly limit which applications can run and prevent scripts from running in user directories unless explicitly allowed. Block PowerShell from running in the user context unless absolutely necessary.
  • Web Filtering & Isolation: Deploy secure web gateways that can analyze content in real-time. Even if a site is legitimate, if it starts serving malware content, isolation solutions prevent the payload from reaching the endpoint.
  • Aggressive PowerShell Logging: Enable Module Logging, Script Block Logging, and Transcription on all endpoints. This ensures that even if a script runs obfuscated, you have a record of what it did.
  • User Education: Train employees to recognize the "Copy-Paste" scam. Legitimate tech support will never ask a user to open a terminal window and paste a random string of code.
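
The PowerShell logging bullet above maps to three policy registry keys, the same ones Group Policy writes. The script below is an added example for this article, not configuration from the original write-up; it assumes it runs elevated on a single host (in a domain, set the equivalent GPO instead), and the transcript directory is an assumed location that in production should be a write-only share collected by your SIEM.

```powershell
# Added example: enable Module Logging, Script Block Logging and Transcription via policy keys.
# Run elevated. $TranscriptDir is an assumed path; point it at a collected, write-only share.
$Base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'

# Ordered so parent keys are created before their ModuleNames subkey
$Settings = [ordered]@{
    "$Base\ScriptBlockLogging"        = @{ EnableScriptBlockLogging = 1 }
    "$Base\ModuleLogging"             = @{ EnableModuleLogging = 1 }
    "$Base\ModuleLogging\ModuleNames" = @{ '*' = '*' }   # log every module
    "$Base\Transcription"             = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
}

if (-not (Test-Path $TranscriptDir)) { New-Item -Path $TranscriptDir -ItemType Directory | Out-Null }

foreach ($Key in $Settings.Keys) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($Name in $Settings[$Key].Keys) {
        $Value = $Settings[$Key][$Name]
        $Type  = if ($Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    }
}

# Verify: script blocks are written to this channel as Event ID 4104, module logs as 4103
Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' | Select-Object LogName, IsEnabled, RecordCount
```

Script Block Logging records the de-obfuscated block as PowerShell compiles it, which is why it is the single most useful source when a ClickFix command arrives encoded or wrapped in string concatenation.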

Conclusion

The MIMICRAT campaign is a stark reminder that the line between "legitimate" and "malicious" infrastructure is blurring. By relying on compromised reputable sites, attackers are lowering their detection rates. Effective defense requires a shift from simple allow-listing of domains to behavioral analysis of process execution chains.

If you suspect your environment has been compromised or need assistance hunting for these indicators, our team is ready to respond.
