Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT
Threat actors are leveraging deceptive tactics to distribute a fileless variant of AsyncRAT, a notorious remote access Trojan.
Discovered during routine attacker infrastructure analysis, this operation employs a fake verification prompt themed around the “Clickfix” technique to trick users into executing malicious commands.
The campaign, which appears to target German-speaking individuals as evidenced by the linguistic cues in the prompt, uses obfuscated PowerShell scripts and in-memory execution to deploy the malware without ever writing files to disk, posing a significant challenge to traditional antivirus solutions.
Deceptive Campaign Targets German-Speaking Users
The attack begins when victims encounter a seemingly innocuous verification page prompting them to click “I’m not a robot.”

Upon interaction, a malicious command is copied to their clipboard, accompanied by the German instruction “Drücke enter um deine identität zu bestätigen!” (Press enter to confirm your identity!).
According to the CloudSEK report, this command uses the legitimate Windows utility conhost.exe to invoke a hidden PowerShell instance with flags such as -w hidden and -nop, which executes a payload retrieved from a remote server (http://namoet[.]de:80/x). The script then decodes an obfuscated base64 string, revealing a connection to a command-and-control (C2) server at namoet[.]de:4444, and compiles reversed C# code in memory using Add-Type.
This approach ensures persistence via registry keys such as HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and facilitates full remote control, credential theft, and data exfiltration, all while evading file-based detection mechanisms.
Sophisticated Fileless Malware
Technical analysis reveals AsyncRAT’s signature tactics, including the use of PowerShell for stealth execution (MITRE T1059.001), in-memory C# compilation (T1127.001), and TCP-based C2 communication over non-standard ports like 4444 (T1571).
The payload establishes persistence by embedding commands in registry paths and employs advanced obfuscation techniques, such as reversed strings and reflective loading, to thwart analysis.

Once active, it redirects standard input/output for command execution, enabling attackers to maintain covert access for prolonged periods.
This campaign, potentially active since at least April 2025 based on associated infrastructure, underscores the growing sophistication of fileless malware delivery.
To counter this threat, organizations should prioritize mitigations like blocking suspicious PowerShell executions via EDR or AppLocker, enforcing network segmentation to filter egress traffic to known C2 domains, and monitoring registry changes for unauthorized persistence mechanisms.
Implementing PowerShell Constrained Language Mode and enabling script logging can further aid in detecting obfuscated code, while memory scanning with tailored YARA rules offers a proactive defense against in-memory payloads.
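As an added example (not code from the article or the CloudSEK report), the following Python sketch scores Sysmon-style events against the behaviours described above: conhost.exe spawning a hidden, no-profile PowerShell, script blocks combining Add-Type with base64 decoding and string reversal, RunOnce persistence written by PowerShell, and PowerShell connecting to port 4444. The event field names, regexes, thresholds and sample events are my own assumptions.

```python
import re

# Field names and regexes are my assumptions about a Sysmon-style event feed,
# not CloudSEK's detection content; thresholds are deliberately conservative.
PS_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
PS_NOPROFILE = re.compile(r"-no(?:p|profile)\b", re.I)
SCRIPT_SIGNS = {  # obfuscation traits the article names
    "inmem_compile": re.compile(r"\bAdd-Type\b", re.I),
    "b64_decode": re.compile(r"FromBase64String", re.I),
    "string_reverse": re.compile(r"\[array\]::Reverse", re.I),
}
RUN_KEY = re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
C2_PORT = 4444  # non-standard port reported for the C2 channel

def score_event(ev):
    """Return the indicator names one event matches; an empty list means no hit."""
    hits, kind, image = [], ev.get("type"), ev.get("image", "").lower()
    if kind == "process" and "powershell" in image:
        cmd = ev.get("cmdline", "")
        if ev.get("parent", "").lower() == "conhost.exe":
            hits.append("conhost_spawns_powershell")
        if PS_HIDDEN.search(cmd) and PS_NOPROFILE.search(cmd):
            hits.append("hidden_noprofile_flags")
    elif kind == "scriptblock":  # text from PowerShell script block logging
        hits = [n for n, rx in SCRIPT_SIGNS.items() if rx.search(ev.get("text", ""))]
        if len(hits) < 2:  # a single trait is common in legitimate admin scripts
            hits = []
    elif kind == "registry" and "powershell" in image and RUN_KEY.search(ev.get("key", "")):
        hits.append("runonce_persistence")
    elif kind == "network" and "powershell" in image and ev.get("dport") == C2_PORT:
        hits.append("c2_port_4444")
    return hits

def triage(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := score_event(e))]

# Constructed sample events (not real telemetry) mirroring the reported chain.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "conhost.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -c <stage-1 loader omitted>"},
    {"type": "scriptblock", "text": "[array]::Reverse($s); Add-Type -TypeDefinition (-join $s); "
                                    "[Convert]::FromBase64String($h)"},
    {"type": "registry", "image": "powershell.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows"},
    {"type": "network", "image": "powershell.exe", "dport": 4444},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File inventory.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first four constructed events and leaves the benign explorer-launched script untouched; in production the per-event hits would feed a correlation rule rather than fire alerts individually.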
Indicators of Compromise (IOCs)
| Indicator Type | Value | Use |
|---|---|---|
| IP | 109.250.111[.]155 | Clickfix Delivery |
| FQDN | namoet[.]de | Clickfix / C2 Server |
| Port | 4444 | TCP Reverse Shell Listener |
| URL | hxxp[:]//namoet[.]de:80/x | PowerShell Payload |
| Registry (HKCU) | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows | Persistence on Boot |
| Registry (HKCU) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win | Holds Obfuscated Command |