
Recent findings indicate that ClearFake, an emerging threat using compromised WordPress sites to promote malicious counterfeit browser updates, is possibly orchestrated by the same threat group responsible for the SocGholish schemes. This connection was made by researchers at Sekoia.
ClearFake, named by researcher Randy McEoin, came to wide attention in August 2023. The name "ClearFake" refers to its heavy use of JavaScript that is not obfuscated at all.
The operators behind ClearFake compromise WordPress sites and inject JavaScript into them. That script then downloads a second JavaScript payload, either from an attacker-controlled domain or, as observed since September 28, from the result of a query to a smart contract on the Binance Smart Chain.
Once downloaded, the payload creates an iframe element to hold the counterfeit update interface, which hides the original page, and then fetches the fake update page itself: its HTML and its supporting content.
When users access the compromised website, they are presented with a counterfeit update page for Chrome, Edge, and Firefox. It informs users of the necessity to update their browser to access the website’s content.
ClearFake's counterfeit Chrome update page (image: Sekoia). Proofpoint researchers note that these counterfeit update pages are served in several languages, including English, French, German, Spanish, and Portuguese, selected according to the user's browser language preference.
Unwary users who proceed with the download (hosted on Dropbox) receive a genuine browser installer bundled with malicious software, such as the modular HijackLoader or the similar IDAT loader.
Sekoia's research team described HijackLoader's features, which include several evasion tactics such as code injection, direct syscalls, Windows API hashing, and more. Recently, HijackLoader has been observed delivering a range of commodity malware, from Danabot and Lumma to Vidar.
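The injection chain described above (an injected inline script that fetches its next stage through a Binance Smart Chain RPC call and then builds an iframe overlay, plus a loader pulled from an attacker domain) lends itself to a simple page-source scanner a site owner can run over their own WordPress pages. The following is an added example written for this article, not code from Sekoia, Proofpoint or the campaign itself; the trusted-origin allow-list, the sample pages and the placeholder domains are constructed, and the BSC hostname and JSON-RPC method patterns are public conventions kept as an assumption to tune against real telemetry.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: origins the site legitimately loads scripts from (tune per site).
TRUSTED_ORIGINS = {"example-blog.test", "cdn.example-blog.test"}
# Heuristics for the behaviour described above: inline JS fetching the next stage
# through a Binance Smart Chain RPC call, and JS building the iframe overlay.
# Hostnames/method names are public BSC conventions, an assumption to tune.
BSC_RPC = re.compile(r"bsc-dataseed|binance\.org|\beth_call\b", re.I)
IFRAME_BUILD = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)

class InjectedScriptScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None  # relative src -> no host
        if host and host not in TRUSTED_ORIGINS:
            self.findings.append(f"external script from untrusted origin: {host}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data verbatim.
        if not self._in_script:
            return
        if BSC_RPC.search(data):
            self.findings.append("inline script contacts a BSC RPC endpoint")
        if IFRAME_BUILD.search(data):
            self.findings.append("inline script builds an iframe")

def scan_page(html):
    scanner = InjectedScriptScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed samples: a clean page and one carrying the injected loader.
CLEAN_PAGE = '<html><body><script src="https://cdn.example-blog.test/app.js"></script></body></html>'
INJECTED_PAGE = ('<html><body><p>Hi</p><script>fetch("https://bsc-dataseed.binance.org/",'
    '{method:"POST",body:JSON.stringify({method:"eth_call"})}).then(r=>r.json()).then(j=>{'
    'var f=document.createElement("iframe");document.body.appendChild(f);});</script>'
    '<script src="https://updates.attacker.test/x.js"></script></body></html>')
```

Running `scan_page` over a crawl of the site's rendered pages and alerting on any non-empty result gives a cheap first-pass check; a clean page returns an empty list, while the injected sample returns three findings.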
With the combination of the “counterfeit updates” enticement and the watering hole strategy, ClearFake’s orchestrators target a diverse user base, enabling widespread malware distribution.
Although Proofpoint has not attributed ClearFake's activity to a known group, Sekoia suggests a connection to SocGholish, based on overlapping tactics, techniques, and procedures, including the use of watering holes and counterfeit update lures.
Regardless of this connection, other entities are employing similar deceptive tactics. Proofpoint has documented activities linked to RogueRaticate/FakeSG and ZPHP/SmartApeSG.
Sekoia pointed out how effective counterfeit browser updates are as a malware delivery strategy, as demonstrated by SocGholish and TA569. New actors are observing and adopting these tactics, and their threats may well evolve over time.
To fortify their defenses, organizations must invest in user awareness, robust endpoint defenses, and vigilant network monitoring.
Experts also recommend the infosec.exchange account @monitorsg as a useful way to keep up with the latest developments in this threat. The Emerging Threats Ruleset provides domain rules for current campaigns and frequently publishes new rules against counterfeit browser update schemes.