SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
SCMBANKER (REF6045) is a new banking malware cluster targeting Mexican financial institutions using ClickFix lures disguised as CAPTCHA verifications. The toolkit leverages Large Language Models (LLMs) for code generation, resulting in a mix of clean, commented code and obfuscated, poorly crafted scripts. Attackers use social engineering tactics like fake Windows Update screens and persistent UAC prompts to force administrative privileges and maintain victim attention. Capabilities include banki
Analysis
TL;DR
- SCMBANKER (REF6045) is a new banking malware cluster targeting Mexican financial institutions using ClickFix lures disguised as CAPTCHA verifications.
- The toolkit leverages Large Language Models (LLMs) for code generation, resulting in a mix of clean, commented code and obfuscated, poorly crafted scripts.
- Attackers use social engineering tactics like fake Windows Update screens and persistent UAC prompts to force administrative privileges and maintain victim attention.
- Capabilities include banking session monitoring, clipboard hijacking for CLABE/card numbers, vishing overlays, and deployment of commercial Remote Access Tools (RATs).
- Operational security failures allowed researchers to retrieve the full web root, revealing the infrastructure and modular PowerShell-based architecture.
Why It Matters
This incident highlights the growing trend of threat actors utilizing AI tools to accelerate malware development, even if the resulting code quality varies. It demonstrates how simple social engineering techniques, combined with persistent user interaction requirements, can bypass traditional security controls. For defenders, it underscores the need to monitor for unusual PowerShell activities and fake UI overlays that mimic system updates or security warnings.
Technical Details
- Initial Access: Victims are directed to fake CAPTCHA pages (e.g., identifying fire hydrants) that instruct them to paste a malicious command into the Windows Run dialog, triggering a batch script.
- Persistence and Privilege Escalation: The script uses
bitsadminto download components, repeatedly prompts for UAC elevation every 20 seconds, and locks mouse movement to prevent users from closing the distraction window (fake Windows Update onfakeupdate.net). - Modular Architecture: A VBScript launcher (
run.vbs) executes multiple parallel PowerShell modules:edifhjwe.ps1: Self-update mechanism.cliente.ps1: C2 beacon and implant control.clip.ps1/clip2.ps1: Clipboard hijacking for CLABE and card numbers.ini.ps1/jujuzkt.ps1: Banking monitor that screenshots and logs keystrokes when Mexican bank windows are detected.rotor2.ps1/mensaje1.ps1: Vishing engine displaying fake security warnings to force phone calls.remo.ps1/jujuzkt2.ps1: Browser redirector sending victims to phishing sites via clipboard injection.
- AI-Assisted Development: Code analysis reveals signs of LLM assistance, characterized by descriptive function names and heavy comments juxtaposed with shortened variables and manual obfuscation, suggesting the use of inline coding assistants like Copilot or Cursor.
Industry Insight
- AI in Cybercrime: The presence of AI-generated code indicates that attackers are increasingly adopting generative AI to lower the barrier to entry for sophisticated malware development, necessitating updated detection signatures for AI-specific code patterns.
- User-Centric Defense: The reliance on prolonged user interaction (UAC prompts, fake updates) suggests that security awareness training focusing on recognizing these specific social engineering traps could significantly reduce infection rates.
- Monitoring PowerShell: Given the heavy use of PowerShell for modular execution and C2 communication, organizations should implement strict application whitelisting and behavioral monitoring for suspicious PowerShell activities, especially those involving clipboard manipulation or remote downloads.
Disclaimer: The above content is generated by AI and is for reference only.