AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 46

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users SCMBANKER恶意软件利用ClickFix诱饵针对墨西哥银行用户

SCMBANKER (REF6045) is a new banking malware cluster targeting Mexican financial institutions using ClickFix lures disguised as CAPTCHA verifications. The toolkit leverages Large Language Models (LLMs) for code generation, resulting in a mix of clean, commented code and obfuscated, poorly crafted scripts. Attackers use social engineering tactics like fake Windows Update screens and persistent UAC prompts to force administrative privileges and maintain victim attention. Capabilities include banki Elastic Security Labs发现名为SCMBANKER的新型恶意软件集群(REF6045),专门针对墨西哥银行及加密货币用户,利用ClickFix诱饵进行传播。 攻击者利用大型语言模型(LLM)辅助开发恶意代码,导致代码呈现“AI生成注释”与“手动混淆变量”并存的特征,且存在明显的操作安全漏洞。 SCMBANKER具备银行会话监控、剪贴板劫持、虚假电话交互覆盖(Vishing)及远程访问工具(RAT)部署等能力,可实现对受害者的部分或完全控制。 感染过程通过伪造CAPTCHA验证页面诱导用户执行PowerShell命令,随后利用假Windows更新界面分散注意力以获取管理员权限并

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • SCMBANKER (REF6045) is a new banking malware cluster targeting Mexican financial institutions using ClickFix lures disguised as CAPTCHA verifications.
  • The toolkit leverages Large Language Models (LLMs) for code generation, resulting in a mix of clean, commented code and obfuscated, poorly crafted scripts.
  • Attackers use social engineering tactics like fake Windows Update screens and persistent UAC prompts to force administrative privileges and maintain victim attention.
  • Capabilities include banking session monitoring, clipboard hijacking for CLABE/card numbers, vishing overlays, and deployment of commercial Remote Access Tools (RATs).
  • Operational security failures allowed researchers to retrieve the full web root, revealing the infrastructure and modular PowerShell-based architecture.

Why It Matters

This incident highlights the growing trend of threat actors utilizing AI tools to accelerate malware development, even if the resulting code quality varies. It demonstrates how simple social engineering techniques, combined with persistent user interaction requirements, can bypass traditional security controls. For defenders, it underscores the need to monitor for unusual PowerShell activities and fake UI overlays that mimic system updates or security warnings.

Technical Details

  • Initial Access: Victims are directed to fake CAPTCHA pages (e.g., identifying fire hydrants) that instruct them to paste a malicious command into the Windows Run dialog, triggering a batch script.
  • Persistence and Privilege Escalation: The script uses bitsadmin to download components, repeatedly prompts for UAC elevation every 20 seconds, and locks mouse movement to prevent users from closing the distraction window (fake Windows Update on fakeupdate.net).
  • Modular Architecture: A VBScript launcher (run.vbs) executes multiple parallel PowerShell modules:
    • edifhjwe.ps1: Self-update mechanism.
    • cliente.ps1: C2 beacon and implant control.
    • clip.ps1/clip2.ps1: Clipboard hijacking for CLABE and card numbers.
    • ini.ps1/jujuzkt.ps1: Banking monitor that screenshots and logs keystrokes when Mexican bank windows are detected.
    • rotor2.ps1/mensaje1.ps1: Vishing engine displaying fake security warnings to force phone calls.
    • remo.ps1/jujuzkt2.ps1: Browser redirector sending victims to phishing sites via clipboard injection.
  • AI-Assisted Development: Code analysis reveals signs of LLM assistance, characterized by descriptive function names and heavy comments juxtaposed with shortened variables and manual obfuscation, suggesting the use of inline coding assistants like Copilot or Cursor.

Industry Insight

  • AI in Cybercrime: The presence of AI-generated code indicates that attackers are increasingly adopting generative AI to lower the barrier to entry for sophisticated malware development, necessitating updated detection signatures for AI-specific code patterns.
  • User-Centric Defense: The reliance on prolonged user interaction (UAC prompts, fake updates) suggests that security awareness training focusing on recognizing these specific social engineering traps could significantly reduce infection rates.
  • Monitoring PowerShell: Given the heavy use of PowerShell for modular execution and C2 communication, organizations should implement strict application whitelisting and behavioral monitoring for suspicious PowerShell activities, especially those involving clipboard manipulation or remote downloads.

TL;DR

  • Elastic Security Labs发现名为SCMBANKER的新型恶意软件集群(REF6045),专门针对墨西哥银行及加密货币用户,利用ClickFix诱饵进行传播。
  • 攻击者利用大型语言模型(LLM)辅助开发恶意代码,导致代码呈现“AI生成注释”与“手动混淆变量”并存的特征,且存在明显的操作安全漏洞。
  • SCMBANKER具备银行会话监控、剪贴板劫持、虚假电话交互覆盖(Vishing)及远程访问工具(RAT)部署等能力,可实现对受害者的部分或完全控制。
  • 感染过程通过伪造CAPTCHA验证页面诱导用户执行PowerShell命令,随后利用假Windows更新界面分散注意力以获取管理员权限并静默安装组件。

为什么值得看

本文揭示了AI生成代码在恶意软件开发中的具体应用模式及其遗留的指纹特征,为安全研究人员识别AI辅助攻击提供了新的检测思路。同时,该案例展示了针对特定地区金融生态系统的精细化社会工程学攻击手法,对金融机构的风险防控具有重要警示意义。

技术解析

  • 传播与初始感染:攻击始于伪装成Google reCAPTCHA的虚假验证页面,要求用户识别消防栓图片。验证后,页面指示用户将恶意命令复制到Windows运行对话框中,触发批处理脚本执行。
  • 权限提升与持久化:脚本通过每20秒弹出一次UAC提示并锁定鼠标来迫使受害者授予管理员权限。安装完成后,通过Windows启动文件夹和注册表Run键实现持久化,并利用VBScript作为主启动器并行加载多个模块。
  • 模块化功能架构:恶意软件包含多个PowerShell模块,分别负责自我更新(edifhjwe.ps1)、C2信标(cliente.ps1)、RAT下载(avs.ps1)、剪贴板劫持(clip.ps1/clip2.ps1)以及银行活动监控(jujuzkt.ps1)。
  • AI辅助开发特征:代码中存在大量描述性函数名和解释性注释,与简短的手动混淆变量并存,且注释位置紧贴代码行,表明作者可能使用了Copilot或Cursor等内联编码助手,并在事后进行了手动混淆。
  • 操作安全失误:攻击者因基础设施配置错误,在开放目录中泄露了包含完整Web根目录的ZIP压缩包,使研究人员得以逆向分析其全部组件和逻辑。

行业启示

  • AI双刃剑效应:攻击者正广泛利用LLM降低恶意软件开发门槛,安全团队需建立针对AI生成代码特征(如特定注释风格、变量命名习惯)的检测机制,以应对日益智能化的网络威胁。
  • 社会工程学升级:结合虚假UI反馈(如假更新屏幕)和心理操控(如UAC弹窗轰炸)的多阶段攻击手法,要求企业和用户加强对非标准系统行为和多因素验证流程的警惕性。
  • 供应链与基础设施安全:即使是攻击者也会因基本的操作安全疏忽(如开放目录权限)而暴露自身,这提示组织应定期审计外部服务和内部配置,防止敏感数据意外泄露。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全