B (3:43)

Yeah, I mean you mentioned certainly I think of image formats as being benign, but this use of steganography shows that that's not always the case.

C (3:54)

Yeah, exactly. And if you were to even analyze the image yourself or inspect would look benign if you didn't have the context in which the malware was unpacking it and unraveling it, it is really hard to extract what is actually going on and extract that malicious code. And this is why it's so effective. You can have malware embedded with images and they can be written to disk and antivirus can scan them all they want, but they won't be able to identify the hidden payload with inside the image because the method in which the malware is extracted using steganography, it's really hard for antiviruses to automatically detect that.

B (4:42)

Well, the research describes two versions of the lure here, the robot verification page and there's a fake Windows Update screen. Can you describe to us how are these different and what makes the update themed lure so convincing?

C (4:58)

Yeah, of course. So when we've got clickfix campaigns, we've got two real core components, we've got the lure and this is where we trick the user into actually copying or pasting and running a command and then we've got the actual malware. And this is as a result of the command. And the lure is really the most important part. The lure is where you convince the user or you trick the user that they need to do something, they need to copy a command or they need to maybe follow these steps in order to enter the website. So the first case was the robot verification or this is more one of the traditional click fix, fake capture type laws that we've been seeing for the good part of a year now. This, this, this lure was I believe likely vibe coded or AI developed in it. It didn't really look too genuine. However, we still see victims and it still tricks people. This could be because they're going to a trusted website, maybe a website which is they visit often and it's been compromised and they're just getting a pop up. And to somebody who works in tech or one of us in cybersecurity, it may be obvious that this is suspicious or unexpected. But for most people or for all people, this is not the case. And especially with ClickFix, which is a new threat, which is something which has only been around for a few years and it's not in everyone's security awareness training packages, we've got the Windows Update lil which we've been seeing only in the last few months. And this is very different to the traditional click fix lures which where you would visit the website and you'd be given a fake captcha or some pop up in order to access the website you were meant to be originally visiting with. The Windows Update lure when you visit the website it will try trick you into thinking Windows has started an update sequence and your browser will go into full screen, your mouse cursor will go hidden, you won't be able to see it and you will see the blue Windows update screen and it follows the sequence and you'll wait for 30, 40 seconds and then you're given the classic click fix instructions to press control R or Windows key R on your keyboard and that's to open the Windows run box and then the JavaScript in the background automatically copies to the clipboard a malicious command. And the lure instructs the user to paste the command into that Windows run box and then press Enter. And a lot of users would do this. Their screen would go into full screen. They may not be able to get out of that. They wouldn't be able to see their cursor. So a lot of users wouldn't know what to do in this position. And they're unlikely to call up it or ask for help when they've got some instructions right in front of them saying how they can potentially fix this issue. And this is why we saw it was so effective. And when the user presses enter and they run the command at that point, seconds later, malware Infinity malware is running. It is looking throughout the computer commonplaces on disk for browser credentials. Maybe there's cryptocurrency wallets, maybe there are sensitive files. And the infosteel malware will look in all these places and then it will exfiltrate it and steal it. And this data will be now in the hands of a criminal who can either sell it or use it.

B (8:48)

We'll be right back.

D (8:51)

The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work built into Word, Excel, PowerPoint and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com M365 copilot starting a business.

A (9:21)

Can seem like a daunting task unless you have a partner like Shopify. They have the tools you need to Start and grow your business. From designing a website to marketing, to selling and beyond. Shopify can help with everything you need. There's a reason millions of companies like Mattel, Heinz and Allbirds continue to trust and use them. With Shopify on your side, turn your big business idea into sign up for your $1 per month trial@shopify.com specialoffer.

B (9:53)

So it is a multi stage execution chain? Yes.

C (9:58)

Yes it is. So when I say we've got this, it's two parts, right? There's the lure and then the malware. The malware execution chain is itself made up of four or five stages. So it starts off with the user, as I mentioned, being told to paste a command. And when they paste the command, there will be a MSHTA executable. This is Microsoft's HTML application. This is native to Windows. This is a signed binary. This is legitimate and it won't trigger an antivirus detection. However, the context in which this MSHTA binary, we call them living off the land because they're native to Windows, but they can be abused for malicious activity. Well, it will download an additional payload and it will run this in memory, once again, avoiding disk, avoiding antivirus. And then this next payload will Download us a PowerShell script, and then the PowerShell script itself will decrypt and dynamically load some more code. And it sort of goes through this stage of going from one binary to another and decrypting some content until we've got this final stage where we've got a NET binary, and inside the net binary embedded within it is an image. This is where the steganography piece comes into it. Again, this is a PNG image and the PNG images are made up of pixels and each pixel has color information. We often refer to the color information RGB or rgba. And if you looked at this particular PNG image and you only looked at the strength, the number representing the R pixel, and you did some operations with this, you did some exclusive or bitwise operations and you would eventually extract the shellcode and the malware would do this. It would extract the shellcode and then inject it. And this happens instantaneously, basically after a user presses enter. However, it does take a while to unravel the campaign and go through each of the stages because the threat actors had put a lot of effort into obfuscating and using steganography. That is something we don't often see. And it's clear they wanted to make analysts like myself lives harder by splitting up into so many different stages. And also make it harder for antivirus and other EDRs to detect by obfuscating it.

B (12:46)

Well, your research mentions the payload, so you talk about Things like Luma C2 and the Rhadamanthus stealer. What are the capabilities of these infostealers?

C (12:58)

So, yeah, Luma Situ and Rhodamanthus, these are super well known infosteelers. They are known as and sort of malware as a service. So if you go on some of the dark web forums, you can buy sort of, I guess, licenses or access to LUMA C2 and Radamanthis. And then as a criminal, as a cybercriminal, you can go out and you can use this malware which you haven't developed yourself, but you're buying access to it. And then you can use this malware in these clicks fix campaigns. But these are both infostealers and to answer the question about the capabilities, they're both advanced info stealers that can capture a very wide range of credentials. So if you're using any sort of common browser that you would use on Windows or machine, the credentials in the browser if this infosteel was run may be exfiltrated. If you were using Outlook or maybe some of the common applications, once again these would be pillaged. The malware would strategically go through disk looking for common file paths which are hard coded where these credentials can be found. There is also interest in cryptocurrency. Cryptocurrency wallets and keys. Luma C2 can do an interesting capability. It can intercept clipboard information. So let's say you are, you're doing a transaction, a crypto transaction on your computer. Luma Infoseela can intercept the crypto wallets and the crypto keys as they're in the clipboard and they can detect them in the clipboard as being these keys and exfiltrate them back to the threat actor, which is an interesting way of stealing this data. But both of these are both info stealers. And recently, interestingly, both of these info stealers have been involved in takedowns this year. More recently, I think that was on the Operation Endgame. So Europol takedown, a coordinated law enforcement takedown of Rhadamanthis infrastructure, which was great to see. However, Luma C2 also, there was a takedown back in May. I don't think these are. They're going to stop them permanently. Infrastructure is going to be probably rebuilt over time and we may see them resurface.

B (15:34)

Who do you suppose is behind this? Is this a named threat actor?

C (15:41)

The Threat actors go by the malware names of Luma C2. They that is like an account on the forums. They will advertise as that. I don't know the individual. They often advertise on Russian cybercrime forums and they often advertise in Russian, which may suggest the identity, but I have no evidence to suggest that.

B (16:07)

Yeah, how do you rate their sophistication here?

C (16:13)

So these are low. We're talking about info stealers and these aren't zero days. We're not talking about APTS or nation state threats. These are info stealers which are targeting organizations via fresh phishing or sort of opportunistic threats. So as a whole, these aren't a super sophisticated threat, but they're a high impact threat. Info stealers as a whole are the most prolific malware we see in the wild. They're the most delivered. If you're going to have malware execution on the host, chances are it is an info stealer.

B (16:54)

Well, let's talk about defenses here. I mean, from a practical point of view, what should organizations be doing to protect themselves?

C (17:02)

That is a really, really good question. And there are a few good things organizations should be doing. And I really think most importantly is security awareness training that involves click fix and these fake capture techniques. I mentioned before, everyone or most people who've worked in a corporate job have been through some security awareness training where they've been told about the phishing threats and they've been told about the Nigerian princes, but most people aren't aware of what clickfix is and most people don't know that they shouldn't just copy and paste and run random commands that they're told to on websites. This isn't a known malicious thing to most normal people. So security awareness training is really important. But as we all know, the same with phishing, right? It doesn't always work. And this is why we need to implement stronger mitigation. So this could be blocking the Windows run box. You can do this by a group policy. You could make a registry modification to stop the Windows run box being able to pop up. And you can do the same with PowerShell. If I was a sysadmin, I was in a domain, I would use group policy and potentially lock it down to users who aren't in it because I don't know, there's bound to be one sysadmin which can complain about the run box being disabled, but that is a great way you can control it.

B (18:46)

Our thanks to Ben Folland from Huntress for joining us. The research is titled Click Fix Gets Malware Buried in Images. We'll have a link in the Show Notes and that's Research Saturday Brought to you by N2K CyberWire we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes, were mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's challenge, toughest challenges, and shaping what comes next. Register today at rsaconference.com cyberwire26 I'll see you in San Francisco.