Velvet Tempest Links Termite Ransomware to ClickFix CastleRAT Campaign

Campaign Overview

Security researchers at BleepingComputer have identified connections between recent Termite ransomware breaches and the threat actor group Velvet Tempest. The attackers are leveraging the ClickFix social engineering technique alongside legitimate Windows utilities to deploy a multi-stage infection chain.

Attack Chain Analysis

The campaign follows a sophisticated multi-stage approach:

Initial Access

Velvet Tempest employs the ClickFix technique, a social engineering method that tricks users into executing malicious code by presenting fake error messages or system prompts that require user interaction to "fix" supposed issues.

Payload Deployment

Once initial access is achieved, the threat actors deploy:

DonutLoader: A reflective loader that executes shellcode and .NET assemblies directly in memory
CastleRAT: A remote access trojan providing persistent backdoor access to compromised systems

Living-off-the-Land Tactics

The attackers extensively use legitimate Windows utilities to blend their activities with normal system operations, making detection significantly more challenging for security teams.

Technical Implications

This campaign demonstrates several concerning trends in ransomware operations:

Social Engineering Evolution: The ClickFix technique represents a refinement in social engineering tactics, exploiting users' willingness to resolve apparent system issues
Evasion Sophistication: By leveraging legitimate Windows tools, attackers reduce their malware footprint and increase the likelihood of bypassing security controls
Multi-Stage Infections: The use of multiple payloads allows for greater operational flexibility and redundancy

Detection and Mitigation

Security teams should focus on:

Monitoring for unusual execution of legitimate Windows utilities in suspicious contexts
Implementing user awareness training specifically covering social engineering techniques like ClickFix
Deploying behavioral analysis tools capable of detecting multi-stage infection chains
Establishing baseline behaviors for system utilities to identify anomalous usage patterns

Sources

https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/

Campaign Overview

Attack Chain Analysis

The campaign follows a sophisticated multi-stage approach:

Initial Access

Payload Deployment

Once initial access is achieved, the threat actors deploy:

DonutLoader: A reflective loader that executes shellcode and .NET assemblies directly in memory

CastleRAT: A remote access trojan providing persistent backdoor access to compromised systems

Living-off-the-Land Tactics

The attackers extensively use legitimate Windows utilities to blend their activities with normal system operations, making detection significantly more challenging for security teams.

Technical Implications

This campaign demonstrates several concerning trends in ransomware operations:

Social Engineering Evolution: The ClickFix technique represents a refinement in social engineering tactics, exploiting users' willingness to resolve apparent system issues

Evasion Sophistication: By leveraging legitimate Windows tools, attackers reduce their malware footprint and increase the likelihood of bypassing security controls

Multi-Stage Infections: The use of multiple payloads allows for greater operational flexibility and redundancy

Detection and Mitigation

Security teams should focus on:

Monitoring for unusual execution of legitimate Windows utilities in suspicious contexts

Implementing user awareness training specifically covering social engineering techniques like ClickFix

Deploying behavioral analysis tools capable of detecting multi-stage infection chains

Establishing baseline behaviors for system utilities to identify anomalous usage patterns