
Today, Mandiant Threat Defense published new research on a multi-stage threat that begins with a deceptive social engineering tactic and leads to the deployment of a versatile backdoor. Our research, "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor," details an access-as-a-service scheme where the threat actor UNC5518 uses fake CAPTCHA pages to trick users into providing initial access for other threat groups.

This initial access is then leveraged by actors like UNC5774 to deploy the CORNFLAKE.V3 backdoor. This malware, seen in both JavaScript (via Node.js) and PHP variants, allows attackers to establish persistence, conduct reconnaissance, and execute additional payloads, including credential harvesting tools and other backdoors. The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box.

Given the reliance on social engineering and the abuse of legitimate software like Node.js and PHP, it is critical for organizations to focus on both user education and proactive threat hunting.

For a complete technical analysis of the malware and the threat actors involved, please read the full blog here.

Recommendations

  • Educate Users: Train employees to recognize and avoid social engineering tactics like ClickFix. Specifically, instruct them never to copy and paste commands from a website into a PowerShell window or the Windows Run dialog box.
  • Harden Endpoints: Where feasible for your environment, consider using Group Policy or other endpoint management tools to disable the Windows Run command (Windows+R) to mitigate this specific infection vector.
  • Hunt for Compromise: Actively search for signs of this activity in your environment using the hunting queries provided below. Early detection of the initial downloader script can prevent the deployment of the backdoor and subsequent malicious activity.
  • Monitor Process Activity: Monitor for suspicious process chains, such as powershell.exe downloading files from the internet and subsequently launching interpreters like node.exe or php.exe from non-standard user profile directories (e.g., %APPDATA%).

Google Cloud Security Protections for CORNFLAKE.V3

For Google Security Operations Enterprise and Enterprise+ customers, relevant product threat detections have been automatically delivered to your tenants as part of the Mandiant Intel Emerging Threats curated detections rule set.

The following detections can help identify the activity discussed in this blog:

  • Powershell Executing NodeJS
  • Powershell Writing To Appdata
  • Suspicious Clipboard Interaction
  • NodeJS Reverse Shell Execution
  • Download to the Windows Public User Directory via PowerShell
  • Run Utility Spawning Suspicious Process
  • WSH Startup Folder LNK Creation
  • Trycloudflare Tunnel Network Connections

If you are a SecOps Standard or legacy Chronicle SIEM customer, you can leverage the same detection logic by downloading the rules from our community.

Detection Through Google Security Operations

SecOps Hunting Queries

The UDM queries below can be used to identify potential compromises within your environment.

Execution of CORNFLAKE.V3 - Node.js

Search for potential compromise activity where PowerShell is used to launch node.exe from the %AppData% path with the -e argument, indicating direct execution of a malicious JavaScript string.

metadata.event_type = "PROCESS_LAUNCH"
principal.process.file.full_path = /powershell\.exe/ nocase
target.process.file.full_path = /appdata\\roaming\\.*node\.exe/ nocase
target.process.command_line = /"?node\.exe"?\s*-e\s*"/ nocase

Execution of CORNFLAKE.V3 - PHP

Search for compromise activity where PowerShell is executing php.exe from the %AppData% path. This variant is characterized by the use of the -d argument, executing a PHP script without a .php file extension, and passing the argument 1 to the PHP interpreter, indicating covert execution of malicious PHP code.

metadata.event_type = "PROCESS_LAUNCH"
principal.process.file.full_path = /powershell\.exe/ nocase
target.process.file.full_path = /appdata\\roaming\\.*php\.exe/ nocase
target.process.command_line = /"?php\.exe"?\s*-d\s.*1$/ nocase
target.process.command_line != /\.php\s*/ nocase

CORNFLAKE.V3 Child Process Spawns

Search for suspicious process activity where cmd.exe or powershell.exe are spawned as child processes of node.exe or php.exe when those executables are located in %AppData%.

metadata.event_type = "PROCESS_LAUNCH"
principal.process.file.full_path = /appdata\\roaming\\.*node\.exe|appdata\\roaming\\.*php\.exe/ nocase
target.process.file.full_path = /powershell\.exe|cmd\.exe/ nocase

Suspicious connections to Node.js/PHP domains

Search for unusual network connections initiated by powershell.exe or mshta.exe to legitimate Node.js (nodejs.org) or PHP (windows.php.net) infrastructure domains.

metadata.event_type = "NETWORK_CONNECTION"
principal.process.file.full_path = /powershell\.exe|mshta\.exe/ nocase
target.hostname = /nodejs\.org|windows\.php\.net/ nocase
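As an added example that is not part of the original post or the SecOps rule set, the three PROCESS_LAUNCH hunting queries above (and the process-chain monitoring recommendation) are re-expressed as Python regexes and run over constructed telemetry, so the logic, including the .php exclusion and the non-match on a normal Node.js install path, can be checked offline. The flat field names (principal_path, target_path, target_cmdline) are an assumed flattening of the UDM fields; every path and command line is a constructed placeholder.

```python
import re

# The three PROCESS_LAUNCH hunting queries from the post as Python regexes;
# re.IGNORECASE stands in for UDM's "nocase". Fields per rule: name,
# principal (parent) path, target (child) path, command line, exclusion.
RULES = [
    ("CORNFLAKE.V3 Node.js execution", r"powershell\.exe",
     r"appdata\\roaming\\.*node\.exe", r'"?node\.exe"?\s*-e\s*"', None),
    ("CORNFLAKE.V3 PHP execution", r"powershell\.exe",
     r"appdata\\roaming\\.*php\.exe", r'"?php\.exe"?\s*-d\s.*1$', r"\.php\s*"),
    ("CORNFLAKE.V3 child process spawn", r"appdata\\roaming\\.*(?:node|php)\.exe",
     r"powershell\.exe|cmd\.exe", None, None),
]

def _matches(pattern, text):
    # A None pattern means the rule does not constrain that field.
    return pattern is None or re.search(pattern, text, re.IGNORECASE) is not None

def match_rules(event):
    """Return the names of the rules that fire on one flattened UDM-like event."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return []
    cmdline = event.get("target_cmdline", "")
    hits = []
    for name, ppath, tpath, cmd, excl in RULES:
        if (_matches(ppath, event.get("principal_path", ""))
                and _matches(tpath, event.get("target_path", ""))
                and _matches(cmd, cmdline)
                and not (excl and re.search(excl, cmdline, re.IGNORECASE))):
            hits.append(name)
    return hits

# Constructed sample telemetry (placeholder paths and commands, not real IOCs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\alice\AppData\Roaming\node-v22\node.exe"
PHP = r"C:\Users\alice\AppData\Roaming\php\php.exe"
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "principal_path": PS, "target_path": NODE,
     "target_cmdline": '"node.exe" -e "PLACEHOLDER_JS"'},
    {"event_type": "PROCESS_LAUNCH", "principal_path": PS, "target_path": PHP,
     "target_cmdline": r'"php.exe" -d display_errors=0 C:\Users\alice\AppData\Roaming\php\cfg 1'},
    {"event_type": "PROCESS_LAUNCH", "principal_path": NODE,
     "target_path": r"C:\Windows\System32\cmd.exe", "target_cmdline": "cmd.exe /c ver"},
    # Node from its normal install path: the -e flag alone must not fire.
    {"event_type": "PROCESS_LAUNCH", "principal_path": PS,
     "target_path": r"C:\Program Files\nodejs\node.exe",
     "target_cmdline": 'node.exe -e "console.log(1)"'},
]
```

Running match_rules over SAMPLE_EVENTS fires exactly one rule on each of the first three events and none on the fourth.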

 

Google Threat Intelligence Resources

Additional IOCs and details are also available to customers in the following reports:

UNC5518 "Financially Motivated Threat Actor Distributes Several Payloads via Drive-By Downloads of Fake Browser Updates"

UNC5774 "Suspected Financially Motivated Threat Actor Distributing CORNFLAKE via Fake Browser Update"

If you believe your systems may be compromised or require assistance responding to this activity in your environment, contact Mandiant for incident response assistance:
