ï»żE-Banking Fraud: SCMBANKER Malware Leverages 'ClickFix' Lures to Hijack Financial Terminals
Executive Summary
Security researchers at Elastic Security Labs have disclosed a highly targeted, hands-on financial fraud campaign targeting banking, fintech, and cryptocurrency users across Mexico. Operating under the threat activity cluster REF6045, the campaign utilizes highly deceptive "ClickFix" fake CAPTCHA verification pages to compromise endpoints. Once a victim is tricked into running a malicious terminal command, the threat actor deploys a specialized PowerShell-based malware toolkit named SCMBANKER. Engineered to run silently on local machines, SCMBANKER intercepts active e-banking sessions, locks screens behind simulated bank warnings, alters copied bank account details via clipboard hijacking, and deploys commercial Remote Access Trojans (RATs) to execute complete financial account takeovers.
Deep-Dive Technical Analysis
The SCMBANKER attack sequence, monitored by Elastic Security Labs, highlights a worrying escalation in "operator-assisted" banking fraud that bypasses traditional browser sandboxing and secure connection alerts:
1. The ClickFix Lure and Fake CAPTCHAs: The campaign begins when a user is directed to a compromised website or a malicious advertisement. The page displays a highly realistic, simulated CAPTCHA verification prompt or a "browser error" warning.
2. Coerced Powershell Execution: To bypass the CAPTCHA or "fix" the error, the page instructs the user to press a combination of keys (such as Windows Key + R to open the Run dialog), paste a clipboard string, and press Enter. Behind the scenes, the ClickFix website utilizes automatic JavaScript scripts to copy a pre-crafted, encoded PowerShell command directly into the user's clipboard. When the user pastes and runs the command, they unwittingly download and execute the first-stage downloader.
3. The SCMBANKER Payload Capabilities: Once SCMBANKER is installed, the operator gains extensive control over the victim's web and desktop activities:
* Session Monitoring: The malware continuously monitors active process logs. When it detects that the user has opened a web browser session targeting a specific list of Mexican banking, fintech, or payment processing portals, it alerts the operator.
* Screen Locking and Social Engineering: The malware can freeze the victim's screen, displaying a highly realistic, full-screen bank warning or "system maintenance" alert. It prompts the user to input administrative PINs or redirects them to a live phone interaction with a fraudulent support agent.
* Clipboard Hijacking (Account Replacement): SCMBANKER active monitors the system clipboard. If the user copies a long string of numbers resembling a bank account number (Clabe) or a cryptocurrency wallet address, the malware instantly replaces the copied string with an account number controlled by the attacker, redirecting transfers during standard copy-paste operations.
4. Deploying Commercial RATs for Full Takeover: If the operator requires deeper access to execute transactions, SCMBANKER is configured to dynamically download and deploy full-scale commercial Remote Access Trojans (such as NetSupport RAT or Lumma), granting the attacker permanent, administrative interactive shell control over the endpoint.
Industry Impact and Recommendations
The SCMBANKER campaign highlights the danger of ClickFix social-engineering techniques, which shift the execution burden directly onto the victim. By tricking users into manually executing commands, threat actors completely sidestep automated browser defenses, including Google Safe Browsing and secure URL filters.
We recommend that all enterprise administrators, financial security officers, and individual developers implement the following immediate mitigations:
1. Enforce Developer and Employee Security Awareness: Conduct immediate training programs emphasizing that legitimate websites, cloud verification portals, and bank services will never require users to copy-paste commands into their Run dialog boxes, Terminal shells, or PowerShell environments.
2. Restrict PowerShell Execution Policies: Configure Group Policy Objects (GPOs) or MDM configurations to restrict standard, non-administrative users from executing unverified PowerShell scripts. Enforce PowerShell Constrained Language Mode (CLM) and validate script execution policies.
3. Deploy Advanced Endpoint Detection (EDR): Install advanced EDR tools configured to immediately flag and block anomalous parent-child process chains, such as standard web browsers (chrome.exe, msedge.exe) spawning CLI commands, command prompts, or PowerShell instances.
4. Implement Clipboard Integrity Safeguards: Encourage users to manually double-check and verify bank account numbers and destination routing addresses prior to executing any financial transactions, especially if the details were copied from digital documents or email chains.
References
* The Hacker News â SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
* Check Point Research â 6th July Threat Intelligence Report