name: ErrTraffic ClickFix XOR-Decoded PowerShell Dropper Analytic
signatureid: WEL-PSH135-RUN
category: 'Defense Evasion'
threatname: 'Obfuscated Files or Information: Command Obfuscation'
functionality: 'Microsoft Windows Powershell'
description: |
  Detects the distinctive XOR-decode-and-execute PowerShell pattern used by the ErrTraffic
  ClickFix distribution framework to deobfuscate and run its dropper stage. ErrTraffic is a
  Malware-as-a-Service ClickFix toolkit (operator alias "LenAI") that, since its v3 release,
  uses the EtherHiding technique (Polygon and BNB Smart Chain smart contracts) as a dead-drop
  resolver to fetch C2 infrastructure and ClickFix lure content. After the victim is socially
  engineered into pasting a "verification" command into the Run dialog or a PowerShell prompt,
  the resulting PowerShell command line carries a Base64- or character-code-encoded,
  XOR-obfuscated string that is decoded inline with -bxor against [int][char] key values
  before being invoked. This decode pattern is distinct from generic obfuscation and is
  specific to ErrTraffic's PowerShell dropper stage as published by Sekoia TDR.
reference:
- https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
- https://www.levelblue.com/blogs/spiderlabs-blog/err-hiding-and-seek-how-errtraffic-v3-leverages-etherhiding-in-clickfix-campaign
- https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
labels:
- attack.defense_evasion
- attack.t1027
- attack.t1059.001
- attack.t1204.001
- ClickFix
- ErrTraffic
- EtherHiding
- LenAI
logsource:
  service: powershell
  product: windows
detection:
  selection_comment_block:
    ScriptBlockText|startswith: '<'
  selection_xor_decode:
    ScriptBlockText|contains|all:
      - '#>'
      - '-bxor[int][char]$'
      - '[convert]::ToInt32'
      - '-lt'
  condition: selection_comment_block and selection_xor_decode
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:
TECHNICAL DETAILS
Sekoia TDR published this exact PowerShell ScriptBlockText detection logic for the
ErrTraffic framework:
detection:
selection:
action.properties.ScriptBlockText|startswith: "<"
action.properties.ScriptBlockText|contains|all:
- "#>"
- "-bxor[int][char]$"
- "[convert]::ToInt32"
- "-lt"
condition: selection
The leading "<" is the opening of a PowerShell block comment (<# ... #>), and the "#>" string
is its close. ErrTraffic's JavaScript places such a comment, wrapping a "Code Verification"
string (observed format: <# Code Verification: [12 digits] #>), at the start of the command
line it copies to the victim's clipboard. The comment has no functional effect; it exists only
to lend false legitimacy to the pasted command, and it is a stable artifact across ErrTraffic's
"Beer" cluster samples.
The remainder of the command line is a character-by-character XOR decode loop: each encoded
value is parsed with [convert]::ToInt32, XORed with -bxor against a key character cast via
[int][char], and the results are concatenated into the plaintext command (typically a
download-and-execute dropper stage), which is then run with Invoke-Expression or an equivalent.
The "-lt" string matches the loop bound (for example, $i -lt $encoded.Length).
False positives: Expected to be extremely low. The combination of a leading block comment,
-bxor followed directly by [int][char] with no whitespace, and [convert]::ToInt32 in a single
script block has no known legitimate administrative use case, and legitimate
obfuscation/deobfuscation routines in signed enterprise tooling would not typically present
this exact combination of artifacts. Two caveats when deploying: Sigma string modifiers are
case-insensitive, so confirm that the target platform's contains/startswith matching is as
well; and the rule is brittle by design (whitespace inside -bxor [int][char], a comment that
is not the first character of the script block, or a different integer-conversion call would
all evade it), so treat it as a high-fidelity indicator of the current ErrTraffic stage rather
than as a general ClickFix detection.
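As an added example that is not code from this page, from Sekoia TDR, or from ErrTraffic, the following Python re-implements the two selections (the leading block comment and the four XOR-decode strings) and runs them over constructed ScriptBlockText samples: a benign stand-in built to the layout described above, plus three near-misses that each fail one condition. It also reverses the constructed sample's decode loop offline, the way an analyst would recover the plaintext command. The sample strings, the key, the 12-digit code, the harmless plaintext and all function names are assumptions made for this example.

```python
"""
Added example: emulate the ErrTraffic ScriptBlockText rule over constructed
PowerShell 4104 samples and decode the constructed sample's payload offline.
Not code from the page, Sekoia TDR, or ErrTraffic.
"""

# The four contains|all strings, lower-cased because Sigma string modifiers
# are case-insensitive and we compare against lower-cased ScriptBlockText.
NEEDLES = ("#>", "-bxor[int][char]$", "[convert]::toint32", "-lt")


def matches_errtraffic_rule(script_block_text: str) -> bool:
    """Emulate `selection_comment_block and selection_xor_decode`."""
    text = script_block_text.lower()
    return text.startswith("<") and all(n in text for n in NEEDLES)


def xor_hex_decode(hex_blob: str, key: str) -> str:
    """Reproduce the decode loop the rule targets: hex pair -> int -> XOR key char."""
    out = []
    for i in range(0, len(hex_blob), 2):
        byte = int(hex_blob[i:i + 2], 16)                        # [convert]::ToInt32(..., 16)
        out.append(chr(byte ^ ord(key[(i // 2) % len(key)])))    # -bxor [int][char]$key[...]
    return "".join(out)


def xor_hex_encode(plaintext: str, key: str) -> str:
    """Inverse of xor_hex_decode; used only to build the constructed sample below."""
    return "".join(f"{ord(c) ^ ord(key[i % len(key)]):02x}" for i, c in enumerate(plaintext))


# Constructed stand-in for the clipboard command. The structure follows the page's
# description (leading <# Code Verification #> comment, hex -> ToInt32 -> -bxor loop,
# iex at the end); the key, the digits and the harmless plaintext are made up.
SAMPLE_KEY = "k9"
SAMPLE_PLAINTEXT = "Write-Host 'constructed sample'"
SAMPLE_POSITIVE = (
    "<# Code Verification: 000000000000 #> "
    f"$h='{xor_hex_encode(SAMPLE_PLAINTEXT, SAMPLE_KEY)}';$k='{SAMPLE_KEY}';$o='';"
    "for($i=0;$i -lt $h.Length;$i+=2){$o+=[char]([convert]::ToInt32($h.Substring($i,2),16)"
    " -bxor[int][char]$k[($i/2)%$k.Length])};iex $o"
)

# Constructed benign samples sharing individual artifacts but not the full combination.
SAMPLES = {
    "errtraffic_style": SAMPLE_POSITIVE,
    # Block comment header but no decode loop (ordinary admin script).
    "commented_admin_script": "<#\n.SYNOPSIS\nRotates log files\n#>\nGet-ChildItem C:\\Logs | Remove-Item",
    # XOR checksum written the way a person writes it: spaces around -bxor, no leading comment.
    "xor_checksum_no_comment": "$sum=0;foreach($c in $s.ToCharArray()){$sum = $sum -bxor [int][char]$c};$sum -lt 255",
    # All four strings present, but the comment is not the first character, so startswith fails.
    "loop_comment_not_first": "$x=1; <# note #> ... -bxor[int][char]$k ... [convert]::ToInt32 ... -lt ...",
}


def evaluate(samples: dict) -> dict:
    """Map sample name -> whether the rule would alert on it."""
    return {name: matches_errtraffic_rule(text) for name, text in samples.items()}


def decode_constructed_sample() -> str:
    """What an analyst recovers after pulling $h and $k out of the script block."""
    hex_blob = SAMPLE_POSITIVE.split("$h='")[1].split("'")[0]
    return xor_hex_decode(hex_blob, SAMPLE_KEY)


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
    print("decoded:", decode_constructed_sample())
```

Running it shows only the constructed ErrTraffic-style block alerting; each near-miss isolates one condition (no decode loop, whitespace between -bxor and [int][char], comment not in the first position). When porting the rule to a platform whose string matching is case-sensitive, lower-case the field first or add case variants, and match against the raw ScriptBlockText rather than a trimmed copy so the startswith condition behaves as in Sigma.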
Policy building walkthrough can be found in this previous post:
