Google Cloud Blog
Follow
A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
Mandiant's Frontline Bulletin Series details a campaign involving UNC5518 and UNC5774 threat groups, leading to the deployment of CORNFLAKE.V3 malware. UNC5518 compromises websites to serve fake CAPTCHA pages, using a technique called ClickFix to lure victims into executing downloader scripts. These scripts then facilitate malware infections by other threat actors, acting as an access-as-a-service provider. UNC5774 is a financially motivated group known to use the CORNFLAKE backdoor to deploy various payloads. CORNFLAKE.V3 is an updated backdoor written in JavaScript or PHP, capable of retrieving and executing payloads like executables and DLLs. It also establishes host persistence through registry Run keys and abuses Cloudflare Tunnels for C2 communication. The analyzed campaign began with suspicious PowerShell activity on a host, traced back to a user interacting with a fake CAPTCHA page. This page copied a malicious PowerShell command to the clipboard, which was then executed via the Windows Run dialog. The PowerShell dropper downloads and extracts Node.js, then uses node.exe to execute the CORNFLAKE.V3 backdoor payload, which is base64 encoded. The dropper includes anti-virtual machine checks, exiting if it detects low system resources or specific virtualized environments. Once executed, CORNFLAKE.V3 performs reconnaissance, establishes persistence, and attempts credential harvesting through methods like Kerberoasting.