kiaraearl/clickfix-ir-casestudy
# ClickFix RAT Incident Response — Case Study 🛡️
## Incident Summary
| Field | Details |
|---|---|
| **Date Detected** | May 2026 |
| **Malware Family** | NetSupport Manager RAT |
| **Delivery Method** | ClickFix (social engineering lure) |
| **Affected System** | Personal Windows 11 Pro workstation |
| **Severity** | High — remote access capability confirmed |
| **Status** | ✅ Resolved |
## What Is ClickFix?
ClickFix is a social engineering technique where a malicious webpage or pop-up instructs
the victim to manually run a command — typically by pressing `Win + R` and pasting a
PowerShell or CMD string — under the guise of "fixing" a browser error, CAPTCHA, or
software issue.
## PICERL Incident Response Lifecycle
### 1. 🔍 Preparation
- System was running Windows 11 Pro with standard user protections
- No dedicated endpoint detection tooling was installed prior to the incident
- Incident response was conducted independently using built-in Windows tools and Malwarebytes
### 2. 🚨 Identification
**Initial indicators of compromise (IOCs):**
- Unusual process activity observed in Task Manager
- Suspicious executable identified:
  - Process: `client32.exe`
  - Location: `C:\ProgramData\Ceobenika\Burmastev2\client32.exe`
- `C:\ProgramData` is a common persistence location for malware due to its low visibility
to standard users
- The directory names (`Ceobenika`, `Burmastev2`) were non-standard and consistent with
obfuscated malware staging folders
- NetSupport Manager confirmed as the RAT family based on the `client32.exe` binary name,
a known indicator for this tool
**Threat Intelligence:**
NetSupport Manager RAT has been widely documented by threat researchers including CISA and
multiple threat intel vendors as a common ClickFix payload used in financially motivated
and initial access campaigns.
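The process check described above can be scripted so that it does not depend on spotting an odd name in Task Manager. The following PowerShell function is an added illustration, not a script from this case study: it lists every running process whose image lives under a user-writable staging root (`C:\ProgramData` is the one from this incident) or whose name matches a documented RAT client name, and records the Authenticode status alongside. The watch roots, the `KnownNames` default and the function name are the example's own choices.

```powershell
# Added example (not part of the original case study): triage running processes by
# image location and name, recording signature status for the incident record.
# Assumes Windows PowerShell 5.1 or later on the affected workstation, run elevated.

function Get-StagingRootProcesses {
    [CmdletBinding()]
    param(
        # User-writable roots commonly used to stage tooling; ProgramData is from this incident.
        [string[]]$WatchRoots = @("$env:ProgramData", "$env:LOCALAPPDATA\Temp", "$env:PUBLIC"),
        # Binary names called out as indicators on this page; client32.exe is the NetSupport client.
        [string[]]$KnownNames = @('client32.exe')
    )

    $results = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $path = $proc.ExecutablePath
        if (-not $path) { continue }   # protected/system processes expose no path; skip them

        $inWatchRoot = $false
        foreach ($root in $WatchRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inWatchRoot = $true
                break
            }
        }
        $nameHit = $KnownNames -contains $proc.Name
        if (-not ($inWatchRoot -or $nameHit)) { continue }

        # NetSupport Manager is commercial software, so its client can carry a valid vendor
        # signature; the location and how it arrived matter more than signature status alone.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            PID          = $proc.ProcessId
            ParentPID    = $proc.ParentProcessId
            Name         = $proc.Name
            Path         = $path
            CommandLine  = $proc.CommandLine
            Signature    = $(if ($sig) { $sig.Status } else { 'Unknown' })
            Signer       = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            KnownRatName = $nameHit
        }
    }
    return $results
}

# Usage: run during identification, before any remediation, and save the output
# (for example with Export-Csv) as part of the incident timeline.
Get-StagingRootProcesses | Format-Table -AutoSize -Wrap
```

The parent PID and command line are kept because they show how the binary was launched, which is the detail that links a `C:\ProgramData` process back to a pasted `Win + R` command in a ClickFix case.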
### 3. 🔒 Containment
**Short-term containment steps:**
- Disconnected system from the internet to prevent active C2 communication
- Did not power off immediately to preserve volatile memory artifacts
- Documented file paths, process names, and timestamps before remediation
**Safe Mode boot:**
- Rebooted into Windows Safe Mode with Networking to prevent the RAT from loading at startup
- Safe Mode bypasses most third-party startup persistence mechanisms, allowing clean access
to the file system
### 4. 🧹 Eradication
**Step 1 — Malwarebytes Full Scan:**
- Ran a full system scan using Malwarebytes in Safe Mode
- Malwarebytes detected and quarantined associated malware components
**Step 2 — Manual Artifact Removal:**
- Navigated to `C:\ProgramData\Ceobenika\Burmastev2\`
- Manually deleted `client32.exe` and all associated directory contents
- Verified deletion and confirmed directory no longer existed post-removal
**Step 3 — Registry & Persistence Check:**
- Reviewed common persistence locations:
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
  - `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
  - Startup folder entries
- Removed any suspicious entries tied to the malware
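The persistence review in Step 3 can be made repeatable with a short audit script. The function below is an added example, not the author's own procedure: it enumerates the `Run` and `RunOnce` keys for both hives plus the per-user and all-users Startup folders, resolves `.lnk` shortcuts to their targets, and flags any entry that points into `C:\ProgramData` (outside the legitimate Start Menu path) or references `client32.exe`. The `SuspectPatterns` defaults and the function name are the example's own.

```powershell
# Added example (not part of the original case study): list autostart entries and flag
# those pointing at the staging location or binary name documented in this incident.
# Assumes Windows PowerShell 5.1 or later; run elevated so the HKLM keys are readable.

function Get-AutostartFindings {
    [CmdletBinding()]
    param(
        # Regexes applied to the resolved target. The lookahead skips the all-users
        # Start Menu folder, which legitimately lives under C:\ProgramData.
        [string[]]$SuspectPatterns = @('\\ProgramData\\(?!Microsoft\\Windows\\Start Menu\\)', 'client32\.exe')
    )

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $findings = @()

    # Registry Run/RunOnce values: each value name is an autostart entry.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psNoise -contains $prop.Name) { continue }
            $target = [string]$prop.Value
            $hit = $false
            foreach ($pat in $SuspectPatterns) { if ($target -match $pat) { $hit = $true; break } }
            $findings += [pscustomobject]@{ Source = $key; Entry = $prop.Name; Target = $target; Suspicious = $hit }
        }
    }

    # Startup folders: shortcuts are resolved to their target so the real binary is inspected.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($file in Get-ChildItem -Path $dir -File -Force) {
            $target = $file.FullName
            if ($file.Extension -ieq '.lnk') {
                $sc = $shell.CreateShortcut($file.FullName)
                $target = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
            }
            $hit = $false
            foreach ($pat in $SuspectPatterns) { if ($target -match $pat) { $hit = $true; break } }
            $findings += [pscustomobject]@{ Source = $dir; Entry = $file.Name; Target = $target; Suspicious = $hit }
        }
    }

    return $findings
}

# Usage: review the full list, flagged entries first. Every entry is shown, not only the
# flagged ones, because a renamed RAT may sit outside the patterns above.
Get-AutostartFindings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Removing an entry is deliberately left to the analyst (`Remove-ItemProperty` for a Run value, `Remove-Item` for a Startup file) so that each deletion is a documented decision rather than a side effect of the audit.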
### 5. 🔄 Recovery
**Immediate recovery steps:**
- Rebooted system into normal mode
- Confirmed `client32.exe` process was no longer running
- Re-ran Malwarebytes scan — returned clean
- Changed passwords for all accounts accessible from the affected machine
- Reviewed browser history and saved credentials for signs of exfiltration
**Planned hardening (post-incident):**
- [ ] Full Windows system reset to eliminate any persistence not caught manually
- [ ] Enable BitLocker full-disk encryption
- [ ] Install and configure Windows Defender with real-time protection enabled
- [ ] Enable controlled folder access (ransomware protection)
- [ ] Review and restrict PowerShell execution policy (`RemoteSigned` minimum)
- [ ] Implement standard user account for daily use; admin account reserved for elevated tasks only
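Most of the checklist above maps to a handful of built-in cmdlets on Windows 11 Pro. The script below is an added example rather than the author's remediation script: it first re-runs the two recovery checks from this section (process gone, staging folder gone), then reports the current posture and applies the Defender, execution-policy and standard-user items. BitLocker is reported but not enabled, because `Enable-BitLocker` requires a key-protector and recovery-key decision that a script should not make silently. The account name `daily-user` and the function names are placeholders chosen for the example; the RAT path is the one documented in the IOC table.

```powershell
# Added example (not the case study's own script): confirm eradication, then check and
# apply the post-incident hardening items. Run from an elevated PowerShell on Windows 11 Pro.

$RatStagingDir = 'C:\ProgramData\Ceobenika\Burmastev2'   # path from this write-up's IOC table

function Test-EradicationComplete {
    # Recovery checks from the case study: the process must be gone and the folder removed.
    $running = Get-Process -Name 'client32' -ErrorAction SilentlyContinue
    $dirExists = Test-Path -LiteralPath $RatStagingDir
    [pscustomobject]@{
        ProcessRunning   = [bool]$running
        StagingDirExists = $dirExists
        Clean            = (-not $running) -and (-not $dirExists)
    }
}

function Get-HardeningPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $bl     = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # EnableControlledFolderAccess is numeric: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    $cfa = switch ($pref.EnableControlledFolderAccess) { 0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' } }

    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        ControlledFolderAccess = $cfa
        ExecutionPolicy        = (Get-ExecutionPolicy -Scope LocalMachine)
        BitLocker              = $(if ($bl) { $bl.ProtectionStatus } else { 'NotAvailable' })
    }
}

function Invoke-PostIncidentHardening {
    param([string]$DailyUserName = 'daily-user')   # placeholder account name

    $pre = Test-EradicationComplete
    if (-not $pre.Clean) { throw "Eradication not confirmed: $($pre | Out-String)" }

    # Defender: real-time protection on, controlled folder access on.
    # With Tamper Protection enabled these calls are rejected and the change must be
    # made in the Windows Security app instead.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled

    # Execution policy applies to script files, not to commands typed or pasted at a prompt,
    # so this is hygiene rather than a control against a ClickFix paste-and-run lure.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

    # Standard user for daily use; the existing admin account is kept for elevation only.
    if (-not (Get-LocalUser -Name $DailyUserName -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -Prompt "Password for $DailyUserName" -AsSecureString
        New-LocalUser -Name $DailyUserName -Password $pw | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $DailyUserName
    }

    # BitLocker is reported only; enable it with Enable-BitLocker once the recovery key
    # has been backed up somewhere other than this machine.
    Get-HardeningPosture
}

Invoke-PostIncidentHardening | Format-List
```

Running `Get-HardeningPosture` on its own before and after gives a before/after record that can go straight into the Lessons Learned table.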
### 6. 📋 Lessons Learned
| Lesson | Action Taken |
|---|---|
| ClickFix lures are convincing and target non-technical users | Document attack vector; share awareness with peers |
| `C:\ProgramData` should be monitored for unusual directories | Added to personal monitoring checklist |
| No endpoint detection = delayed identification | Malwarebytes now installed as baseline |
| Manual IR is possible without enterprise tooling | Validated through this incident |
| Full disk encryption was not enabled | BitLocker enablement planned |
## IOC Summary
| Type | Value |
|---|---|
| Malware Family | NetSupport Manager RAT |
| Process Name | `client32.exe` |
| File Path | `C:\ProgramData\Ceobenika\Burmastev2\client32.exe` |
| Delivery Method | ClickFix (manual command execution lure) |
| Persistence Location | `C:\ProgramData` subdirectory |
## Tools Used
| Tool | Purpose |
|---|---|
| Windows Task Manager | Initial process identification |
| Windows Safe Mode | Containment — bypass startup persistence |
| Malwarebytes (Free) | Automated detection and quarantine |
| Windows Registry Editor | Persistence location review |
| File Explorer / CMD | Manual artifact deletion |
## Key Takeaways for SOC / Help Desk Context
- Real-world RAT identification and removal without enterprise tooling
- Followed PICERL framework independently under pressure
- Documented every step for reproducibility and reporting
- Identified hardening gaps and created a concrete remediation plan
- Demonstrates ability to think methodically during an active incident
## References
- [CISA Alert — NetSupport RAT](https://www.cisa.gov/news-events/cybersecurity-advisories)
- [ClickFix Technique — MITRE ATT&CK T1204.002](https://attack.mitre.org/techniques/T1204/002/)
## Author
**Kiara Earl**
CompTIA A+ Certified | WGU B.S. Cybersecurity & Information Assurance (Expected 2027)
📧 kimearls24@outlook.com
📍 Houston, TX
🔗 [Portfolio](https://kiaraearl.github.io/)