Tuesday, December 10, 2024
Homecyber securityHackers Using ClickFix Social Engineering Tactics to Deploy Malware

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Published on

SIEM as a Service

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery, dubbed the “ClickFix” infection chain.

This novel attack strategy leverages advanced social engineering techniques to manipulate unsuspecting users into executing malicious scripts, leading to severe security breaches.

This article delves into the intricacies of the ClickFix method, its implications, and the steps users can take to protect themselves.

- Advertisement - SIEM as a Service
Prevalence for the last three months

The ClickFix Infection Chain

The ClickFix infection chain begins with users being lured to visit seemingly legitimate but compromised websites.

These websites are meticulously crafted to appear genuine, significantly increasing the likelihood of user compliance. Upon visiting these sites, victims are redirected to domains hosting fake popup windows.

These popups instruct users to paste a script into a PowerShell terminal, a command-line shell used for task automation and configuration management.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Once the script is pasted and executed in the PowerShell terminal, the malware can infiltrate the victim’s system. This can lead to data theft, system compromise, or further propagation of the malware.

The sophistication of this method lies in its ability to exploit the trust users place in seemingly authentic websites and prompts.

Malware Families Leveraging ClickFix

Two notable malware families, Lumma Stealer and DarkGate, have been observed leveraging the ClickFix technique.

Lumma Stealer is known for its ability to extract sensitive information, including passwords, credit card details, and other personal data, from infected systems.

DarkGate, on the other hand, is a more advanced threat that steals sensitive information, provides remote access, and establishes persistent backdoors in compromised systems.

DarkGate employs advanced evasion tactics, making it difficult to detect and remove. It can spread within networks, posing a significant cybersecurity threat.

Combining these malware families with the ClickFix technique represents a formidable challenge for cybersecurity professionals.

The Role of Phishing Emails

McAfee Labs obtained a phishing email from their spamtrap containing an HTML attachment masquerading as a Word document. Phishing emails play a crucial role in the ClickFix infection chain.

The HTML file displayed an error prompt designed to deceive users into taking actions that could lead to the download and execution of malicious software.

Email with Attachment

The phishing email tactic is particularly effective because it exploits the user’s familiarity with common file types and error messages.

By presenting a seemingly legitimate problem and offering a solution, the attackers increase the likelihood that users will follow the instructions and inadvertently execute the malicious script.

Technical Analysis

Upon examining the code within the HTML attachment, researchers discovered several base64-encoded content blocks. These blocks contained the malicious script users were instructed to paste into their PowerShell terminal.

The script, once executed, initiates the malware download and installation process.

Displays extension problem issue
Displays extension problem issue

This method of encoding and disguising the malicious script is a testament to the attackers’ sophistication. By hiding the true nature of the script within encoded blocks, they make it more challenging for automated security systems to detect and block the threat.

HTML contains Base64-encoded content in the title tag
After decoding the code
After decoding the code

Protecting Against ClickFix

To protect against the ClickFix infection chain and similar threats, users should follow these best practices:

  1. Be Cautious with Emails and Attachments: Always verify the sender’s identity before opening any email attachments, especially if they are unexpected or from unknown sources.
  2. Avoid Pasting Scripts: Never paste scripts or commands from untrusted sources into your terminal or command prompt.
  3. Use Security Software: Ensure your security software is up-to-date and capable of detecting and blocking advanced threats.
  4. Educate Yourself and Others: Stay informed about the latest cybersecurity threats and educate others about the risks and best practices for staying safe online.

The discovery of the ClickFix infection chain highlights the ever-evolving nature of cyber threats and the importance of vigilance in the digital age.

By understanding the tactics used by attackers and taking proactive measures to protect themselves, users can reduce the risk of falling victim to these sophisticated social engineering schemes.

As cybersecurity threats continue to grow in complexity, staying informed and cautious is more critical than ever.

Indicators of Compromise (IoCs)

FileSHA256
DarkGate
Emailc5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
Html0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PSe9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
Lumma Stealer
URLtuchinehd[.]com
PS07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXEe60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...