Yashvi Shah and Vignesh Dhatchanamoorthy
McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.
The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.
We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:
Figure 1:Prevalence for the last three months
Darkgate ingesting via “ClickFix”
DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email from the spamtrap, having an HTML attachment.
Figure 2: Email with Attachment
The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.
Figure 3: Displays extension problem issue
As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”
Before clicking on this button, let’s examine the underlying code. Upon examining the code, it was discovered that there were several base64-encoded content blocks present. Of particular significance was one found within the <Title> tag, which played a crucial role in this scenario.
Figure 4: HTML contains Base64-encoded content in the title tag
Decoding this we get,
Figure 5: After decoding the code
The decoded command demands PowerShell to carry out malicious activities on a system. It starts by downloading an HTA (HTML Application) file from the URL https://www.rockcreekdds.com/wp-content/1[.]hta and saves it locally as C:userspublicIx.hta.
The script then executes this HTA file using the start-process command, which initiates harmful actions on the system. Additionally, the script includes a command (Set-Clipboard -Value ‘ ‘) to clear the contents of the clipboard. After completing its tasks, the script terminates the PowerShell session with exit.
Upon further inspection of the HTML page, we found a javascript at the end of the code.
Figure 6: Decoding function snippet
This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.
In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.
Let’s delve into it practically:
Figure 7: Clipboard contains malicious command
The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then press CTRL+V (which pastes the contents from the clipboard) suggests a social engineering tactic to further convince the user to execute the PowerShell script. This sequence of actions is intended to initiate the downloaded script (likely stored in the clipboard) without the user fully understanding its potentially malicious nature.
Once the user does this, the HTA file gets downloaded.
Figure 8: HTA code snippet
The above file attempts to connect to the marked domain and execute a PowerShell file from this malicious source. Given below is the malicious script that is stored remotely and executed.
Figure 9: Powershell code snippet
As this PowerShell script is executed implicitly without any user interaction, a folder is created in the C drive where an AutoIt executable and script are dropped and executed automatically.
Figure 10: Downloaded zip contains AutoIT script
Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.
A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.
Lumma Stealer ingesting via “ClickFix”
McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.
Figure 11: Showing error on accessing the webpage
It directs the target user to perform the following steps:
Click on the “Copy Fix” button.
Right-click on the Windows icon.
Open Windows PowerShell (Admin).
Right-click within the open terminal window.
Wait for the update to complete.
Let’s analyze the code that gets copied when clicking the “Copy Fix” button.
Figure 12: Base64-encoded content
As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:
Figure 13: After decoding the Base64 content
This PowerShell script flushes the DNS cache and then decodes a base64-encoded command to fetch and execute a script from a remote URL https://weoleycastletaxis.co.uk/chao/baby/cow[.]html, masquerading the request with a specific User-Agent header. The fetched script is then executed, and the screen is cleared to hide the actions. Subsequently, it decodes another base64 string to execute a command that sets the clipboard content to a space character. The script is likely designed for malicious purposes, such as downloading and executing remote code covertly while attempting to hide its activity from the user.
Upon execution, the following process tree flashes:
Figure 14: Process Tree
As we know it is downloading the malware from the given URL, a new folder is created in a Temp folder and a zip is downloaded:
Figure 15: Network activity
The malware is unzipped and dropped in the same folder:
Figure 16: Dropped files
The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.
Conclusion:
In conclusion, the Clickfix social engineering technique showcases a highly effective and technical method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.
Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to evade detection and maintain persistence, such as clearing clipboard contents and running processes in minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.
Mitigations:
At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:
Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
Install and maintain updated antivirus and anti-malware software on all endpoints.
Implement robust email filtering to block phishing emails and malicious attachments.
Use web filtering solutions to prevent access to known malicious websites.
Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
Use network segmentation to limit the spread of malware within the organization.
Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
Continuously monitor and analyze system and network logs for signs of compromise.
Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.
Indicators of Compromise (IoCs)
File
SHA256
DarkGate
Email
c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
Html
0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA
5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PS
e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP
8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script
7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
Lumma Stealer
URL
tuchinehd[.]com
PS
07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP
6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE
e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9
The post ClickFix Deception: A Social Engineering Tactic to Deploy Malware appeared first on McAfee Blog.
More Stories
Scams Based on Fake Google Emails
Scammers are hacking Google Forms to send email to victims that come from google.com. Brian Krebs reports on the effects....
Infostealers Dominate as Lumma Stealer Detections Soar by Almost 400%
The vacuum left by RedLine’s takedown will likely lead to a bump in the activity of other a infostealers Read...
The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)
In episode 30 of The AI Fix, AIs are caught lying to avoid being turned off, Apple’s AI flubs a...
US and Japan Blame North Korea for $308m Crypto Heist
A joint US-Japan alert attributed North Korean hackers with a May 2024 crypto heist worth $308m from Japan-based company DMM...
Spyware Maker NSO Group Found Liable for Hacking WhatsApp
A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse...
Spyware Maker NSO Group Liable for WhatsApp User Hacks
A US judge has ruled in favor of WhatsApp in a long-running case against commercial spyware-maker NSO Group Read More