New FileFix method emerges as a threat following a 517% increase in ClickFix attacks

6 Min Read

According to ESET telemetry, ClickFix social-engineering attacks, which use fake CAPTCHA validation checks as an initial access vector, increased by 517% between the second half of 2024 and the first half of this year.

“The list of threats delivered by ClickFix attacks grows day by day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” said the director of ESET’s Threat Prevention Lab.

ClickFix has become a widespread and deceptive technique that uses fake error messages or CAPTCHA validation checks to trick victims into copying malicious scripts, pasting them into the Windows Run dialog or the Apple macOS Terminal app, and running them.

The Slovak cybersecurity company said that ClickFix detections are most heavily concentrated in Japan, Peru, Poland, Spain and Slovakia.

The prevalence and effectiveness of the technique have led to the emergence of builders, offered by threat actors who supply ClickFix-weaponized landing pages to other attackers, ESET added.

From ClickFix to FileFix

The development comes as security researcher MRD0X demonstrated a proof of concept (PoC) for a ClickFix alternative named FileFix, which tricks the user into copying a file path and pasting it into Windows File Explorer.

The technique achieves essentially the same goal as ClickFix but in a different way: it abuses the File Explorer window opened by a web browser’s file-upload feature to execute operating system commands through the File Explorer address bar.

In the attack scenario devised by the researcher, threat actors would set up a phishing page that, instead of showing the target a fake CAPTCHA check, displays a message claiming a document has been shared with them and that they need to copy the file path and paste it into the File Explorer address bar by pressing Ctrl+L.


The phishing page also includes a prominent “Open File Explorer” button that, when clicked, opens File Explorer and copies a malicious PowerShell command to the user’s clipboard. So when the victim pastes the supposed “file path”, the attacker’s command is executed instead.

This is accomplished by prepending the PowerShell command to the copied file path, padding it with spaces so that the command is pushed out of view in the address bar, and then adding a pound sign (“#”) so that PowerShell treats the fake file path that follows as a comment:

Powershell.exe -c ping example.com                                        # C:\decoy.doc

“In addition, the PowerShell command concatenates the dummy file path after the comment to hide the command and display the file path,” MRD0X said.
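As an added illustration from the defender’s side (not code from the article or from MRD0X), the following Python checks process-creation events for the pattern described above: a shell launched from a browser or File Explorer whose command line carries a trailing “#” comment containing a file path, with whitespace padding in front of it. The sample events and the list of parent processes are constructed assumptions.

```python
import re

# Process-creation events in Sysmon Event ID 1 style. Constructed samples, not real telemetry;
# the first one mirrors the FileFix clipboard payload, the other two are benign lookalikes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Powershell.exe -c ping example.com" + " " * 40 + r"# C:\Users\Public\decoy.doc"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "echo hello"'},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Parents from which a pasted FileFix command would be launched: the browser hosting the
# file dialog, or explorer.exe. Assumed list; tune it to the browsers in your environment.
PASTE_HOSTS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe")
# A "#" followed by something shaped like a Windows drive or UNC path: the decoy comment.
DECOY_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)\S*")
# A long run of whitespace, used to scroll the real command out of the address bar.
PADDING = re.compile(r"\s{8,}")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def filefix_indicators(event):
    """Return the FileFix indicators present in one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    if basename(event.get("Image", "")) not in SHELLS:
        return hits
    if basename(event.get("ParentImage", "")) in PASTE_HOSTS:
        hits.append("shell spawned by browser/explorer")
    m = DECOY_COMMENT.search(cmd)
    if m:
        hits.append("trailing '#' comment containing a file path")
        if PADDING.search(cmd[:m.start()]):
            hits.append("whitespace padding before comment")
    return hits


def scan(events):
    """Map event index to indicators for events with at least two indicators (alerts)."""
    alerts = {}
    for i, ev in enumerate(events):
        ind = filefix_indicators(ev)
        if len(ind) >= 2:
            alerts[i] = ind
    return alerts
```

A single indicator (for example explorer.exe starting PowerShell for a scheduled script) is normal activity, which is why only the combination is raised as an alert.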

Plenty of phishing campaigns

The surge in ClickFix campaigns coincides with the discovery of various phishing campaigns over the last few weeks:

  • Phishing emails sent from .gov domains about unpaid tolls that take users to fake pages designed to collect personal and financial information
  • Long-lived domains (LLDs), in a technique known as strategic domain aging, that host or redirect users to a CAPTCHA check page leading to a fake Microsoft Teams page that steals Microsoft account credentials
  • Malicious Windows shortcut (LNK) files distributed in ZIP archives that launch PowerShell code responsible for deploying Remcos RAT
  • IPFS-hosted phishing pages that steal the user’s email credentials, using a lure alerting the user that their mailbox is almost full and that they need to click the button embedded in the message to “clear storage.” Interestingly, the email also includes a RAR archive attachment that, when extracted and executed, drops XWorm malware
  • Emails that include a URL posing as a PDF document, which in turn contains another URL that drops a ZIP archive with an executable responsible for launching Lumma Stealer
  • Abuse of the legitimate front-end platform Vercel to host fake sites that propagate malicious versions of LogMeIn, giving attackers full control over victims’ machines
  • SMS messages impersonating U.S. Departments of Motor Vehicles (DMVs) about unpaid toll violations that redirect recipients to a deceptive site harvesting personal information and credit card details
  • SharePoint-themed emails that redirect users to a credential-harvesting page hosted on *.sharepoint(.)com

“Emails containing SharePoint links are less likely to be flagged as malicious or phishing by EDR or antivirus software. Users tend to believe that Microsoft links are inherently safe,” CyberProof said.

“Because the phishing pages are hosted in SharePoint, they are often dynamic and accessible from a specific link only for a limited time, making it difficult for automated crawlers, scanners and sandboxes to detect them.”
