Threat groups are increasingly adopting a social engineering technique dubbed ClickFix to trick users into copying malicious PowerShell code and executing it themselves. Despite requiring more user interaction to succeed, the tactic has been adopted by several threat groups in recent months, suggesting it is reasonably effective at evading detection compared to relying on automated payload delivery mechanisms.Researchers from security firm Proofpoint initially observed this method being used as early as March by a threat group tracked as TA571, which acts as an initial access broker in the cybercriminal ecosystem. The company dubbed the technique ClickFix because its lure involved fake browser error dialogs with instructions on how to fix the issue.The instructions require users to click a button to copy the “fix” and then paste it in the Windows Run dialog, which can be opened by pressing the Windows key+R, or in the PowerShell terminal.Since then, multiple variations of this technique have been observed, with the fake errors impersonating Microsoft Word and even specialized transportation and logistics software used in certain sectors. This suggests the threat actors using this technique are first studying their target environments to determine what software employees might be using.”Notably, threat actors have been observed recently using a fake CAPTCHA themed ClickFix technique that pretends to validate the user with a ‘Verify You Are Human’ (CAPTCHA) check,” the researchers wrote in a new report this week. “Much of the activity is based on an open source toolkit named reCAPTCHA Phish available on GitHub for ‘educational purposes.’” The original ClickFix fake errors were displayed via the browser after victims were tricked into visiting compromised websites. Newer iterations, however, are being sent directly via email as well.For example, in one case users received a phishing email with the subject “Important Software Update: Action Required” that included encoded PowerShell code and instructions on how to execute it directly in the email message itself. The malicious code was designed to download the 7zip archive manager along with a password-protected .7z archive that contained a variant of the NetSupport remote access trojan.In another campaign, phishing emails with themes such as budget, finance, invoice, and shipping, among others, contained HTML attachments that when opened displayed fake Microsoft Word errors which instructed users to execute PowerShell code to fix the issue. The campaign deployed Brute Ratel C4 and Latrodectus malware, the latter of which has become a new favorite of initial access brokers.
Combining ClickFix with reCAPTCHA Phish
In September, an email campaign that impersonated the GitHub Security Team warned recipients about vulnerabilities being detected in their repositories. Victims were sent to a fake GitHub page that asked users to pass a CAPTCHA verification test by pressing the Windows key+R and then CTRL+V and Enter.This pasted a piece of malicious PowerShell in the Run dialog that ended with normal text reading reCAPTCHA Verification ID followed by a number. This fake reCAPTCHA text is the only part the user would see when pasting because the Run dialog box has limited visible space. The malicious code was designed to deploy a variant of the Lumma information stealer, which is also being used in a malicious free AI app download operation.In a separate ClickFix campaign, users were targeted with a phishing email impersonating Swiss e-commerce marketplace Ricardo that directed users to a fake website that used the same reCAPTCHA Phish toolkit in combination with the ClickFix technique. The malicious code in this case triggered a more complicated attack chain that resulted in the installation of AsyncRAT or PureLog Stealer. AsyncRAT was used extensively throughout 2023 to target key US infrastructure employees.In October, researchers detected another ClickFix campaign that used a ChatGPT-based lure promising users access to a prompt generator service. The rogue website encouraged users to join a ChatGPT community, but used the reCAPTCHA phish tool and ClickFix clipboard payload to trick users into executing malicious code. This campaign deployed the XWorm malware, which has also been used recently in phishing attacks involving malicious virtual hard drives.Even cyber-espionage groups seem to have adopted the ClickFix technique. Toward the end of October, an APT group tracked as UAC-0050 that has a history of targeting organizations from Ukraine launched a phishing campaign in Ukrainian that used fake notifications about shared documents to direct users to an attacker-controlled website. The website used the combination of reCAPTCHA Phish and ClickFix to trick users into running PowerShell as part of a CAPTCHA challenge. The code deployed a rarely used information stealer dubbed Lucky Volunteer.
Mitigation
Installed on Windows by default, PowerShell is a very powerful scripting language and environment designed to simplify and automate system administration tasks. Because of its wide adoption in malware attacks over the past 10 years, security products monitor for potentially malicious PowerShell invocations.However, they often look for instances where PowerShell scripts are being executed by other processes, because that’s how PowerShell is typically abused, as part of a larger attack chain, such as being launched by malicious Microsoft Word macros, or a malware dropper downloading and executing a malicious PowerShell script to deploy additional payloads.With ClickFix, the user invokes PowerShell manually and directly. Because PowerShell has legitimate uses, this behavior is not necessarily suspicious.”What’s insidious about this technique is the adversaries are preying on people’s innate desire to be helpful and independent,” the researchers wrote. “By providing what appears to be both a problem and a solution, people feel empowered to ‘fix’ the issue themselves without needing to alert their IT team or anyone else, and it bypasses security protections by having the person infect themselves.”One defense against PowerShell attacks is to disable the feature completely on employee machines, but this could break administrative tasks, so most organizations avoid doing so. Instead, Microsoft advises limiting access to PowerShell only to authorized users and administrators. This can be done by enabling Device Guard or Windows Defender Application Control policies.Microsoft also recommends implementing Just Enough Administration (JEA), a PowerShell technology that allows limiting the power of accounts by using the principles of least privilege and limiting their access only to the PowerShell commands they need to get their job done.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3610611/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html
