A recently identified social engineering campaign, dubbed FileFix, has been exploiting unsuspecting users by impersonating official Meta account suspension warnings. This method, a variation of the ClickFix family of attacks, cleverly manipulates users into executing malicious commands under the guise of simple “fixes.” The attack’s creator, red team researcher mr.d0x, designed it to abuse the File Explorer’s address bar, a novel approach that allows it to bypass security measures designed to detect traditional PowerShell command-line attacks. While FileFix has been used before—notably by the Interlock ransomware gang—this new campaign, discovered by Acronis, has evolved with new and more sophisticated lures.
This latest campaign uses a multi-language phishing page that mimics Meta’s support team. It warns users that their account is at risk of being disabled and directs them to view an “incident report.” However, the supposed report is actually a cleverly hidden malicious command. The phishing page instructs users to copy a “file path” and paste it into the File Explorer address bar. What the user doesn’t realize is that the “Copy” button places a much longer PowerShell command, filled with spaces, into their clipboard. When pasted, only the fake file path is visible in the address bar, hiding the true nature of the command and deceiving the user into running it.
Acronis notes that this technique is particularly insidious because it subverts typical detection methods. Instead of the "#" comment symbol that other ClickFix lures rely on to hide the real command, this variant uses a variable padded with a large number of spaces, so the pasted command runs far past the visible portion of the address bar and security tools written to look for the telltale hashtag never fire. The sophistication doesn't end there; this FileFix campaign also employs steganography, the practice of concealing a file within another file: it hides a second-stage PowerShell script and encrypted executables within a seemingly harmless JPG image.
Once the victim unknowingly executes the first-stage PowerShell command, it downloads the malicious image from Bitbucket. The embedded script is then extracted and used to decrypt the hidden payloads directly in the device’s memory. This multi-layered approach makes the attack harder to detect and analyze. The payloads, once decrypted, include the StealC infostealer malware, which is designed to siphon sensitive data from the infected device. The campaign is a stark reminder of how social engineering tactics continue to evolve, using increasingly creative technical tricks to deceive users and bypass traditional security defenses.
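The chain above gives defenders a concrete process-creation signature: explorer.exe spawning a shell whose command line carries a long whitespace run (or the older "#" padding) and ends in a decoy file path. The Python detector below is an added example, not code from the article or from Acronis; the event tuples, the `STAGE1_PLACEHOLDER` token and the 20-space threshold are constructed assumptions, and it runs over the embedded samples rather than a live telemetry source.

```python
import re

# Constructed sample process-creation events (parent image, child image,
# command line); not from the article or from Acronis. The 200-space run mimics
# the FileFix padding that pushes the real command out of the address bar's
# visible area, leaving only the decoy file path on screen.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell.exe -w hidden -c "STAGE1_PLACEHOLDER"' + " " * 200
     + r"C:\Users\Public\Downloads\incident_report.pdf"),
    ("explorer.exe", "powershell.exe",  # older ClickFix-style '#' padding
     'powershell.exe -c "STAGE1_PLACEHOLDER" # ' + r"C:\Users\Public\report.pdf"),
    ("services.exe", "powershell.exe",  # benign scheduled script, no padding
     r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\patch.ps1"),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

MIN_PAD = 20  # assumed threshold: no legitimate command line needs a run this long
WHITESPACE_RUN = re.compile(r"[ \t]{%d,}" % MIN_PAD)
HASH_COMMENT = re.compile(r"\s#\s")
TRAILING_PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+\s*$")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def filefix_indicators(parent, child, cmdline):
    """Return the indicator names matched by one process-creation event."""
    hits = []
    if parent.lower() == "explorer.exe" and child.lower() in SHELLS:
        hits.append("shell_spawned_by_explorer")
    if WHITESPACE_RUN.search(cmdline):
        hits.append("whitespace_padding")
    if HASH_COMMENT.search(cmdline):
        hits.append("hash_comment_padding")
    if TRAILING_PATH.search(cmdline):
        hits.append("trailing_decoy_path")
    return hits


def is_suspicious(parent, child, cmdline):
    """Alert when the explorer->shell edge is corroborated by padding plus a decoy path.
    The edge alone is noisy (users launch terminals), so the hiding pattern is required."""
    hits = set(filefix_indicators(parent, child, cmdline))
    padded = bool({"whitespace_padding", "hash_comment_padding"} & hits)
    return "shell_spawned_by_explorer" in hits and padded and "trailing_decoy_path" in hits


def scan(events):
    """Return the indices of events that match the FileFix pattern."""
    return [i for i, ev in enumerate(events) if is_suspicious(*ev)]
```

Against the embedded samples, `scan(SAMPLE_EVENTS)` flags the two padded explorer-to-PowerShell events and leaves the scheduled script and the notepad launch alone.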
This campaign is a clear example of the constant cat-and-mouse game between attackers and cybersecurity professionals. The attackers’ use of File Explorer, clipboard manipulation, and steganography demonstrates a high level of technical proficiency and a deep understanding of user behavior. It highlights the need for both users and security solutions to be aware of these new and evolving threats. Staying vigilant and recognizing the signs of phishing attacks, even when they appear to be from trusted sources like Meta, is crucial for protecting personal data and preventing malware infections.