ClickFix (Dropper) – Malware

Overview

The landscape of cyber threats continues to evolve with increasing sophistication, and one of the latest additions to this dangerous realm is the ClickFix malware. Discovered by cybersecurity researchers in mid-April 2024, ClickFix represents a novel approach in malware delivery, leveraging cunning social engineering tactics to deceive users into compromising their own systems. Unlike traditional malware distribution methods, ClickFix operates through a web-based attack vector, exploiting user trust and interface design to execute malicious code.

ClickFix initially appeared as a seemingly benign browser error message displayed on compromised websites. This message, which mimics legitimate system notifications, prompts users to open PowerShell with administrative privileges and paste a provided script. The script, designed to be executed in the PowerShell terminal, then facilitates the download and installation of additional malicious payloads. This approach not only exploits user trust but also bypasses conventional security measures, as the execution of malicious code is initiated directly by the user.

The malware campaign associated with ClickFix has been characterized by its use of iframe injections and fake error messages. These messages are engineered to appear as urgent system notifications, convincing users to follow the provided instructions without questioning their legitimacy. Once the script is executed, ClickFix can deploy a range of malicious payloads, including information stealers and remote access tools, thereby compromising the victim’s system and potentially leading to further security breaches.

Targets

Individuals.

How they operate

1. Delivery Mechanism: Fake Error Messages

The ClickFix malware campaign begins with the injection of a malicious iframe into compromised websites. This iframe presents the user with a convincing fake error message, often styled to resemble legitimate system or browser notifications. The error message typically claims that a critical update or system fix is required, prompting the user to take immediate action. The message instructs the user to open PowerShell with administrative privileges and paste a provided script. The trick lies in the authenticity of the error message, which is designed to appear as a genuine system alert, thus bypassing users’ natural skepticism.

2. Execution of Malicious PowerShell Scripts

Upon following the instructions in the fake error message, users are guided to execute a PowerShell script. The script is usually copied to the clipboard via browser-side JavaScript, which is often embedded in the malicious iframe. When the user pastes and runs the script in PowerShell, it triggers a chain of events leading to the execution of additional malicious payloads. The initial script typically performs several preliminary actions, including clearing clipboard contents, flushing DNS caches, and displaying misleading messages to cover its tracks.

3. Payload Delivery and Execution

The primary function of the initial PowerShell script is to download and execute subsequent payloads. This is achieved through a multi-stage process where the first script downloads additional scripts or executables from remote servers. These payloads are often packaged in ZIP files and can include various types of malware, such as information stealers, remote access tools (RATs), and cryptocurrency miners. For instance, one observed variant involved the download of Lumma Stealer, which subsequently downloaded and executed other malware, including Amadey Loader, XMRig cryptocurrency miner, and clipboard hijackers.

4. Evasion Techniques and Persistence

ClickFix employs several evasion techniques to avoid detection and ensure persistence. By leveraging legitimate tools like PowerShell, it bypasses many traditional antivirus and endpoint detection systems, which often struggle to inspect clipboard contents and dynamic script execution. Additionally, ClickFix scripts often include obfuscation and encoding methods, such as double-Base64 encoding, to further obscure their malicious intent. This complexity not only complicates detection efforts but also makes it challenging for users to recognize and counteract the threat before it’s too late.

5. Impact and Mitigation

The impact of ClickFix can be severe, leading to compromised systems, data theft, and further propagation of malware within the targeted network. Organizations and individuals are advised to implement robust security measures, including user training on recognizing social engineering attacks, employing advanced threat detection solutions, and maintaining updated security patches. Vigilance in monitoring network traffic and user activity can also help in early detection and response to such sophisticated attacks.

References

• From Clipboard to Compromise: A PowerShell Self-Pwn