FileFix Attack Evades Security Tools

October 10, 2025

Security researchers have identified a new variant of the FileFix social engineering attack that uses a technique called cache smuggling to get its payload onto disk without a conventional download. The lure impersonates a “Fortinet VPN Compliance Checker” and was first reported by the researcher P4nd3m1cb0y. FileFix itself was devised by the researcher Mr.d0x as a successor to ClickFix: where ClickFix tricks users into pasting a command into the Windows Run dialog, FileFix has the victim paste it into the File Explorer address bar, which launches whatever command the pasted text contains. The new variant keeps that lure but changes how the malware arrives: the PowerShell command the victim ends up running never fetches anything from the network.

In the campaign, victims land on a phishing page that shows a dialog posing as a Fortinet VPN “Compliance Checker” and instructs them to copy a network path and paste it into File Explorer. The visible text is a short path such as “\Public\Support\VPN\ForticlientCompliance.exe”, but the string placed on the clipboard is far longer: a PowerShell command separated from that decoy path by more than a hundred spaces. Because the address bar shows a single line of text, the padding pushes the command out of view and the victim sees nothing but the harmless-looking path.

When the victim presses Enter, Explorer launches the full command, not the path. The PowerShell stage creates a new folder, copies the browser’s cache files into it, and searches those files with regular expressions for a ZIP archive hidden inside what the browser stored as an image. Once it finds the archive it extracts it and runs the executable inside, named “FortiClientComplianceChecker.exe”, which deploys the malware. All of this runs in the background, so the user sees nothing beyond the path they pasted.

The cache smuggling step explains how the archive got onto the disk without ever being downloaded as a file. When the victim first opens the phishing page, JavaScript on the page makes the browser fetch what looks like an image. The HTTP response carries a Content-Type of “image/jpeg”, but the body is the ZIP archive. The browser does not verify that the bytes are really a JPEG; it writes the response into its on-disk cache like any other image. By the time the victim pastes the command, the payload is therefore already on the machine, and the PowerShell stage only has to find and unpack it.

This is what lets the attack slip past many security products. As researcher Marcus Hutchins put it, “Neither the webpage nor the PowerShell script explicitly download any files.” The browser is used to smuggle the payload in as a cached image, and the PowerShell stage makes no web request of its own, so controls that watch for script-initiated downloads or for outbound connections from PowerShell see nothing to flag. What does remain visible is the process tree: the command is launched by whichever process owns the address bar (explorer.exe for a standalone File Explorer window, or the browser process when the address bar belongs to a browser-owned file dialog), so a PowerShell process spawned from one of those parents that then reads the browser cache directory is the telemetry a detection engineer should hunt for. FileFix-style attacks have already been adopted by a range of cybercriminal groups, including ransomware gangs, and cache smuggling makes them considerably stealthier.
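The artefact the two preceding stages hinge on (a cached response served as image/jpeg whose body is really a ZIP, and the signature scan that carves it back out) can be modelled in a few lines. The block below is an added example written for this page; it is not code from the article, from P4nd3m1cb0y or from Mr.d0x, and every input in it is constructed here (the member name “FortiClientComplianceChecker.exe” is reused from the article purely as a label). It goes slightly beyond the article by treating the same artefact from the defender’s side: it checks a cached body against the magic bytes of its declared type, scans for an embedded archive the way the described PowerShell stage does, and validates any hit with a real ZIP parser so that a chance “PK\x03\x04” inside compressed image data does not raise a false alarm.

```python
# Added example, not code from the article or from the researchers it cites.
# Models a cache-smuggled payload: an HTTP body labelled image/jpeg that
# actually carries a ZIP archive, and the carving that recovers it.
# All sample bodies, names and verdict labels are constructed here.
import io
import re
import zipfile

# Local-file-header signature that begins every ZIP archive; this is what the
# reported PowerShell stage searches the copied cache for with a regex.
ZIP_LOCAL_HEADER = re.compile(rb"PK\x03\x04")

# Leading bytes a body must start with to plausibly be its declared type.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
}
# Declared types for which an archive body is expected, hence not suspicious.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}


def build_polyglot(member_name: str, payload: bytes, prefix: bytes = None) -> bytes:
    """Constructed sample: a JPEG SOI + APP0 marker (padded to 64 bytes)
    followed by a genuine ZIP holding one member, mirroring the fake-image
    layout the article describes. Pass prefix=b"" for a bare archive."""
    if prefix is None:
        prefix = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return prefix + buf.getvalue()


def content_type_matches(content_type: str, body: bytes) -> bool:
    """True when the body starts with the magic bytes of its declared type.
    Types not in MAGIC are not judged here and pass."""
    magic = MAGIC.get(content_type.split(";")[0].strip().lower())
    return True if magic is None else body.startswith(magic)


def carve_zip(body: bytes):
    """Scan for ZIP local-header signatures; return (offset, member names)
    for the first candidate that parses and passes CRC checks, else None."""
    for m in ZIP_LOCAL_HEADER.finditer(body):
        try:
            with zipfile.ZipFile(io.BytesIO(body[m.start():])) as zf:
                if zf.testzip() is None:          # every member's CRC is intact
                    return m.start(), zf.namelist()
        except zipfile.BadZipFile:
            continue                               # signature bytes by chance
    return None


def triage_cache_entry(content_type: str, body: bytes) -> dict:
    """Classify one cached response. A magic-byte check alone is not enough:
    the polyglot passes it because it genuinely starts like a JPEG."""
    magic_ok = content_type_matches(content_type, body)
    carved = None if content_type in ARCHIVE_TYPES else carve_zip(body)
    if carved is not None:
        verdict = "smuggled-archive"
    elif not magic_ok:
        verdict = "type-mismatch"
    else:
        verdict = "clean"
    return {
        "declared": content_type,
        "magic_ok": magic_ok,
        "zip_offset": None if carved is None else carved[0],
        "members": [] if carved is None else carved[1],
        "verdict": verdict,
    }


# Constructed cache entries: (Content-Type as served, body as stored on disk).
SAMPLE_CACHE = [
    ("image/jpeg", build_polyglot("FortiClientComplianceChecker.exe", b"MZ" + b"\x00" * 64)),
    ("image/jpeg", build_polyglot("payload.bin", b"\x00" * 16, prefix=b"")),   # bare ZIP as "image"
    ("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32 + b"\xff\xd9"),
    ("application/zip", build_polyglot("update.zip", b"data", prefix=b"")),   # archive where expected
]


def triage_all(entries=SAMPLE_CACHE):
    """Run the triage over a list of cache entries and return the verdicts."""
    return [triage_cache_entry(ct, body) for ct, body in entries]


if __name__ == "__main__":
    for r in triage_all():
        print(r["declared"], r["verdict"], r["zip_offset"], r["members"])
```

Two points worth noting when running this against a real cache directory. First, the JPEG prefix does not damage the archive: ZIP readers locate the central directory from the end of the file and correct for leading bytes, so `zipfile.ZipFile` would open the whole polyglot even without slicing at the signature offset, which is exactly why the smuggled file survives caching as a working archive. Second, browser caches store response bodies inside their own container formats, so in practice the scan runs over the extracted body of each entry (or, as the described attack does, over a straight copy of the cache files), and the declared Content-Type comes from the cached response headers.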

Reference:

  • New FileFix Attack Uses Cache Smuggling Tactic To Bypass Security Defenses