A cybersecurity researcher has developed FileFix, a new social engineering attack that is now being called FileFix. It is a unique variant of the ClickFix attack that tricks users into executing some malicious commands on their systems. These commands are cleverly executed through the File Explorer address bar in the Microsoft Windows operating system. The new method was discovered by a researcher and could be used in attacks targeting unsuspecting company employees. This technique circumvents many security awareness training programs that focus primarily on recognizing traditional Run Dialog-based attacks.
FileFix attacks begin with a very convincing phishing webpage that has been designed to mimic legitimate file-sharing services. The page includes an “Open File Explorer” button that copies the malicious PowerShell command to the user’s clipboard. Users are then instructed to paste what they believe is just a simple file path into the File Explorer address bar. A key aspect of this specific attack involves command obfuscation, which hides the actual script from the unsuspecting user. The malicious PowerShell command is hidden by concatenating a dummy file path within a special PowerShell comment. This causes only the fake path to be initially seen, making the malicious command completely invisible to the victims.
This new attack method exploits Windows File Explorer’s ability to execute commands directly from its well-known address bar.
This is a legitimate Windows feature that many ordinary computer users are completely unaware even exists on their systems. Researchers have also identified a secondary variation that involves downloading and then executing a separate malicious executable file. This particular variation leverages the fact that programs run this way can have their Mark of the Web attribute removed. This could potentially bypass certain security controls that rely on the Mark of the Web for modern threat detection.
The original ClickFix attacks have proven to be a very efficient method to deploy malware on user systems. North Korean state hacker group ‘Kimsuky’ has included ClickFix elements in one of their recent malware campaigns. In another campaign, cybercriminals impersonated Booking.com to deliver infostealers and remote access trojans to hospitality workers. The emergence of FileFix demonstrates how threat actors continuously adapt their techniques to bypass existing security measures. Experts now recommend monitoring for suspicious child processes that are being spawned by the different web browsers. Organizations should also update their security awareness training to include these new File Explorer-based attack vectors.
Reference:
