Security Brief: ClickFix Social Engineering Technique Expands Threat Landscape

Summary:

Proofpoint researchers have identified a rise in the ClickFix social engineering technique, which deceives users into executing malicious PowerShell commands by displaying fake error messages. This method has been observed across various threat actors and campaigns, leading to the distribution of multiple malware types.

Key points:

  • ClickFix is a social engineering technique that tricks users into running malicious PowerShell commands.
  • Initially observed in campaigns by TA571 and ClearFake, ClickFix has gained popularity among various threat actors.
  • The technique involves fake error messages that prompt users to copy and paste malicious scripts.
  • Threat actors have impersonated well-known software like Microsoft Word and Google Chrome to execute ClickFix attacks.
  • Recent campaigns have utilized a fake CAPTCHA to enhance the ClickFix technique.
  • Proofpoint identified multiple malware types associated with ClickFix, including AsyncRAT, Danabot, and Lumma Stealer.
  • ClickFix campaigns have targeted organizations globally, with notable incidents reported in Ukraine and Switzerland.
  • Organizations are encouraged to train users specifically on recognizing ClickFix techniques to prevent exploitation.

MITRE Techniques:

  • Execution (T1059): Uses PowerShell to execute malicious scripts on compromised systems.
  • Command and Control (T1071): Utilizes various domains and URLs to maintain communication with compromised systems.
  • Credential Access (T1003): Targets user credentials through malware like Lumma Stealer and AsyncRAT.
  • Exploitation of Public-Facing Application (T1190): Exploits vulnerabilities in software to gain initial access.
  • Phishing (T1566): Employs social engineering tactics to deceive users into executing malicious commands.

IoC:

  • [domain] eemmbryequo[.]shop
  • [domain] reggwardssdqw[.]shop
  • [domain] relaxatinownio[.]shop
  • [domain] tendencctywop[.]shop
  • [domain] licenseodqwmqn[.]shop
  • [domain] keennylrwmqlw[.]shop
  • [domain] promptcraft[.]online
  • [url] hxxps://github-scanner[.]com/l6E.exe
  • [file hash] d9ab6cfa60cc75785e31ca9b5a31dae1c33022bdb90cb382ef3ca823c627590d
  • [file hash] d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207
  • [ip address] 185[.]91[.]69[.]119
  • [url] hxxp://31[.]214[.]157[.]49/A6DxMijz_hdKR2Jol_PIMar1Q8[.]txt
  • [url] hxxp://178[.]215[.]224[.]252/v10/ukyh[.]php
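As an added, defender-side example (not code from Proofpoint or from the brief), the following Python script refangs the indicators listed above and checks them against log lines. The indicator values are copied verbatim from the list; the sample DNS, proxy, EDR and firewall log lines, their field names and the 10.0.0.x client addresses are constructed for illustration and are not from the research.

```python
import re
from typing import Dict, List, Pattern, Set, Tuple

# Indicators copied verbatim from the brief, in the defanged form it uses.
DEFANGED_IOCS = [
    "[domain] eemmbryequo[.]shop",
    "[domain] reggwardssdqw[.]shop",
    "[domain] relaxatinownio[.]shop",
    "[domain] tendencctywop[.]shop",
    "[domain] licenseodqwmqn[.]shop",
    "[domain] keennylrwmqlw[.]shop",
    "[domain] promptcraft[.]online",
    "[url] hxxps://github-scanner[.]com/l6E.exe",
    "[file hash] d9ab6cfa60cc75785e31ca9b5a31dae1c33022bdb90cb382ef3ca823c627590d",
    "[file hash] d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207",
    "[ip address] 185[.]91[.]69[.]119",
    "[url] hxxp://31[.]214[.]157[.]49/A6DxMijz_hdKR2Jol_PIMar1Q8[.]txt",
    "[url] hxxp://178[.]215[.]224[.]252/v10/ukyh[.]php",
]

# Constructed log lines (hypothetical hosts and field names) used to exercise the matcher.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dns client=10.0.0.5 query=eemmbryequo.shop type=A",
    "2024-01-01T10:00:02Z proxy client=10.0.0.5 GET https://github-scanner.com/l6E.exe status=200",
    "2024-01-01T10:00:05Z edr host=ws-17 process=powershell.exe "
    "sha256=d9ab6cfa60cc75785e31ca9b5a31dae1c33022bdb90cb382ef3ca823c627590d",
    "2024-01-01T10:00:07Z proxy client=10.0.0.6 GET https://example.com/index.html status=200",
    "2024-01-01T10:00:09Z fw src=10.0.0.5 dst=185.91.69.119 dport=443 action=allow",
    "2024-01-01T10:00:11Z dns client=10.0.0.6 query=notpromptcraft.online type=A",
    "2024-01-01T10:00:13Z dns client=10.0.0.7 query=cdn.promptcraft.online type=A",
]

IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)$")


def refang(value: str) -> str:
    """Undo the defanging used in the brief so values look like what logs contain."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_iocs(lines: List[str]) -> Dict[str, Set[str]]:
    """Group refanged, lower-cased indicator values by their bracketed kind."""
    iocs: Dict[str, Set[str]] = {}
    for raw in lines:
        m = IOC_LINE.match(raw.strip())
        if not m:
            continue
        iocs.setdefault(m["kind"], set()).add(refang(m["value"]).lower())
    return iocs


def compile_patterns(iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, Pattern[str]]]:
    """Build one anchored, case-insensitive regex per indicator.

    Domains match on label boundaries, so a subdomain of a listed domain is a hit
    but a longer label such as "notevil.shop" for "evil.shop" is not.
    """
    patterns: List[Tuple[str, str, Pattern[str]]] = []
    for kind, values in iocs.items():
        for value in sorted(values):
            esc = re.escape(value)
            if kind == "domain":
                rx = rf"(?<![\w-]){esc}(?![\w-])"
            elif kind == "ip address":
                rx = rf"(?<![\d.]){esc}(?!\.?\d)"   # no longer dotted-quad around it
            elif kind == "file hash":
                rx = rf"(?<![0-9a-f]){esc}(?![0-9a-f])"
            else:  # url: exact substring
                rx = esc
            patterns.append((kind, value, re.compile(rx, re.IGNORECASE)))
    return patterns


def scan_logs(log_lines: List[str],
              patterns: List[Tuple[str, str, Pattern[str]]]) -> List[Tuple[int, str, str]]:
    """Return (line index, indicator kind, indicator value) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(log_lines):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((idx, kind, value))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS, compile_patterns(parse_iocs(DEFANGED_IOCS))):
        print(f"line {idx}: {kind} {value}")
```

Feeding real DNS, proxy and EDR exports through `scan_logs` in place of `SAMPLE_LOGS` gives a quick retrospective sweep for these indicators; the boundary anchoring keeps a look-alike such as `notpromptcraft.online` from producing a false hit while still catching a subdomain of a listed domain.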

Full Research: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape