"Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths," Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week. In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity.
As is typically the case with ClickFix attacks, users are tricked into executing malicious commands using the Windows Run dialog in order to complete a reCAPTCHA verification check on bogus phishing pages. The command initiates a multi-step process that involves using the "mshta.exe" binary to launch a PowerShell script that's responsible for downloading a .NET downloaded from MediaFire, a file hosting service.
FileFix is a variation on ClickFix, a newish type of social-engineering technique first spotted last year that tricks victims into running malware on their own devices using fake fixes and login prompts. These types of attacks have surged by 517 percent in the past six months, according to researchers at antivirus and internet security software vendor ESET, making them second most common attack vector behind phishing.
