ClickFix and the Auto Supply Chain

The websites of over 100 car dealerships were found serving malicious ClickFix code after a third-party domain was compromised in a supply chain attack.  As part of the compromise, a threat actor infected LES Automotive, a shared video service unique to dealerships, so that websites using the service would serve a ClickFix webpage to their visitors.

A ClickFix attack relies on malicious code on a webpage to display a prompt asking the user to fix an error or complete a reCAPTCHA challenge to prove they are human.  When the user clicks on the prompt, a malicious command is copied to the clipboard, and the user is instructed to press keyboard combinations that open the Windows Run prompt, paste the copied command into it, and execute it.[1]

The social engineering technique has been used for a couple of years but started gaining popularity among cybercriminals and APTs last year, with a surge in adoption observed over the past several months.

In October 2024, HHS warned of Russian-speaking cybercriminals using the ClickFix technique in their attacks since at least April 2024.  ClickFix has been used to spread information stealers and other types of malware to users across various sectors. Recently, Microsoft warned of a widespread campaign targeting the hospitality industry.

As security researcher Randy McEoin warned, visitors to the websites of more than 100 auto dealerships using LES Automotive were targeted in a ClickFix campaign distributing the SectopRAT malware.

The attack used the fake reCAPTCHA variation of ClickFix, relying on PowerShell commands to deploy payloads on the victim’s machine and ultimately infect it with the remote access trojan.
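
One way to triage a host after a suspected ClickFix paste, as an added example that is not from the article or its sources: commands run from the Windows Run dialog are recorded per user under the `RunMRU` registry key, so that history can be checked for PowerShell launches that look like a fake verification prompt. The sample `reg query` output, the indicator list and the function names are constructed assumptions.

```python
import re

# Constructed sample of `reg query` output for the per-user Run dialog history
# (HKCU ...\Explorer\RunMRU). Each stored command ends with "\1".
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    MRUList    REG_SZ    dcba
    b    REG_SZ    powershell -w hidden <placeholder-command> https://example.invalid/x # I am not a robot: reCAPTCHA ID 4821\1
    c    REG_SZ    \\fileserver\share\1
    d    REG_SZ    powershell\1
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*)$")
INTERPRETER = re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I)
# Assumed indicator set: illustrative heuristics, not taken from the article.
INDICATORS = [
    ("hidden_window", re.compile(r"\s-w[a-z]*\s+(hidden|1)\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
    ("verification_lure", re.compile(r"captcha|not a robot|verif", re.I)),
]

def parse_runmru(text):
    """Return [(value_name, command)] ordered most-recent-first via MRUList."""
    entries, order = {}, ""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name == "MRUList":
            order = data
        else:
            # Drop the "\1" suffix the Run dialog appends to each entry.
            entries[name] = data[:-2] if data.endswith("\\1") else data
    names = [n for n in order if n in entries]
    names += [n for n in sorted(entries) if n not in names]
    return [(n, entries[n]) for n in names]

def triage(text):
    """Flag Run-dialog entries that start PowerShell and show any indicator."""
    findings = []
    for name, cmd in parse_runmru(text):
        if not INTERPRETER.search(cmd):
            continue
        hits = [label for label, rx in INDICATORS if rx.search(cmd)]
        if hits:
            findings.append({"value": name, "indicators": hits, "command": cmd})
    return findings
```

A bare `powershell` entry with no other indicator is deliberately not flagged, since administrators often open a shell from the Run dialog.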

The JavaScript code designed to copy the malicious code to the clipboard, McEoin discovered, contained at least one comment in Russian. Users, he notes, would often be served a benign version of the script, which suggests that the injection was likely performed dynamically.

SectopRAT is a sophisticated piece of malware designed to provide attackers with remote access to the infected systems.  This remote access trojan (RAT) enables cybercriminals to take control of the victim’s machine, potentially leading to data theft, further malware deployment, or even complete system compromise.  The use of PowerShell commands to deploy the payloads makes it particularly dangerous, as it can bypass traditional security measures and remain undetected for extended periods.

Related Article: https://redskyalliance.org/xindustry/booking-com-and-clickfix

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.securityweek.com/100-car-dealerships-hit-by-supply-chain-attack/
