A new spin on the ClickFix attack is making the rounds, and it is designed to circumvent some of the strategies organizations have for mitigating them.  ClickFix and its slightly more elegant offshoot, FileFix, are notorious for being almost inexplicably manipulative. Attackers persuade victims to run commands on their computers that they never otherwise would and may never have before.  Now there's a new variant, deemed "JackFix," that gives more logical context to those strange actions victims are made to perform.  JackFix ratchets up the psychological trickery to 100, with an anxiety-inducing phishing lure and an old-fashioned screen lock.  And it has a few simple technical tricks for duping security solutions, too.[1]

The result: hundreds of reports of JackFix have been pouring into VirusTotal, "much higher than other [ClickFix] campaigns we've seen recently," reports Acronis senior security researcher Eliad Kimhy.  Those reports have largely been concentrated in the US but also span across Europe.

In the traditional ClickFix attack, victims are presented with some kind of fake technical issue.  This does give context to the task they have to fulfill, copying and pasting code they don't understand into the Windows Run dialog, but it does not necessarily get your heart racing.  To really capture victims' attention and help them forget their better instincts, the seemingly Russian-speaking cybercriminals behind JackFix pulled from the old hacker playbook.

See: https://redskyalliance.org/xindustry/clickfix-attack-storm-1865-1

Through malvertising or some other means of phishing, victims are attracted to fake versions of popular pornography sites, then as soon as they interact with the page, they're hit with a Windows blue screen.  The screen is fake, but it does a solid job of recreating a real critical Windows update.  It consumes the entire screen and includes both a fake progress counter and the loading animation of dots traveling in a circle. Certain keyboard shortcuts are also blocked to prevent users from escaping.

For Kimhy, it recalls those sweat-inducing ransomware attacks of old.  "Back in the early days of ransomware, attackers had figured out there is no need to completely ransom a computer's files, when you could just lock the screen and try to convince the victim to send you money," he wrote.  A panicked user may be more likely to perform actions they're not used to, like running malicious commands in the Run dialog, and the format can be taken in any number of creative directions, Kimhy noted, which "may turn out to be far more compelling and flexible than a traditional ClickFix attack."

Even if the human victim of a ClickFix attack gets wrapped up in the ruse, there are plenty of ways security programs can pick up the slack.  For instance, in a typical ClickFix attack, a website copies malicious code to the user's clipboard, then instructs them on how to run it.  In theory, string or pattern-based rules might catch the scripts that handle copying to the clipboard, and the known malicious actions that the victim runs on their machine.  So JackFix encodes into an array both the JavaScript used for copying to the clipboard and the malicious commands the user is supposed to run, and only reconstructs them at runtime, in memory.

Or say a victim runs an attacker's code in the Run dialog, and the code invokes a URL where some malware lies.  Any number of network security protections might detect traffic to a known malicious URL and block it.  To solve this, the site behind JackFix's URL performs content-based filtering, splitting incoming traffic into two groups.  If a visitor reaches the site directly, it automatically redirects them to a benign website, like Google or Steam.  Only when the site is reached through the JackFix attack flow does it reveal its true nature and serve malware.  This makes the site more difficult to analyze and less likely to be tagged by threat intelligence tools, and thus it largely avoids being flagged as malicious by programs that see it along the attack chain.

The PowerShell script downloaded from that URL is large and heavily obfuscated, with dead code and random variable names designed to defeat static analysis.  It then prompts the user to grant it administrative privileges and continues to pester them until they accept.  After granting itself a variety of exclusions in Microsoft Defender, the script recruits a flurry of up to eight separate commercial malware samples.  These include some of the most popular infostealers in the cyber underground: Rhadamanthys, Vidar 2.0, RedLine, and Amadey, plus a series of loaders.  Acronis characterized it as "the most egregious example of spray and pray we've ever seen."
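Two host artifacts that the chain described above leaves behind are worth hunting for: whatever the victim typed into the Run dialog (Windows keeps it in the RunMRU registry key) and Defender configuration changes (Defender logs Event ID 5007 each time its configuration, including exclusions, changes). The script below is an added example, not code from the article or from Acronis; the interpreter/downloader keyword list and the 24-hour window are assumptions to tune for your environment.

```powershell
# Added example: hunt for ClickFix/JackFix-style artifacts on a Windows host.
# Run in an elevated PowerShell session on the host under investigation.

# 1. Run dialog history. Commands entered into Win+R are stored under RunMRU
#    as values a, b, c, ... with a trailing "\1". Flag interpreters and
#    download tools that a ClickFix-style lure typically asks the victim to run.
function Get-SuspiciousRunMru {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    # Assumed keyword list; extend with what your telemetry shows.
    $pattern = 'powershell|pwsh|mshta|curl|certutil|bitsadmin|cmd\s*/c|-enc|iex|DownloadString'
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' -and $_.Value -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Slot    = $_.Name
                Command = ($_.Value -replace '\\1$', '')
            }
        }
}

# 2. Defender configuration changes. Event ID 5007 in the Defender Operational
#    log records every configuration change; the message names the registry
#    value that changed, so exclusion additions contain "Exclusions".
function Get-RecentDefenderExclusionChanges {
    param([int]$Hours = 24)   # assumed look-back window
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-SuspiciousRunMru | Format-Table -AutoSize
Get-RecentDefenderExclusionChanges | Format-List
```

RunMRU only covers the user profile the script runs under; on a shared host, load each user's hive or query the equivalent key under HKEY_USERS.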

In the end, there are ClickFix mitigations that JackFix doesn't address.  For example, organizations can address all ClickFix variants by simply disabling Windows Run for certain employees that don't need it, using Group Policy settings.  Or, Kimhy adds, "if the organization can do anything to limit the browser's ability to make a page full screen, that could take a lot of stings out of this attack."
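The two mitigations named above map to concrete policy settings: the Group Policy "Remove Run menu from Start Menu" is backed by the NoRun registry value, and both Microsoft Edge and Google Chrome honour a machine-level FullscreenAllowed policy. The script below is an added example, not from the article, that applies them as local registry policy and verifies the result; it assumes a standalone host (in a domain, set the same values through a GPO) and that Edge and Chrome are the browsers in use.

```powershell
# Added example: apply and verify the ClickFix/JackFix mitigations the article
# names, as local registry policy. Run in an elevated PowerShell session.

# Mitigation 1: remove the Run dialog (Win+R) for the current user profile.
# NoRun is the value behind the GPO "Remove Run menu from Start Menu".
function Disable-RunDialog {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'NoRun' -Value 1 -Type DWord
}

# Mitigation 2: stop the browser from entering full-screen mode, so a fake
# "critical update" page cannot cover the whole desktop (0 = not allowed).
function Disable-BrowserFullscreen {
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                     'HKLM:\SOFTWARE\Policies\Google\Chrome') {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'FullscreenAllowed' -Value 0 -Type DWord
    }
}

# Verification: $true only when every expected value is present and correct.
function Test-JackFixMitigations {
    $checks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name = 'NoRun';             Expected = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
           Name = 'FullscreenAllowed'; Expected = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
           Name = 'FullscreenAllowed'; Expected = 0 }
    )
    $ok = $true
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -ne $c.Expected) {
            Write-Warning "$($c.Path)\$($c.Name) is '$v', expected $($c.Expected)"
            $ok = $false
        }
    }
    return $ok
}

Disable-RunDialog
Disable-BrowserFullscreen
Test-JackFixMitigations
```

Users must sign out and back in (or Explorer must restart) before NoRun takes effect, and browsers pick up the policy on their next launch.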

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.darkreading.com/threat-intelligence/jackfix-attack-clickfix-mitigations
