ClickFix Attack Evolves: Hackers Replace PowerShell with Cmdkey and Regsvr32 for Stealthier Malware Delivery
Cybersecurity researchers have identified a new and more sophisticated variant of the ClickFix attack, which now leverages native Windows utilities—specifically `cmdkey` and `regsvr32`—to deliver malware stealthily. This evolution marks a significant shift from previous methods that primarily utilized PowerShell, thereby enhancing the attack’s ability to evade detection.
Understanding the ClickFix Attack
The ClickFix technique is a social engineering strategy that deceives users into executing malicious commands on their systems. Traditionally, attackers have employed fake CAPTCHA pages or error messages to prompt victims to paste and run commands via the Windows Run dialog, which would then invoke PowerShell to fetch and execute a payload. This method exploits human psychology, relying on users’ trust and compliance to initiate the attack.
The New Variant: A Shift in Tactics
In this latest iteration, attackers have abandoned PowerShell in favor of chaining native Windows tools—`cmdkey` and `regsvr32`—to silently deliver a remote payload without leaving traces on the disk. This approach complicates detection efforts, as it blends malicious activities with legitimate system processes.
Detailed Attack Chain
1. Initial Deception: The attack begins when a user visits a phishing page designed to mimic a legitimate CAPTCHA verification screen. The page instructs the user to open the Windows Run dialog (Win + R), paste a pre-loaded command, and press Enter.
2. Command Execution: The command executed is compact yet potent, performing two primary actions:
– Credential Storage: Utilizing the `cmdkey` utility, the command stores credentials for a remote IP address (e.g., 151.245.195[.]142) under the username guest.
– Payload Retrieval and Execution: The command then employs `regsvr32` to silently load a malicious DLL (`demo.dll`) from the attacker’s SMB share via a UNC path.
An embedded REM comment within the command reads I am not a robot, further disguising the malicious intent and making the process appear as a legitimate verification step.
Implications for Detection and Defense
This evolution in the ClickFix attack presents significant challenges for traditional detection mechanisms:
– Living off the Land Binaries (LOLBins): By leveraging trusted Windows utilities (`cmdkey` and `regsvr32`), the attack operates within the bounds of normal system behavior, making it difficult for security solutions to flag the activity as malicious.
– Fileless Execution: The attack does not drop any files onto the disk, reducing the likelihood of detection by antivirus programs that monitor for suspicious file activity.
– User-Driven Execution: The reliance on user actions to initiate the attack allows it to bypass many automated security measures, as the execution appears to be user-authorized.
Recommendations for Mitigation
To defend against this advanced ClickFix variant, organizations and individuals should consider the following measures:
1. User Education: Conduct regular training sessions to raise awareness about social engineering tactics, emphasizing the importance of verifying the authenticity of prompts requesting command execution.
2. Restricting Utility Usage: Implement policies that limit the use of native Windows utilities like `cmdkey` and `regsvr32` to essential functions, reducing the potential for misuse.
3. Behavioral Monitoring: Deploy advanced behavioral analysis tools capable of detecting anomalies in system processes and user activities, even when they involve legitimate utilities.
4. Network Controls: Monitor and control outbound network traffic to prevent unauthorized connections to external IP addresses, which could be indicative of command and control communications.
5. Regular Updates: Keep all systems and security solutions updated to ensure they can recognize and respond to the latest threats.
Conclusion
The adaptation of the ClickFix attack to utilize `cmdkey` and `regsvr32` underscores the continuous evolution of cyber threats and the need for proactive defense strategies. By understanding the mechanics of such attacks and implementing comprehensive security measures, organizations can better protect themselves against these sophisticated social engineering tactics.
