A intelligent malware deployment scheme first noticed in focused assaults final 12 months has now gone mainstream. In this rip-off, dubbed “ClickFix,” the customer to a hacked or malicious web site is requested to tell apart themselves from bots by urgent a mixture of keyboard keys that causes Microsoft Windows to obtain password-stealing malware.
Click onFix assaults mimic the “Verify You are a Human” exams that many web sites use to separate actual guests from content-scraping bots. This specific rip-off normally begins with a web site popup that appears one thing like this:
This malware assault pretends to be a CAPTCHA supposed to separate people from bots.
Clicking the “I’m not a robot” button generates a pop-up message asking the person to take three sequential steps to show their humanity.
Executing this sequence of keypresses prompts Windows to obtain password-stealing malware.
Step 1 entails concurrently urgent the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” immediate that can execute any specified program that’s already put in on the system.
Step 2 asks the person to press the “CTRL” key and the letter “V” on the similar time, which pastes malicious code from the location’s digital clipboard.
Step 3 — urgent the “Enter” key — causes Windows to obtain and launch malicious code by “mshta.exe,” a Windows program designed to run Microsoft HTML software recordsdata.
“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” Microsoft wrote in a weblog submit on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”
According to Microsoft, hospitality staff are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The firm stated attackers have been sending malicious emails impersonating Booking.com, usually referencing unfavorable visitor evaluations, requests from potential visitors, or on-line promotion alternatives — all in a bid to persuade individuals to step by certainly one of these Click onFix assaults.
In November 2024, KrebsOnSecurity reported that lots of of inns that use reserving.com had been topic to focused phishing assaults. Some of these lures labored, and allowed thieves to achieve management over reserving.com accounts. From there, they despatched out phishing messages asking for monetary data from individuals who’d simply booked journey by the corporate’s app.
Earlier this month, the safety agency Arctic Wolf warned about Click onFix assaults concentrating on individuals working within the healthcare sector. The firm stated these assaults leveraged malicious code stitched into the broadly used bodily remedy video website HEP2go that redirected guests to a Click onFix immediate.
An alert (PDF) launched in October 2024 by the U.S. Department of Health and Human Services warned that the Click onFix assault can take many varieties, together with pretend Google Chrome error pages and popups that spoof Facebook.
Click onFix tactic utilized by malicious web sites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.
The Click onFix assault — and its reliance on mshta.exe — is harking back to phishing methods employed for years that hid exploits inside Microsoft Office macros. Malicious macros turned such a standard malware menace that Microsoft was compelled to start out blocking macros by default in Office paperwork that attempt to obtain content material from the net.
Alas, the e-mail safety vendor Proofpoint has documented loads of Click onFix assaults through phishing emails that embrace HTML attachments spoofing Microsoft Office recordsdata. When opened, the attachment shows a picture of Microsoft Word doc with a pop-up error message directing customers to click on the “Solution” or “How to Fix” button.
HTML recordsdata containing Click onFix directions. Examples for attachments named “Report_” (on the left) and “scan_doc_” (on the correct). Image: Proofpoint.
Organizations that want to take action can reap the benefits of Microsoft Group Policy restrictions to forestall Windows from executing the “run” command when customers hit the Windows key and the “R” key concurrently.