Full Report
ClickFix isn't just back—it's mutating. New variants use fake CAPTCHAs, File Explorer tricks & MSI lures to drop MetaStealer. Stay ahead with Huntress' Tradecraft Tuesday threat briefings. [...]
Analysis Summary
# Threat Actor: Evolving Threat Actors Utilizing ClickFix/FileFix Techniques (No Established Group Named)
## Attribution & Identity
The article does not attribute the activity to a specific established threat actor group but details evolving techniques often associated with commodity malware distribution, specifically highlighting variants of the *ClickFix* and *FileFix* social engineering template. One specific attack observed involved techniques consistent with the distribution of **MetaStealer**.
Known Aliases/Associated Groups:
* **ClickFix** (Technique moniker/variant family)
* **FileFix** (Technique variant)
* Threat actors deploying the **MetaStealer** commodity infostealer.
* Threat actors deploying the **Cephalus** ransomware variant.
## Activity Summary
Huntress analysts observed increased threat activity over the past fifteen business days involving several distinct but related campaigns:
1. **MetaStealer Campaign:** An infection chain mimicking a *ClickFix* attack, starting with a fake AnyDesk installer lure. This evolved to use a fake Cloudflare verification page (Turnstile), leveraged Windows File Explorer, and deployed an MSI package disguised as a PDF to drop the **MetaStealer** infostealer.
2. **Cephalus Ransomware Incidents:** Two distinct incidents involved the **Cephalus** ransomware variant. These attacks utilized DLL sideloading against a legitimate SentinelOne executable, `SentinelBrowserNativeHost.exe`, to execute the payload.
3. **Historical ClickFix Activity:** The standard *ClickFix* technique remains prevalent: users are tricked into running malicious commands via the Windows Run dialog box, often through CAPTCHA-based lures.
## Tactics, Techniques & Procedures
- **Social Engineering/Lures:** Use of CAPTCHA-based lures (like fake Cloudflare Turnstile verification) to trick users into executing malicious code.
- **Initial Execution (ClickFix Variant):** Asking victims to **copy and paste a command** into the Windows Run dialog box or, in *FileFix* variants, utilizing **Windows File Explorer**.
- **Evasive Deployment (MetaStealer Chain):** Using an **MSI package disguised as a PDF** file.
- **Information Gathering:** The MetaStealer deployment was observed collecting the victim's **hostname**.
- **Defense Evasion (Cephalus):** Employing **DLL Sideloading** using a legitimate vendor binary (`SentinelBrowserNativeHost.exe`).
- [No specific MITRE ATT&CK IDs provided in the text.]
## Targeting
- **Sectors:** The text implies broad targeting, given the commodity nature of MetaStealer and the use of common software lures (AnyDesk). Sectors are not explicitly limited.
- **Geography:** Not specified.
- **Victims:** Specific organizations were not named, though there were detection incidents involving **Cephalus ransomware**.
## Tools & Infrastructure
- **Malware families used:**
  - **MetaStealer:** A commodity infostealer known since 2022.
  - **Cephalus:** A ransomware variant.
- **Infrastructure (C2, domains, IPs):**
  - One observed landing page associated with a ClickFix attack: `teams-one[.]com` (defanged)
## Implications
These attacks demonstrate a significant evolution in threat actor tradecraft, moving beyond basic command execution inherent in traditional *ClickFix* attacks. The combination of established social engineering (CAPTCHA lures) with technically advanced methods—such as embedding payloads in seemingly harmless files (MSI disguised as PDF) or utilizing legitimate software binaries for DLL hijacking—allows threat actors to maintain campaign success while potentially bypassing conventional endpoint detection focused on simpler execution paths.
## Mitigations
- **User Education:** Train users specifically on spotting CAPTCHA or verification lures (such as fake Cloudflare Turnstile pages) that prompt them to copy/paste commands into the Windows Run dialog box or walk them through steps in Windows File Explorer.
- **Traditional ClickFix Defense:** Continue to enforce policies to **disallow the use of the Windows Run dialog box** where it is not necessary for daily tasks (effective against classic ClickFix).
- **Defense Against Evasion:** Implement detection mechanisms targeting common evasion techniques like **DLL Sideloading**, particularly focusing on monitoring the execution chain originating from legitimate, signed executables like `SentinelBrowserNativeHost.exe`.
- **Process Monitoring:** Monitor for MSI packages launched through unusual user interactions or carrying a masked file type (for example, an MSI presented as a PDF).
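The three monitoring points above (Run-dialog execution under Explorer, DLL sideloading from a legitimate signed host, and MSI packages masked as PDFs) can be expressed as simple rules over process-creation and image-load telemetry. The following is an added example, not code from Huntress or the briefing; the event schema, the sample events and the assumed SentinelOne install directory are constructed and must be adjusted to your own telemetry source and fleet.

```python
import ntpath
from dataclasses import dataclass

# Constructed assumption: the briefing names the sideload target binary but not its
# legitimate path. Set this to where the vendor binary is actually installed in your fleet.
SIDELOAD_TARGETS = {"sentinelbrowsernativehost.exe": "c:\\program files\\sentinelone\\"}
# Interpreters commonly launched from a pasted Run-dialog command (children of explorer.exe).
RUN_DIALOG_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe"}

@dataclass
class Event:
    kind: str          # "image_load" or "process_create" (constructed schema)
    image: str         # full path of the process executable
    parent: str = ""   # parent process path (process_create only)
    loaded: str = ""   # DLL path (image_load only)
    cmdline: str = ""  # command line (process_create only)

def _name(path):
    """Lower-cased file name; ntpath handles Windows paths on any host OS."""
    return ntpath.basename(path).lower()

def classify(ev):
    """Return the alert labels triggered by one event (empty list means nothing suspicious)."""
    alerts, name = [], _name(ev.image)
    if ev.kind == "image_load" and name in SIDELOAD_TARGETS:
        # A signed vendor host loading a DLL from outside its own install directory.
        dll = ev.loaded.lower()
        if dll.endswith(".dll") and not dll.startswith(SIDELOAD_TARGETS[name]):
            alerts.append("dll_sideload")
    if ev.kind == "process_create":
        # Run dialog (ClickFix) and File Explorer (FileFix) actions execute as explorer.exe children.
        if _name(ev.parent) == "explorer.exe" and name in RUN_DIALOG_HOSTS:
            alerts.append("explorer_spawned_shell")
        # msiexec handling a package whose name carries a ".pdf" token: MSI disguised as a PDF.
        if name == "msiexec.exe" and ".pdf" in ev.cmdline.lower():
            alerts.append("msi_disguised_as_pdf")
    return alerts

def scan(events):
    """Map the index of every alerting event to its labels."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

# Constructed sample telemetry (no real indicators): one benign load, then one of each pattern.
SAMPLE_EVENTS = [
    Event("image_load", "C:\\Program Files\\SentinelOne\\SentinelBrowserNativeHost.exe",
          loaded="C:\\Program Files\\SentinelOne\\vendor_dependency.dll"),
    Event("image_load", "C:\\Users\\Public\\SentinelBrowserNativeHost.exe",
          loaded="C:\\Users\\Public\\sideloaded.dll"),
    Event("process_create", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          parent="C:\\Windows\\explorer.exe", cmdline="powershell.exe <pasted command>"),
    Event("process_create", "C:\\Windows\\System32\\msiexec.exe",
          parent="C:\\Windows\\explorer.exe", cmdline='msiexec /i "C:\\Users\\u\\Downloads\\Invoice.pdf.msi"'),
]

if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS).items():
        print(i, labels, SAMPLE_EVENTS[i].image)
```

The `explorer_spawned_shell` rule will also fire on legitimate interactive use, so in production it is a triage signal to be paired with command-line context rather than a standalone block.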