# Full Report
A newly discovered FileFix social engineering attack impersonates Meta account suspension warnings to trick users into unknowingly installing the StealC infostealer malware. [...]
# Analysis Summary
# Tool/Technique: FileFix Attack (and StealC Malware)
## Overview
This summary details a new social engineering attack campaign utilizing the **FileFix** technique (an evolution of ClickFix) to trick users into executing malicious PowerShell commands via the Windows File Explorer address bar. The ultimate goal of this specific campaign is the deployment of the **StealC** information-stealing malware. The attack heavily leverages **steganography** to hide secondary payloads within image files.
## Technical Details
- Type: Technique/Framework (FileFix), Malware Family (StealC)
- Platform: Windows (Targeting File Explorer, PowerShell environment)
- Capabilities (FileFix): Abuses the File Explorer address bar to execute commands, using trailing spaces/variables instead of the traditional '#' symbol to evade detection.
- Capabilities (StealC): Steals browser credentials, messaging app credentials, cryptocurrency wallets, cloud credentials, and takes screenshots.
- First Seen: The specific FileFix campaign using steganography was observed evolving over two weeks prior to the report date (September 16, 2025).
## MITRE ATT&CK Mapping
This campaign combines execution techniques with delivery and credential access:
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Steganography usage)
- **TA0007 - Credential Access**
  - T1555 - Credentials from Password Stores (StealC function)
## Functionality
### Core Capabilities (FileFix Technique)
- **Social Engineering Lure:** Impersonates Meta support warnings about account suspension, directing users to open an "incident report."
- **Malicious Command Execution:** Tricks victims into copying a disguised PowerShell command and pasting it into the File Explorer address bar, which executes it.
- **Evasion Tactic:** Uses appended spaces or variables at the end of the copied payload, ensuring only a seemingly benign file path is visible in the address bar, thus bypassing defenses looking for the traditional ClickFix '#' comment symbol.
### Advanced Features (Campaign-Specific)
- **Steganographic Payload Hiding:** A crucial element where the secondary PowerShell script and encrypted executables are hidden within a seemingly harmless JPG image file hosted on Bitbucket.
- **Multi-Stage Execution:** The initial command downloads the image carrying the hidden payload and extracts the secondary script from it; that script then decrypts and executes the final payloads *in memory*.
- **StealC Payload:** The final payload focuses on comprehensive credential harvesting from various applications.
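The report does not state how the secondary script is embedded in the JPG, so the following added example (written for this summary, not code from the report or from the actors) assumes one common embedding method: data appended after the JPEG End-Of-Image marker. It walks the JPEG segment structure to locate the real EOI and reports any bytes that follow it, which is the kind of check a download proxy or sandbox can apply to image files fetched right before unusual PowerShell activity. The sample images are constructed minimal JPEG skeletons; an image whose payload is hidden in pixel data rather than appended would not be caught by this check.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
RST = set(range(0xD0, 0xD8))            # RSTn markers: standalone, legal inside scan data
STANDALONE = RST | {0x01, 0xD8}         # TEM, SOI: markers with no length field


def find_eoi_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the real EOI.
    Walking the structure (rather than searching for the last FF D9) means an
    appended blob that happens to contain FF D9 cannot push the boundary."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                  # EOI: the image proper ends here
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                  # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST
            ):
                pos += 1
    raise ValueError("EOI not found")


def trailing_data(data: bytes) -> bytes:
    """Bytes that follow the end of the image; a clean JPEG returns b''."""
    return data[find_eoi_offset(data):]


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (APP0, SOS with a stuffed byte and an RST
    marker, EOI) used only for this demonstration; not an image from the campaign."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # FF 00 is byte stuffing, FF D0 is RST0: both belong to the scan
    return SOI + app0 + sos + scan + EOI + trailer


def scan_files(files: dict) -> dict:
    """Return {name: finding} for files that carry data past EOI or are not JPEGs at all."""
    findings = {}
    for name, blob in files.items():
        try:
            extra = trailing_data(blob)
        except ValueError as exc:
            findings[name] = f"malformed: {exc}"
            continue
        if extra:
            findings[name] = f"{len(extra)} bytes after EOI"
    return findings


if __name__ == "__main__":
    samples = {  # constructed inputs
        "clean.jpg": build_sample_jpeg(),
        "lure.jpg": build_sample_jpeg(b"\xff\xd9" + b"<constructed stand-in for an encrypted stage>"),
        "notes.txt": b"plain text renamed to look like an image",
    }
    for name, finding in scan_files(samples).items():
        print(f"{name}: {finding}")
```

A non-empty trailer is not proof of malice on its own (some editors leave metadata after EOI), but an image whose trailer is large and high-entropy, fetched by a freshly spawned PowerShell process, is worth a closer look.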
## Indicators of Compromise
*Note: Specific IoCs (hashes, IPs, domains) were not provided in the context, only artifacts related to the technique.*
- File Hashes: [Not disclosed in context]
- File Names: [Not consistently specified, related to an "incident report" lure]
- Registry Keys: [Not disclosed in context]
- Network Indicators: [Payloads hosted on Bitbucket initially; domains used varied across observed iterations]
- Behavioral Indicators:
  - Copying sequences from a website into the File Explorer address bar.
  - PowerShell scripts executing processes that interact with image files and memory decryption.
  - StealC activity involving scraping browser data, messaging apps, and crypto wallets.
## Associated Threat Actors
- FileFix technique previously used by **Interlock ransomware gang**.
- The current campaign using FileFix with steganography is attributed to a distinct actor group testing evolving infrastructure.
## Detection Methods
- Signature-based detection: Likely bypassed by the evolving nature of the FileFix payload obfuscation (replacing '#' with spaces/variables).
- Behavioral detection: Crucial for detecting the sequence of copying data from a web source into system dialogs (File Explorer address bar execution).
- YARA rules: Could be written for the StealC payload once it is resident in memory, or for artifacts of common steganographic encoding/decoding routines seen on disk or in network captures; since the final stages run in memory, disk-based rules may only ever see the downloaded image and the initial script.
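The behavioral signal described above can be expressed as a simple process-creation triage rule. The following added example (written for this summary, not code from the report) reads constructed process-creation events with Sysmon-style field names (ParentImage, Image, CommandLine, ProcessId) and flags a shell launched by explorer.exe whose command line also carries FileFix-style whitespace padding or a ClickFix-style '#' comment tail. Requiring two corroborating signals keeps ordinary user launches of PowerShell from alerting; the stage-1 command in the sample is a placeholder.

```python
import json
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
PADDING_RUN = re.compile(r"\s{16,}")     # whitespace run that pushes the real command out of the visible address bar
COMMENT_TAIL = re.compile(r"\s#\s*\S")   # classic ClickFix: a '#' comment carrying the lure text after the command


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(event: dict) -> list:
    """Independent signals found in one process-creation event."""
    reasons = []
    if _basename(event["ParentImage"]) == "explorer.exe" and _basename(event["Image"]) in SHELLS:
        reasons.append("shell launched by explorer.exe (address bar or Run box)")
    cmd = event["CommandLine"]
    if PADDING_RUN.search(cmd):
        reasons.append("long whitespace run in command line (FileFix padding)")
    if COMMENT_TAIL.search(cmd):
        reasons.append("'#' comment tail in command line (ClickFix style)")
    return reasons


def triage(log_lines) -> list:
    """Return (ProcessId, reasons) for events with at least two corroborating signals.
    A lone explorer.exe -> powershell.exe launch is normal user activity and never alerts alone."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        reasons = reasons_for(event)
        if len(reasons) >= 2:
            alerts.append((event["ProcessId"], reasons))
    return alerts


# Constructed sample events (hypothetical paths and PIDs; <STAGE1 PLACEHOLDER> stands in for the hidden command).
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},   # user opened PowerShell
    {"ProcessId": 4242, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "<STAGE1 PLACEHOLDER>"' + " " * 40
                    + r"C:\Users\Public\Meta\incident_report.pdf"},                      # FileFix: padding hides the command
    {"ProcessId": 4343, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "<STAGE1 PLACEHOLDER>" # Fix the error, I am not a robot'},  # ClickFix style
    {"ProcessId": 2020, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly_backup.ps1"},               # scheduled task
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_LINES):
        print(pid, "->", "; ".join(reasons))
```

The padding threshold and the '#' pattern are heuristics that will need tuning per environment; the durable part of the rule is the parent-child relationship, which is what the evolving payload cannot change as long as the command is executed from the address bar.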
## Mitigation Strategies
- Education: Train users specifically about ClickFix/FileFix tactics, emphasizing the risks of pasting data copied from websites directly into system dialogs (like the Run box or File Explorer address bar).
- Application Control: Restrict PowerShell script execution where possible, or monitor its execution context, paying particular attention to PowerShell processes that reach out to external network sources immediately after File Explorer address bar activity.
- Network Monitoring: Monitor for suspicious downloads from sources like Bitbucket that precede unusual process activity or memory manipulation.
## Related Tools/Techniques
- ClickFix: The predecessor family of attacks that FileFix evolved from.
- StealC: The final information stealer deployed.
- General Steganography Techniques used for malware delivery.