A newly identified variant of the ClickFix attack has sparked significant alarm among cybersecurity researchers, as it signifies a shift from traditional delivery methods centered around PowerShell to a more discreet technique that employs native Windows utilities. This transition enhances the stealth of the attack, making it harder to detect and counteract.
The infection process begins with a tactic commonly associated with ClickFix: a phishing page designed to resemble a CAPTCHA verification prompt. Victims are misled into thinking they need to press the Windows key and R simultaneously, after which they are instructed to paste a specific command and execute it. This seemingly innocuous action inadvertently initiates a multi-stage attack chain without the need to download any visible executable files.
The command observed in this variant exploits cmd.exe to sequentially execute multiple operations. The first step involves the cmdkey utility, which is employed to store credentials for a remote system that the attacker controls. This technique was analyzed and documented by the CyberProof Threat Research Team, which has shed light on the evolving methods attackers are using to elude detection while employing “living-off-the-land” strategies.
Following the credential storage, regsvr32 is utilized to silently retrieve and execute a malicious DLL from a remote SMB share, using a UNC path. Notably, the command includes comment text that masquerades as a legitimate Cloudflare CAPTCHA verification string, further obscuring its true intent. This innovative approach allows attackers to efficiently combine credential staging, payload delivery, and execution into a single action initiated by the user, significantly diminishing visible indicators of compromise.
In a technical analysis of the operation, the retrieved payload—a 64-bit DLL named demo.dll—is executed via regsvr32 through its DllRegisterServer export function. Rather than manifesting overt malicious behavior, the DLL quietly establishes persistence by creating a scheduled task via CreateProcessA and schtasks.
A critical aspect of this attack is the method used for the scheduled task configuration. Instead of storing the task locally on the victim’s machine, the details are fetched from a remote XML file that resides on infrastructure controlled by the attacker. The task, labeled “RunNotepadNow,” is crafted to appear benign, integrating seamlessly into typical Windows functionality.
This design allows the attackers to modify the behavior of the second-stage payload whenever necessary, without needing to redeploy the initial DLL. Such modular architecture facilitates ongoing updates in the attack while keeping a minimal footprint on the infected system. The malware continues to establish communication with the attacker’s infrastructure, retrieving task definitions and secondary payloads at will. This dynamic structure enables long-term persistence and versatile execution, all while limiting forensic traces left on the host system.
At the time of analysis, the command-and-control server hosting the payload was offline. However, the architecture of the attack indicates a robust and flexible framework that can be reused in future campaigns.
The implications of this ClickFix variant are significant as it marks an evolution in the sophistication of cyberattacks. Key elements demonstrating this progression include the replacement of PowerShell and rundll32 with cmdkey and regsvr32, as well as the chaining of multiple native utilities into a cohesive execution flow. The attack relies entirely on trusted Windows binaries—often referred to as LOLBins (Living Off the Land Binaries)—which minimizes the physical artifacts typically associated with traditional malware delivery.
By aligning malicious activities with legitimate Windows behavior, attackers can capitalize on low-noise execution paths that are challenging for conventional security tools to detect. Despite its stealthy approach, certain detectable signals remain visible, including execution of cmd.exe with chained operators, usage of cmdkey directed at external or suspicious IP addresses, and the loading of DLLs from remote UNC paths.
As cybersecurity professionals, especially those within security teams, remain vigilant, they should prioritize monitoring these specific behaviors. This is particularly crucial in environments where user-driven execution via the Run dialog is uncommon, as it could indicate malicious activity.
The ongoing evolution of ClickFix techniques indicates a disturbing trend towards the misuse of native Windows utilities, especially when paired with social engineering tactics. As these methods mature, it becomes increasingly imperative for defenders to adapt their detection strategies to focus on behavioral patterns rather than solely relying on file-based indicators.
In conclusion, the emergence of this ClickFix variant serves as a critical reminder of the ever-evolving landscape of cybersecurity threats. The blend of social engineering and innovative delivery methods poses new challenges, necessitating an agile response from security professionals to effectively protect networks and sensitive information.