ClickFix is a deceptive delivery method exploiting user interactions and clipboard functionalities to initiate malware execution. This technique has gained popularity among cybercriminals for malware deployment, including credential theft. Vigilance against such tactics is crucial.
Affected: web users, enterprise platforms, malware victims
Affected: web users, enterprise platforms, malware victims
Keypoints :
- ClickFix uses deceptive web prompts and clipboard manipulation to execute malware.
- Commonly disguised as alerts or CAPTCHA challenges, prompting user interaction.
- Utilizes methods like mshta.exe, PowerShell, and JavaScript for malware delivery.
- Identified through structured queries in HuntSQLโข based on behavioral patterns.
- Can lead to malware execution and credential theft without traditional download methods.
MITRE Techniques :
- T1086: PowerShell โ Utilized to execute Base64-encoded commands silently.
- T1203: Exploitation for Client Execution โ Deceptively prompts for user actions to trigger payload execution.
- T1071: Application Layer Protocol โ Leveraged by embedding malicious scripts within familiar application prompts.
Indicator of Compromise :
- [Domain] soubtcevent[.]com
- [IP Address] 94.181.229[.]250
- [Domain] timestesol[.]com
- [Domain] securedmicrosoft365[.]com
- [Filename] verify1.exe
Full Story: https://hunt.io/blog/clickfix-pages-proactive-threat-hunting