Acronis TRU researchers documented an in-the-wild FileFix campaign that evolved from the FileFix proof-of-concept into a sophisticated, multilingual phishing operation using heavy JavaScript obfuscation, multistage PowerShell payloads, and steganography to hide a second-stage script and encrypted executables inside JPG images. The final payload is a Go-based loader that performs VM checks and decrypts shellcode to deploy the StealC infostealer, with C2 infrastructure including 77[.]90[.]153[.]225 and hosting on Bitbucket.
Key points
- First recorded real-world FileFix campaign deviates from the original POC and uses a convincing Facebook-themed phishing site with multilingual support and anti-analysis JavaScript.
- Initial access leverages FileFix social engineering: victims are tricked into pasting a payload into a file upload address bar rather than a terminal or Run dialog.
- Primary delivery uses a heavily obfuscated PowerShell one-liner that downloads JPGs from Bitbucket containing embedded second-stage scripts and encrypted executable payloads via steganography.
- Second-stage PowerShell extracts, RC4-decrypts, and gzip-decompresses multiple payloads from image byte ranges, executing EXEs via conhost.exe and deleting them after execution.
- Final payload is a Go-written, obfuscated loader that performs VM/sandbox checks, decrypts shellcode in memory, and loads the StealC infostealer which targets browsers, wallets, messaging apps, and cloud credentials.
- Campaign shows rapid iteration over weeks (variants, different payloads, encrypted URLs, hosting moves to Bitbucket) and appears to target victims globally based on translations and VT submissions.
- Detection and mitigation recommendations include user education about clipboard-based lures and blocking PowerShell/CMD/MSHTA/MSIEXEC child processes spawned by web browsers; Acronis XDR already detects and blocks the attack stages.
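The parent/child rule recommended above, worked through as an added defender-side example (this is not Acronis code): it classifies constructed Sysmon-style process-creation events, treating a browser spawning PowerShell/CMD/MSHTA/MSIEXEC as a block, and a bare interpreter launch whose command line carries the quoted one-liner's flags (-noP -W H -ep Bypass) as an alert. The browser list, the pwsh.exe entry and the flag regex are assumptions.

```python
"""Flag browser-spawned script interpreters in process-creation telemetry."""
import ntpath
import re
from typing import Optional

# Browsers whose file-upload dialog FileFix abuses (assumed list, extend as needed).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Interpreters the report recommends blocking when a browser is the parent
# (pwsh.exe added here as an assumption; the report names the other four).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe"}
# Flags seen in the quoted one-liner "PowerShell -noP -W H -ep Bypass -C ..." (regex assumed).
SUSPICIOUS_ARGS = re.compile(r"-(?:nop\w*|w\s+h\w*|ep\s+bypass)\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1-style records, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "PowerShell -noP -W H -ep Bypass -C $x=1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "powershell -noP -W H -ep Bypass -C $x=1"'},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """'block' for browser -> interpreter; 'alert' for interpreter with one-liner flags."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in BROWSERS and child in INTERPRETERS:
        return "block"
    if child in INTERPRETERS and SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        return "alert"
    return None


def triage(events: list) -> list:
    """Return (image, verdict) pairs for every event that matched a rule."""
    return [(e["Image"], v) for e in events if (v := classify(e)) is not None]


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:5} {image}")
```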
MITRE Techniques
- [T1204] User Execution – Attackers trick victims into pasting and executing a malicious command in a file upload address bar (“…the user is tricked into pasting a malicious command into the File Explorer address bar…”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Initial payload is a heavily obfuscated PowerShell command that reconstructs and invokes Base64 content (“PowerShell -noP -W H -ep Bypass -C … $egs.Invoke($cf.Invoke(…))|iex;”).
- [T1105] Ingress Tool Transfer – Images and payloads are hosted on Bitbucket and downloaded by the PowerShell payload (“…using BitBucket to deliver the image used in the attack…”).
- [T1027] Obfuscated Files or Information – JavaScript on the phishing site and multiple payload stages are minified/obfuscated and use encrypted strings (“…script was minified — shrunk down into 12 or so lines from the approximately 18,000 lines…” and “Every string the loader runs is encrypted…”).
- [T1140] Deobfuscate/Decode Files or Information – Second-stage PowerShell decodes and decompresses embedded payloads (RC4 decryption and gzip decompression) from image byte ranges (“…extracts a second-stage PowerShell script and then uses both the script and the same image to decrypt and drop an executable…”).
- [T1005] Data from Local System – StealC collects local credentials and artifacts from browsers, wallets, messaging apps and cloud tools (“StealC attempts to steal information from…Chrome, FireFox…Azure and AWS keys.”).
- [T1218] Signed Binary Proxy Execution (conhost.exe) – Executable payloads are executed via conhost.exe before being deleted (“Each EXE file is executed via conhost.exe, and then deleted once 12 minutes have passed.”).
- [T1496] Resource Hijacking (steganography as covert channel) – Attack embeds scripts and encrypted executables inside JPG images to hide payloads (“…embedding both a second-stage PowerShell script and encrypted, executable payloads within seemingly harmless JPG images.”).
- [T1083] File and Directory Discovery – Loader and StealC enumerate installed applications, browsers and wallets to locate data for exfiltration (“StealC attempts to steal information from a long list of programs…”).
Indicators of Compromise
- [Hash] multi-stage payloads – example hash: 70AE293EB1C023D40A8A48D6109A1BF792E1877A… (one long hash listed), and additional hashes referenced.
- [IP] Command-and-control server – 77[.]90[.]153[.]225 (C2 observed linked to campaign, reported location Germany).
- [Domain] Phishing and hosting domains – facebook[.]meta-software-worldwide[.]com, facebook[.]windows-software-updates[.]com, elprogresofood[.]com and Bitbucket[.]org/pibejiloiza/ (used to host images/payloads and phishing pages).
- [Filename / Path] Fake file path used in address bar – “C:UsersDefaultDocumentsMetaFacebookSharedIncident_reported.pdf” (embedded in payload to hide commands in address bar).
- [URL] Image payload locations – hxxps://bitbucket[.]org/pibejiloiza/pi73/raw/…/pexels-willianmatiola-33593998-3[.]jpg (images downloaded by PowerShell containing embedded payloads).