Acronis TRU and VirusTotal collaborated to hunt and analyze three campaigns: FileFix (a ClickFix variant using clipboard-based web payload delivery), SideWinder (document-based attacks exploiting CVE-2017-0199 and CVE-2017-11882), and Shadow Vector (judicial-themed malicious SVGs targeting Colombia). By combining Livehunt, Retrohunt, VT Diff, and metadata filtering they mapped infection chains and infrastructure. The investigations produced YARA/Livehunt rules, IOC pivots (e.g., a decoy RTF hash and multiple SVG hashes), and practical VT hunting techniques for detecting web-based and document-based threats.
Keypoints
- Acronis TRU and VirusTotal collaborated to analyze web-based and document-based campaigns: FileFix (ClickFix variant), SideWinder, and Shadow Vector.
- FileFix uses clipboard manipulation (navigator.clipboard.writeText and document.execCommand("copy")) on malicious webpages to deliver PowerShell payloads that extract executables from images.
- SideWinder relies on document-based exploits (CVE-2017-0199, CVE-2017-11882) with geofencing and targeted delivery across South Asia; hunting used submitter country and file-type filters plus specific hex signatures and decoy hashes.
- Shadow Vector used judicial-themed SVG lures targeting Colombia, embedding external HTTPS links to payloads; investigators used SVG content indexing and VT Diff to cluster related samples and infrastructure.
- VirusTotal features central to the investigations: Livehunt (real-time YARA hunts), Retrohunt, VT Diff (compare samples), content searches, metadata filters (submitter country, tags), and file relations (itw_urls).
- Researchers balanced rule specificity and recall by maintaining multiple rule sets (broad and narrow), iteratively tuning to reduce false positives while surfacing new variants.
- Concrete artifacts and hunting patterns (e.g., decoy RTF SHA256, many SVG hashes, clipboard + atob/String.fromCharCode detection) enabled pivoting across URLs, images, and payloads to map complete attack chains.
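The two web-delivered lure types above (FileFix pages and Shadow Vector SVGs) can be triaged offline with the same indicator logic the summary attributes to the Livehunt rules. The following is an added example written for this page; it is not Acronis TRU or VirusTotal code, and the HTML and SVG inputs are constructed, with `example.invalid` standing in for any real hosting domain. It also keeps the broad/narrow split from the last keypoint: the broad check fires on a clipboard write plus a decoder, the narrow check additionally requires a literal interpreter name.

```python
"""Offline triage for FileFix-style pages and Shadow Vector-style SVGs.

Added example, not the researchers' own code. Indicator strings are the
ones named in the summary (clipboard APIs, atob/String.fromCharCode,
powershell/mshta/cmd, external https href in SVG); samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

# --- FileFix / ClickFix page indicators --------------------------------
CLIPBOARD_PATTERNS = {
    "navigator.clipboard.writeText": re.compile(r"navigator\.clipboard\.writeText\s*\("),
    'document.execCommand("copy")': re.compile(r"""document\.execCommand\s*\(\s*["']copy["']"""),
}
DECODER_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "String.fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
}
INTERPRETER_PATTERNS = {
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "mshta": re.compile(r"\bmshta\b", re.I),
    "cmd": re.compile(r"\bcmd\b", re.I),
}


def filefix_indicators(page: str) -> dict:
    """Report which indicator groups a page hits and the broad/narrow verdicts.

    'broad'  = clipboard write API + a decoder (high recall, more noise)
    'narrow' = broad + a literal interpreter keyword (fewer false positives,
               but misses pages where the interpreter name is itself encoded)
    """
    def hits(patterns):
        return [name for name, rx in patterns.items() if rx.search(page)]

    result = {
        "clipboard": hits(CLIPBOARD_PATTERNS),
        "decoder": hits(DECODER_PATTERNS),
        "interpreter": hits(INTERPRETER_PATTERNS),
    }
    result["broad"] = bool(result["clipboard"] and result["decoder"])
    result["narrow"] = result["broad"] and bool(result["interpreter"])
    return result


# --- Shadow Vector SVG indicator ---------------------------------------
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def external_svg_links(svg_text: str) -> list:
    """Return every https:// target found in href / xlink:href attributes.

    A self-contained graphic has no reason to link out, so any such href
    is the triage signal the Shadow Vector hunt keyed on.
    """
    root = ET.fromstring(svg_text)
    links = []
    for el in root.iter():  # iter() includes the root element itself
        for attr in ("href", XLINK_HREF):
            val = el.get(attr)
            if val and val.lower().startswith("https://"):
                links.append(val)
    return links


# --- Constructed samples (not real lures) -------------------------------
SAMPLE_LURE = """<html><body>
<p>Open File Explorer, paste the path and press Enter (requires PowerShell).</p>
<script>
  var cmd = atob("Y29uc3RydWN0ZWQ=");  // constructed placeholder, decodes to 'constructed'
  navigator.clipboard.writeText(cmd);
</script></body></html>"""

SAMPLE_COPY_BUTTON = """<html><body>
<input id="share" value="https://example.invalid/article/42">
<button onclick="document.execCommand('copy')">Copy link</button>
</body></html>"""

SAMPLE_ENCODED = """<html><body><script>
  var s = String.fromCharCode(99,111,110,115,116,114,117,99,116,101,100); // 'constructed'
  navigator.clipboard.writeText(s);
</script></body></html>"""

SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <text x="20" y="40">Notificación judicial (constructed)</text>
  <a xlink:href="https://example.invalid/lure/Notificacion.zip">
    <text x="20" y="80">Descargar documento</text>
  </a>
</svg>"""

SAMPLE_CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40"/>
</svg>"""

if __name__ == "__main__":
    for name, page in [("lure", SAMPLE_LURE), ("copy-button", SAMPLE_COPY_BUTTON),
                       ("encoded", SAMPLE_ENCODED)]:
        print(name, filefix_indicators(page))
    print("svg links:", external_svg_links(SAMPLE_SVG))
```

The benign copy-button page shows why a clipboard API alone is not enough for a rule, and the encoded sample shows why the narrow rule set cannot stand on its own: when "powershell" only exists after decoding, the literal keyword is absent and only the broad rule surfaces the page.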
MITRE Techniques
- [T1112] Modify Registry or Files – SideWinder and FileFix payloads use exploit chains and script-based payloads (PowerShell) to drop or execute binaries; example behavior: "the payload (a powershell command) downloads an image, and then runs a script that is embedded in the image file."
- [T1059] Command and Scripting Interpreter – Attackers used PowerShell, cmd, mshta and similar commands to execute payloads: "'powershell', 'mshta', or 'cmd' … used to construct the malicious payload."
- [T1190] Exploit Public-Facing Application – SideWinder used document exploits CVE-2017-0199 and CVE-2017-11882 to achieve code execution via malicious Office/RTF documents: "tag:CVE-2017-0199 and tag:CVE-2017-11882".
- [T1204] User Execution – *Fix attacks trick users into running commands copied to the clipboard by the site; described as copying malicious commands into the victim's clipboard for them to paste and run: "they copy a malicious command to the victim's clipboard".
- [T1598] Phishing for Information / Malicious Link – Shadow Vector used judicial-themed SVG lures embedding external links (HTTPS) that retrieve payloads: "embedded links to externally hosted payloads… href='https://'".
- [T1071] Application Layer Protocol – Payload delivery leveraged web hosting and HTTPS links to externally hosted payloads and images: "embedded links to externally hosted payloads… href='https://'".
- [T1222] File and Directory Discovery / Triage (reconnaissance by defenders) – Researchers used VT Diff, Livehunt, and Retrohunt to discover patterns and pivot across related samples and infrastructure: "VT Diff functionality to compare variations between samples and quickly spot patterns".
Indicators of Compromise
- [SHA256] SideWinder decoy RTF – 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a (empty RTF decoy used for pivoting).
- [SHA256] Shadow Vector SVG hashes – example hashes include 6d4a53da259c3c8c0903b1345efcf2fa0d50bc10c3c010a34f86263de466f5a1 and 2aae8e206dd068135b16ff87dfbb816053fc247a222aad0d34c9227e6ecf7b5b (12 more SVG hashes are listed in the rule samples).
- [Strings/HTML] Clipboard and deobfuscation indicators in web pages – navigator.clipboard.writeText, document.execCommand("copy"), String.fromCharCode, atob (used to identify FileFix/ClickFix pages).
- [File names/URLs] Image-hosting domains and image filenames – the domains and filenames referenced in FileFix payload commands (the specific names are not reproduced in this summary); related URLs were pivoted via archived URL content and via itw_urls file relations.
- [Email filenames] Spear-phish email example – "54th CISM World Military Naval Pentathlon 2025 – Invitation.eml", tied to the SideWinder initial infection vector and its attachments.