ClickFix is a social engineering technique that gets end users to run malicious PowerShell commands themselves by disguising the command as a routine verification step (a fake CAPTCHA or error-fix prompt); the result is initial network access for the threat actor, followed by data exfiltration. Since March 2024, threat actors ranging from individual cybercriminals to state-aligned groups such as APT28 and MuddyWater have used the method against multiple industries worldwide. #ClickFix #APT28 #MuddyWater
Keypoints
- ClickFix lures take the form of fake error messages or CAPTCHA prompts that instruct the user to copy a command, paste it, and run it, so the victim executes the malicious PowerShell command with their own credentials and no exploit is needed.
- Threat actors involved include individual cybercriminals and APT groups like APT28 (Russia) and MuddyWater (Iran).
- Targeted industries span healthcare, hospitality, automotive, and government sectors.
- Initial access methods include spear phishing, drive-by compromises, and delivering payloads via trusted platforms like GitHub.
- Malicious PowerShell commands establish command and control (C2) communication, followed by lateral movement and data exfiltration.
- Malware families commonly deployed include XWorm, Lumma, and AsyncRAT.
- Darktrace observed multiple ClickFix intrusions; anomaly-based detection surfaced the unusual PowerShell activity, and Autonomous Response contained the threat in environments where it was enabled.
MITRE Techniques
- [T1566.002] Spearphishing Link – Used to deliver malicious payloads through deceptive emails or links. (“phishing emails or fake CAPTCHA prompts that led users to execute malicious PowerShell commands”)
- [T1189] Drive-by Compromise – Actors exploited trust in legitimate platforms and websites to redirect users to malicious URLs. (“redirect the end user to a malicious URL”)
- [T1059.001] PowerShell – Attackers executed malicious PowerShell commands to gain access and establish C2 communication. (“execution of malicious PowerShell commands”, “use of a new PowerShell user agent”)
- [T1210] Exploitation of Remote Services – Downloaded numeric-named malicious files to further exploit remote services and gather information. (“contained additional malicious code designed to further exploit remote services”)
- [T1071.001] Web Protocols – Used HTTP communications for C2 traffic and data exfiltration. (“command and control communication within the targeted environment”, “HTTP POST request”)
- [T1020] Automated Exfiltration – Exfiltrated system and device information via HTTP POST to C2 servers. (“data exfiltration involving system and device information to the same command-and-control (C2) endpoint”)
Indicators of Compromise
- [IP addresses] Command and control servers and infrastructure – 193.36.38[.]237, 188.34.195[.]44, 138.199.156[.]22, and several others linked to ClickFix activity.
- [Hostnames] Malicious C2 infrastructure and compromised websites – rkuagqnmnypetvf[.]top, diagnostics.medgenome[.]com.
- [URIs] Numeric and suspicious file names used during attacks – /1744205200, /init1234, /1741714208, and multiple other numeric strings indicating malicious files.
- [File Hashes] Malicious files detected – SHA-256: 34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044, SHA-1: 10a5eab3eef36e75bd3139fe3a3c760f54be33e3.
- [URLs] Potential C2 infrastructure – shorturl[.]at/UB6E6, tlgrm-redirect[.]icu.
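The MITRE mapping and the indicators above describe one recognisable traffic pattern: a PowerShell user agent fetching a numeric-named file from C2 infrastructure, then an HTTP POST of system information back to the same endpoint. The following hunt script is an added example (not code from the original page or from Darktrace) that applies exactly those observables to a few constructed proxy log lines. The log format, the `LOG_RE` parser, the sample lines and the default PowerShell user-agent strings are assumptions; the IP, hostname and numeric-URI indicators are the ones listed in this page's IoC section.

```python
"""Hunt for ClickFix-style PowerShell beacons in HTTP proxy logs.

Added example (not code from the original page or from Darktrace). It checks
constructed proxy log lines against the observables the page describes:
a PowerShell user agent, numeric-only URI names, the listed C2 IPs/hostnames,
and an HTTP POST to the same endpoint that a PowerShell GET just fetched
(the system-information exfiltration step). The log line format and the
exact user-agent strings are assumptions; adapt LOG_RE to your proxy.
"""
import re
from collections import defaultdict


def refang(s):
    """Turn a defanged indicator as written in the IoC list ('1.2[.]3') into a matchable form."""
    return s.replace("[.]", ".")


# Indicators copied from the page's IoC section (defanged there, refanged here).
IOC_IPS = {refang(i) for i in ("193.36.38[.]237", "188.34.195[.]44", "138.199.156[.]22")}
IOC_HOSTS = {refang(h) for h in ("rkuagqnmnypetvf[.]top", "diagnostics.medgenome[.]com", "tlgrm-redirect[.]icu")}

# Invoke-WebRequest/Invoke-RestMethod advertise "WindowsPowerShell/5.x" (Windows PowerShell)
# or "PowerShell/7.x" (PowerShell 7) by default; a browser never sends either (assumption).
POWERSHELL_UA = re.compile(r"\b(?:Windows)?PowerShell/\d", re.I)
# Numeric file names such as /1744205200 or /1741714208 from the page's IoC list.
NUMERIC_PATH = re.compile(r"^/\d{6,}$")

# Assumed proxy log format (constructed for this example):
#   <timestamp> <client_ip> <method> <host> <path> <status> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators(rec):
    """Per-request indicators that need no context from earlier lines."""
    hits = []
    if POWERSHELL_UA.search(rec["ua"]):
        hits.append("powershell_user_agent")
    if NUMERIC_PATH.match(rec["path"]):
        hits.append("numeric_uri")
    if rec["host"] in IOC_IPS or rec["host"] in IOC_HOSTS:
        hits.append("known_ioc")
    return hits


def hunt(lines, min_hits=2):
    """Return one finding per suspicious request: {src, host, path, method, hits}.

    A request is reported when at least `min_hits` indicators coincide, so a
    lone numeric path (common in CDN URLs) is not enough on its own, while a
    PowerShell user agent talking to a listed host is.
    """
    ps_sessions = defaultdict(set)  # (client, host) -> paths fetched via GET with a PowerShell UA
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits = indicators(rec)
        key = (rec["src"], rec["host"])
        if rec["method"] == "GET" and "powershell_user_agent" in hits:
            ps_sessions[key].add(rec["path"])
        elif rec["method"] == "POST" and rec["path"] in ps_sessions.get(key, ()):
            # Same client, host and URI as an earlier PowerShell GET: the page's
            # "HTTP POST ... to the same C2 endpoint" exfiltration pattern.
            hits.append("post_to_same_endpoint")
        if len(hits) >= min_hits:
            findings.append({"src": rec["src"], "host": rec["host"], "path": rec["path"],
                             "method": rec["method"], "hits": hits})
    return findings


# Constructed sample log lines (not real traffic). Lines 1-2: ClickFix beacon and POST-back;
# line 3: ordinary browsing; line 4: numeric path alone; line 5: PowerShell UA to a listed host.
SAMPLE_LOG = [
    '2025-04-09T13:30:01Z 10.1.20.57 GET 193.36.38.237 /1744205200 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894"',
    '2025-04-09T13:30:03Z 10.1.20.57 POST 193.36.38.237 /1744205200 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894"',
    '2025-04-09T13:30:05Z 10.1.20.58 GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2025-04-09T13:30:09Z 10.1.20.59 GET cdn.example.org /1741714208 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2025-04-09T13:30:11Z 10.1.20.60 GET rkuagqnmnypetvf.top /init1234 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['host']}{f['path']}  <- {', '.join(f['hits'])}")
```

On the sample above the script reports three requests: the numeric-URI GET and the POST-back from 10.1.20.57, and the PowerShell GET to the listed host from 10.1.20.60; the numeric path fetched by a browser on 10.1.20.59 is not reported because only one indicator fires. The user-agent check is the weakest signal in isolation (administrators script with Invoke-WebRequest too), which is why the script insists on at least two coinciding indicators and treats the POST to an endpoint PowerShell just fetched as its own indicator.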