Unpacking ClickFix: Darktrace’s detection of a prolific social engineering tactic

ClickFix is a social engineering attack technique that tricks users into executing malicious PowerShell commands through fake verification prompts, enabling threat actors to establish command and control and exfiltrate sensitive data. Darktrace has demonstrated effective detection and response capabilities against ClickFix attacks, including autonomous blocking of malicious activities.

Key points

  • ClickFix exploits human error by using deceptive prompts such as fake CAPTCHA or “Fix It” messages to lead users into running malicious PowerShell commands.
  • The technique has been observed since March 2024 and is employed by various threat actors including APT28 and MuddyWater targeting multiple industries worldwide.
  • Attackers gain initial access through spear phishing, drive-by compromises, or exploiting trust in platforms like GitHub to deliver payloads like XWorm, Lumma, and AsyncRAT.
  • Once executed, malicious scripts communicate with C2 servers, such as 193.36.38[.]237 and 188.34.195[.]44, to perform system reconnaissance, lateral movement, and data exfiltration.
  • Darktrace detected ClickFix attacks by identifying unusual PowerShell user agents, numeric file downloads, and HTTP communications indicative of C2 activity and data exfiltration.
  • Darktrace’s Autonomous Response can automatically block malicious connections and quarantine affected devices, effectively containing attacks in real time.
  • The approach relies on anomaly detection and learning normal device behavior, enabling detection without prior knowledge of specific IOCs or attack patterns.
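The detection signals listed above (a PowerShell user agent, numeric file names, HTTP traffic to raw IPs, and POSTs that look like exfiltration) can be checked against ordinary proxy logs without any vendor tooling. The following is an added example written for this page, not Darktrace's own detection logic: it assumes a constructed tab-separated proxy log format (timestamp, source IP, method, destination host, URI, user agent, bytes sent), reuses the destination IPs and URIs listed in this summary as sample destinations, and the scoring weights and thresholds are the author's own heuristic choices rather than anything Darktrace publishes. The `WindowsPowerShell/5.1...` user-agent string mirrors the default sent by `Invoke-WebRequest`; the second pattern also catches PowerShell 7's `PowerShell/7.x` form.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Default user agent shape sent by Windows PowerShell's Invoke-WebRequest (version digits constructed).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4522"

# Constructed proxy-log rows (not from the Darktrace post). Destination IPs and URIs
# reuse the indicators listed on this page; source IPs and timestamps are made up.
SAMPLE_ROWS = [
    ("2025-04-09T10:01:02Z", "10.0.0.15", "GET", "193.36.38.237", "/1744205200", PS_UA, "0"),
    ("2025-04-09T10:01:05Z", "10.0.0.15", "POST", "188.34.195.44", "/init1234", PS_UA, "4821"),
    ("2025-04-09T10:02:10Z", "10.0.0.22", "GET", "www.example.com", "/index.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "0"),
    ("2025-04-09T10:03:00Z", "10.0.0.31", "GET", "updates.example.org", "/catalog/2024/manifest.json",
     "Microsoft-Delivery-Optimization/10.0", "0"),
    ("2025-04-09T10:04:44Z", "10.0.0.15", "GET", "rkuagqnmnypetvf.top", "/1.txt", PS_UA, "0"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

# Heuristic patterns (author's own, not a vendor rule set).
POWERSHELL_UA = re.compile(r"\b(?:WindowsPowerShell|PowerShell)/\d")   # Invoke-WebRequest / pwsh defaults
NUMERIC_PATH = re.compile(r"^/\d+(?:\.[A-Za-z0-9]+)?$")                # /1744205200, /1.txt
SHORT_WORD_DIGITS_PATH = re.compile(r"^/[A-Za-z]{1,6}\d{3,}$")          # /init1234
RAW_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")                  # host is a bare IPv4 address


@dataclass
class Request:
    timestamp: str
    src: str
    method: str
    host: str
    uri: str
    user_agent: str
    bytes_out: int


@dataclass
class Alert:
    request: Request
    score: int
    reasons: list[str]


def parse_line(line: str) -> Request:
    """Parse one tab-separated proxy log row into a Request."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    ts, src, method, host, uri, ua, bytes_out = fields
    return Request(ts, src, method, host, uri, ua, int(bytes_out))


def score_request(req: Request) -> tuple[int, list[str]]:
    """Weight each ClickFix-style signal; weights are illustrative, not tuned values."""
    score, reasons = 0, []
    is_powershell = bool(POWERSHELL_UA.search(req.user_agent))
    if is_powershell:
        score += 2
        reasons.append("PowerShell user agent")
    if NUMERIC_PATH.match(req.uri) or SHORT_WORD_DIGITS_PATH.match(req.uri):
        score += 1
        reasons.append("numeric or opaque file name")
    if RAW_IP_HOST.match(req.host):
        score += 1
        reasons.append("destination is a raw IP")
    if is_powershell and req.method == "POST" and req.bytes_out > 0:
        score += 2
        reasons.append("possible exfiltration: POST with body from PowerShell")
    return score, reasons


def analyze(log_text: str, threshold: int = 3) -> list[Alert]:
    """Return an Alert for every log row whose combined score reaches the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        score, reasons = score_request(req)
        if score >= threshold:
            alerts.append(Alert(req, score, reasons))
    return alerts


def devices_to_contain(alerts: list[Alert], min_alerts: int = 2) -> set[str]:
    """Source devices with repeated alerts, i.e. candidates for network quarantine."""
    counts: dict[str, int] = {}
    for alert in alerts:
        counts[alert.request.src] = counts.get(alert.request.src, 0) + 1
    return {src for src, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.request.timestamp} {a.request.src} -> {a.request.host}{a.request.uri} "
              f"score={a.score} reasons={a.reasons}")
    print("contain:", sorted(devices_to_contain(found)))
```

Run against the constructed sample, the script flags the three PowerShell-originated requests from `10.0.0.15` and leaves the browser and Delivery Optimization traffic alone; because that single device accumulates several alerts it is also the one returned for containment, which is the same device-level decision the summary describes for Autonomous Response. In production the user-agent check alone is noisy (administrative scripts legitimately use `Invoke-WebRequest`), which is why the example only alerts on a combination of signals.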

MITRE Techniques

  • [T1566.002] Spearphishing Link – Initial access is gained through targeted phishing emails with malicious links leading to ClickFix baiting. (‘spear phishing attacks’)
  • [T1189] Drive-by Compromise – Attackers exploit trusted websites and online platforms to deliver malicious payloads via drive-by downloads. (‘drive-by compromises’)
  • [T1059.001] PowerShell – Execution of malicious PowerShell commands by tricking users to run them via fake verification prompts. (‘malicious PowerShell commands’)
  • [T1210] Exploitation of Remote Services – Downloaded malicious scripts further exploit remote services and gather system information for lateral movement. (‘script that sent system information to a specified IP address’)
  • [T1071.001] Web Protocols – Command and control communications use HTTP/S protocols observed in connections between compromised devices and malicious IPs. (‘HTTP connection with new PowerShell user agent’)
  • [T1020] Automated Exfiltration – Sensitive data is exfiltrated automatically through HTTP POST requests to C2 servers. (‘data exfiltration involving system and device information’)

Indicators of Compromise

  • [IP Addresses] Command and control servers and malicious endpoints – 193.36.38[.]237, 188.34.195[.]44, 138.199.156[.]22, 141.193.213[.]11
  • [Hostnames] Potential C2 servers and compromised sites – rkuagqnmnypetvf[.]top, diagnostics.medgenome[.]com
  • [File Hashes] Malicious files associated with payloads – 34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044 (SHA-256), 10a5eab3eef36e75bd3139fe3a3c760f54be33e3 (SHA-1)
  • [URIs] Numeric and suspicious files used in lateral movement and exfiltration – /1744205200, /init1234, /1741714208, /1.txt


Read more: https://darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic