ClickFix Malware Tricks Users into Mapping Hacker-Controlled Drives


New ClickFix Scam Utilizes Stealthy Tactics to Load Malware on Windows Devices

A newly discovered ClickFix scam is duping Windows users into executing hidden commands that map a hacker-controlled drive and then load malware through a trusted application. The attack, identified by security researchers at Atos, is hard to detect because the user-visible steps rely on nothing but native Windows tools and the malicious code ends up running inside software the user already trusts.

The Scam Begins

The scam begins on compromised websites, such as `happyglamper.ro`, which present visitors with a fake Captcha prompt. Instead of a real Captcha challenge, the page instructs the user to press Windows key + R, then Ctrl + V, then Enter. The page has already copied a command to the clipboard without the user noticing, so that sequence opens the Run box, pastes the hidden command, and executes it.

Malware Execution

Researchers found that the attack uses the standard Windows `net use` command to connect to a remote server, so the first step looks like an ordinary network-drive mapping rather than a download. Through that connection the attackers tamper with a trusted application by replacing a file the user would normally never see, its `asar` archive (the archive format in which Electron-based applications package their JavaScript), with their own malicious code, so the trusted application itself loads the attackers' code.
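The `net use` step leaves a trace a defender can check: the connection shows up in the current session's connection list and, if it was made persistent, under `HKCU\Network`. The PowerShell below is an added example, not code from the Atos research or from the campaign, that enumerates both sources and flags any server that is not on an allowlist. The allowlist hosts, the sample `net use` output and the `203.0.113.10` address are constructed for the example; the real campaign's mapping target and protocol are not given on this page.

```powershell
# Added example (not code from the Atos research or the campaign): enumerate
# the connections a `net use` command leaves behind and flag any whose server
# is not on an allowlist. Covers the live session (parsed from `net use`
# output, which also lists WebDAV connections that the SMB cmdlets miss) and
# the persistent drive mappings Windows restores at logon from HKCU\Network.
# The allowlist and the sample `net use` output are constructed for this example.

$AllowedServers = @('fileserver01.corp.example', 'nas.corp.example')   # assumption

function Get-RemoteServer {
    # \\host\share, \\host@SSL\DavWWWRoot\dir (WebDAV over HTTPS) and
    # \\host@8080\dir all reduce to "host".
    param([string]$RemotePath)
    $first = (($RemotePath -replace '^\\\\', '') -split '\\')[0]
    return ($first -split '@')[0].ToLowerInvariant()
}

function Get-NetUseConnections {
    # Parse `net use` output: Status | Local | Remote | Network. Status may be
    # blank, and Local is blank for connections that have no drive letter.
    param([string[]]$Lines = (net use 2>$null))
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<status>OK|Disconnected|Unavailable)?\s*(?<local>[A-Z]:)?\s+(?<remote>\\\\\S+)') {
            [pscustomobject]@{
                Source     = 'net use'
                Local      = $Matches['local']
                RemotePath = $Matches['remote']
                Server     = Get-RemoteServer $Matches['remote']
            }
        }
    }
}

function Get-PersistentMappings {
    # HKCU\Network\<letter>\RemotePath holds mappings created with /persistent:yes
    foreach ($key in Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue) {
        $remote = (Get-ItemProperty -Path $key.PSPath).RemotePath
        if ($remote) {
            [pscustomobject]@{
                Source     = 'HKCU\Network'
                Local      = "$($key.PSChildName):"
                RemotePath = $remote
                Server     = Get-RemoteServer $remote
            }
        }
    }
}

function Find-SuspiciousMappings {
    # -NetUseOutput lets the function run on captured text; otherwise it runs `net use`.
    param([string[]]$Allowed = $AllowedServers, [string[]]$NetUseOutput)
    $live = if ($NetUseOutput) { Get-NetUseConnections -Lines $NetUseOutput } else { Get-NetUseConnections }
    @($live) + @(Get-PersistentMappings) | Where-Object { $Allowed -notcontains $_.Server }
}

# Constructed sample of `net use` output; 203.0.113.10 is a documentation address.
$SampleNetUse = @'
New connections will be remembered.

Status       Local     Remote                               Network
-------------------------------------------------------------------------------
OK           Z:        \\fileserver01.corp.example\share   Microsoft Windows Network
OK           W:        \\203.0.113.10@SSL\DavWWWRoot        Web Client Network
The command completed successfully.
'@ -split "`r?`n"

Find-SuspiciousMappings -NetUseOutput $SampleNetUse | Format-Table -AutoSize

# On a suspect host call Find-SuspiciousMappings with no arguments, then remove
# a rogue mapping with:  net use W: /delete
```

Against the constructed sample only the `W:` connection is reported, because its server is not allowlisted; the `Z:` mapping to an allowed file server passes. Parsing `net use` rather than calling `Get-SmbMapping` is deliberate: `net use` also lists connections made through the WebDAV redirector (the `\\host@SSL\DavWWWRoot` form), which the SMB cmdlets do not show.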

Malware Behavior

As a result, the malicious code runs inside the trusted application with the full privileges of the logged-in user. Because it executes in the application's Node.js main process rather than in a renderer, it sits outside the sandbox that normally keeps an app's page content away from sensitive files on disk. The malware generates a unique Victim ID, saves it to a file called `id.txt`, and then beacons to a hacker-controlled server at `cloudflare.report` (a lookalike name, not a Cloudflare property) every two seconds.

Security Community Response

The security community has taken notice, with cloud security expert and Microsoft MVP Steven Lim warning about the "Cloudflare Win + R" variant. Lim has identified several other domains linked to the campaign, including `modacontractors.uk`, `itexe.pl`, and a spoofed `static.cloudflareinsights.com`, and urges defenders to block them immediately.

Discovery and Prevention

Atos researchers discovered the scam by analyzing the RunMRU registry key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`), which keeps a most-recently-used list of the commands a user has entered into the Run box. That registry footprint was the only trace the initial execution left on the host, which is why the Run box itself deserves attention when triaging a machine for this kind of attack.
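RunMRU is a small key with a specific layout: each command is stored in a single-letter value (`a`, `b`, `c`, ...) with a `\1` suffix, and a `MRUList` value lists the letters from most recent to oldest. The PowerShell below is an added example, not the Atos researchers' tooling, that reads the key in that order and flags entries that look like a ClickFix payload. The match patterns are this example's own heuristics, not indicators published by the researchers, and the sample entries (including the `203.0.113.10` address) are constructed.

```powershell
# Added example, not the Atos researchers' tooling: read the current user's
# RunMRU key, restore the order Windows records in its MRUList value (most
# recent first), strip the "\1" suffix Explorer appends to each entry, and
# flag commands that look like a ClickFix payload. The patterns are this
# example's own heuristics and the sample entries are constructed.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristics (assumption): what a Run-box command pasted from a ClickFix lure tends to contain
$SuspiciousPatterns = @(
    '\bnet\s+use\b'                                                   # drive mapping, as in this campaign
    '\\\\[^\s\\]+'                                                    # any UNC path (\\host\...)
    '\b(powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin|rundll32)\b'
    'https?://'
)

function Get-RunMruEntries {
    # Pass -Values to analyse a captured or constructed hashtable; with no
    # argument the live key of the current user is read.
    param([hashtable]$Values)
    if (-not $Values) {
        $item = Get-ItemProperty -Path $RunMruPath -ErrorAction SilentlyContinue
        if (-not $item) { return }
        $Values = @{}
        foreach ($p in $item.PSObject.Properties) {
            # Entries are single-letter values a, b, c ...; MRUList gives their order
            if ($p.Name -match '^[a-z]$' -or $p.Name -eq 'MRUList') { $Values[$p.Name] = $p.Value }
        }
    }
    $order = if ($Values.ContainsKey('MRUList')) { [char[]]$Values['MRUList'] } else { $Values.Keys | Sort-Object }
    $rank = 0
    foreach ($slot in $order) {
        $slot = [string]$slot
        if (-not $Values.ContainsKey($slot)) { continue }
        $cmd  = ([string]$Values[$slot]) -replace '\\1$', ''     # drop Explorer's "\1" suffix
        $hits = @($SuspiciousPatterns | Where-Object { $cmd -match $_ })   # -match is case-insensitive
        [pscustomobject]@{
            Rank       = $rank          # 0 = most recently run
            Slot       = $slot
            Command    = $cmd
            Suspicious = ($hits.Count -gt 0)
            Matched    = ($hits -join ' ; ')
        }
        $rank++
    }
}

# Constructed sample of what the key can hold; 203.0.113.10 is a documentation address.
$SampleRunMru = @{
    MRUList = 'cab'
    a       = 'notepad\1'
    b       = 'winword\1'
    c       = 'cmd /c net use X: \\203.0.113.10\share\1'
}
Get-RunMruEntries -Values $SampleRunMru | Format-Table -AutoSize

# On a suspect host, with no -Values, the same function reads the live key:
# Get-RunMruEntries | Where-Object Suspicious
```

Three caveats when relying on this artifact. The key has at most 26 slots (`a` through `z`) and is a rolling list, so older commands are overwritten; values carry no timestamp, only the key's last-write time; and it lives in each user's hive, so for other profiles or an offline disk the corresponding `NTUSER.DAT` must be loaded and queried under that hive path. Pair the check with process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled), where the pasted command appears as a child of `explorer.exe`.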

Because the chain is built from native Windows tools and a trusted application, the defensive lesson is simple: never paste and run a command because a web page tells you to, however legitimate the prompt looks. Attackers keep refining these lures, so users and defenders alike need to treat any unfamiliar command destined for the Run box as a potential compromise.
