InstallFix Malware Campaigns: Fake Claude Code Install Guides Spread Infostealers

Post Views: 153

New Social Engineering Tactic: InstallFix

A new social engineering tactic, dubbed InstallFix, has been discovered by researchers at Push Security. This technique leverages cloned installation guides for popular command-line interface (CLI) tools to trick users into executing malicious commands. The attackers’ primary goal is to install infostealers, which can compromise sensitive data, including cryptocurrency wallets and login credentials.

How the Attack Works

The researchers found that the InstallFix technique is being used to promote fake installation pages for Claude Code, a CLI coding assistant developed by Anthropic. The cloned page features the same layout, branding, and documentation as the legitimate source, but the installation instructions for macOS and Windows contain malicious commands that deliver malware from an attacker-controlled endpoint.

Malvertising Campaigns

The attackers are promoting these fake pages through malvertising campaigns on Google Ads, causing malicious ads to appear in search results for queries related to Claude Code installation. This tactic allows the attackers to reach a wider audience, including non-technical users who may be more vulnerable to social engineering attacks.

The Payload

According to Push Security’s analysis, the payload delivered through these InstallFix attacks is the Amatera Stealer, a piece of malware designed to steal sensitive data from compromised systems. The Amatera Stealer is a relatively new malware family, believed to be based on the ACR Stealer, which is sold as a subscription service to cybercriminals.

Evasion Techniques

The attackers’ use of legitimate platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne to host the malicious sites makes it more challenging for security tools to detect the attacks. Additionally, the malicious commands used in the InstallFix attacks are designed to evade detection by security software.

Prevention and Detection

To avoid falling victim to these attacks, users should ensure they obtain installation instructions from official websites and block or skip promoted Google Search results. Bookmarking software installation pages and verifying the authenticity of installation guides can also help prevent these types of attacks.

Push Security has published indicators of compromise, including the domains used to serve the cloned guides, host the malicious payloads, and deliver the InstallFix commands. These indicators can help security teams detect and prevent InstallFix attacks.

“The discovery of the InstallFix technique highlights the importance of being cautious when searching for software installation guides online. As social engineering tactics continue to evolve, it is essential for users to remain vigilant and take steps to protect themselves from these types of attacks.”