New FileFix Attack on Meta’s Name using Steganography to drop StealC Malware


Users are tricked into unknowingly installing the StealC infostealer by a recently discovered FileFix social engineering campaign that mimics Meta account suspension notices.

FileFix is a newer variant of the ClickFix family of attacks, which use social engineering to trick users into pasting malicious commands into operating system dialogs under the pretext of “fixing” a problem.

Red team researcher Mr.d0x devised the FileFix technique. Rather than tricking users into pasting commands into the Windows Run dialog or a terminal, it abuses the File Explorer address bar, which will execute a pasted PowerShell command.

This is not the first time FileFix has been used in an attack: the Interlock ransomware group has already used it to deploy its remote access trojan (RAT). Those earlier attacks, however, reused the original FileFix proof-of-concept (PoC) rather than building new lures around it.


New FileFix campaign

Acronis uncovered the new campaign, which uses a multilingual phishing page that impersonates Meta’s support team and threatens to suspend the victim’s account in seven days unless they review an “incident report” that Meta has purportedly shared.

But in reality, this report is a disguised PowerShell command that infects targets’ devices with malware.

The phishing page instructs users to copy what looks to be a file path using the “Copy” button, click the “Open File Explorer” button, and then paste the path into the address bar of File Explorer to open the document.

But clicking the Copy button actually places a PowerShell command padded with a long run of spaces into the Windows clipboard, so when it is pasted into File Explorer only the trailing file path is visible in the address bar.

“In order to trick the user into thinking that they are pasting the path to an ‘incident report’ PDF file, the perpetrator has placed a variable at the end of the payload, which contains a lot of spaces and the fake path at the end,” Acronis says.

“This is done to ensure that the address bar displays only the file path and not any harmful commands. The # sign is used in place of a variable in a typical ClickFix attack, and PowerShell interprets this as a developer comment.”

“This has the unintentional advantage that anyone who has built their detections to look for the ‘#’ symbol from ClickFix is likely to miss this.”
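The detection gap Acronis describes can be illustrated with a small triage check, written here as an added example rather than code from the article or from Acronis: a rule that keys on the trailing `#` comment catches the classic ClickFix shape but not the variable-padding variant, whereas keying on the long whitespace run followed by a document-like path catches both. The sample command lines, the 20-space threshold and the regular expressions are constructed assumptions; the command portion of each sample is inert.

```python
import re

# Constructed samples (not from the campaign). Only the padding/fake-path
# structure mirrors what the article describes; the command itself is inert.
FAKE_PATH = r"C:\Users\Public\Downloads\incident_report.pdf"
SAMPLES = {
    # Classic ClickFix: the lure text is hidden behind a '#' comment
    "clickfix_hash": 'powershell -c "Get-Date"' + " " * 120 + "# " + FAKE_PATH,
    # FileFix variant: the padding and fake path live inside a trailing variable,
    # so there is no '#' for a comment-based rule to match
    "filefix_variable": 'powershell -c "Get-Date"; $p = "' + " " * 120 + FAKE_PATH + '"',
    # Benign: ordinary script invocation with path arguments and no padding
    "benign": r"powershell -File C:\Scripts\backup.ps1 -Dest D:\backups",
}

PAD_RE = re.compile(r"\s{20,}")  # assumed threshold for "suspiciously long" padding
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+\.(?:pdf|docx?|xlsx?|txt)", re.I)
VAR_OPEN_RE = re.compile(r"\$\w+\s*=\s*[\"']$")  # '$name = "' just before padding


def analyze(cmdline: str) -> dict:
    """Flag a PowerShell command line whose visible tail is a padded fake document path.

    style is 'comment' (ClickFix '#' trick), 'variable' (the FileFix variant from
    the article) or 'unknown' (padding + path with neither marker).
    """
    result = {"suspicious": False, "style": None, "hidden_path": None}
    for m in PAD_RE.finditer(cmdline):
        head, tail = cmdline[: m.start()], cmdline[m.end():]
        pm = PATH_RE.match(tail.lstrip("# "))
        if not pm:
            continue  # whitespace not followed by a document-like path
        result["suspicious"] = True
        result["hidden_path"] = pm.group(0)
        if tail.lstrip().startswith("#"):
            result["style"] = "comment"
        elif VAR_OPEN_RE.search(head):
            result["style"] = "variable"
        else:
            result["style"] = "unknown"
        return result
    return result


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, analyze(cmd))
```

Run against real telemetry, the same check would be applied to PowerShell command lines whose parent process is explorer.exe, which is the execution path FileFix relies on.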

[Image: FileFix attack impersonating Meta support. Source: Acronis]

This FileFix campaign is notable because it uses steganography to conceal encrypted executables and a second-stage PowerShell script behind an apparently innocuous JPG file stored on Bitbucket.

Unbeknownst to the victim, the first-stage PowerShell command downloads the image and extracts the embedded secondary script, which is subsequently used to decrypt the payloads in memory.

[Image: Second PowerShell script embedded in the image. Source: Acronis]

The final payload, the StealC infostealer, attempts to steal the following from compromised devices:

  • Web browser login credentials and cookies (Chrome, Firefox, Opera, Tencent, etc.)
  • Messaging app credentials (Discord, Telegram, Tox, and Pidgin)
  • Cryptocurrency wallets, including Bitcoin, Ethereum, Exodus, and others
  • Cloud credentials (AWS, Azure)
  • VPN and gaming application data (Battle.net, Ubisoft, and ProtonVPN)
  • Screenshots of the active desktop

According to Acronis, several variations of this campaign were observed over the course of two weeks, using different payloads, domains, and lures.

“Throughout our investigation, we’ve uncovered several iterations of the attack, going back two weeks,” Acronis said.

“Through these iterations, we can trace out an evolution of both the social engineering technique and the more technical aspects of the attack.”

“Perhaps this is indicative of an attacker testing out an infrastructure they are planning to use in the future, or perhaps these are iterations added to the attack mid-campaign, as the attacker learns to adapt and improve.”


Even though most businesses have trained their staff to recognize phishing, ClickFix and FileFix techniques are still relatively new and constantly evolving.

Acronis advises businesses to educate their users about these newer tactics and about the risk of pasting anything copied from a website into seemingly innocuous system dialogs such as the File Explorer address bar.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
