Windows File Explorer Weaponized by FileFix to Deliver Covert Commands

The Windows File Explorer address bar abused by the FileFix technique to run covert commands

A security researcher has created FileFix, a variation of the ClickFix social engineering attack that uses the Windows File Explorer address bar to trick users into running malicious commands.

With FileFix, a variant of the ClickFix social engineering attack, threat actors can use the File Explorer address bar in Windows to execute commands on the victim's PC.

The security researcher mr.d0x devised the technique and showed how it could be used in attacks that rely on basic social engineering to target company employees.

Browser-based ClickFix attacks work by tricking users into clicking a button on a website that copies a command to the Windows clipboard. The user is then told to paste the command into PowerShell or another command prompt, supposedly to resolve a problem.

These attacks are usually disguised as an error message or a CAPTCHA that prevents the user from accessing the website until the "problem" has been fixed.

[Image: Example of a fake CAPTCHA in a ClickFix attack. Source: SilentPush]

The FileFix divergence

In a ClickFix attack, a malicious PowerShell command is copied to the Windows clipboard as soon as the user clicks a button on the website. The user is then instructed to paste the command into the Run dialog (Win+R) or into a PowerShell or command prompt window.

mr.d0x achieved the same result by having the target paste the command into the more familiar Windows File Explorer interface instead.

The researcher built a convincing scenario by combining File Explorer's ability to launch operating system commands from its address bar with the browser's file upload feature.

A phishing website is still used in FileFix attacks, but the lure is no longer disguised as an error or a problem to fix. Instead, it can appear as a notification telling the user that a file has been shared with them and asking them to paste the file's path into File Explorer to open it.

“The phishing page includes an ‘Open File Explorer’ button that, when clicked, launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard” – mr.d0x


To keep the deception intact, the attacker appends the fake file path to the end of the PowerShell command behind a comment marker (#). PowerShell ignores everything after the marker, so the decoy path has no effect on what runs.

Because the decoy comes last, it is the part that is initially visible in the File Explorer address bar, while the malicious PowerShell command that precedes it stays out of view.

When the user presses Enter, the whole string is executed and the command runs, as shown in a video demonstrating the new ClickFix variant.
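For defenders, the comment trick leaves a usable artifact in process-creation telemetry: a shell that starts from an interactive parent with a command line that ends in a # comment shaped like a file path, often after a long run of whitespace. The Python below is an added example written for this article, not code from mr.d0x or from the page; the log records are constructed to loosely mimic Windows Security 4688 / Sysmon Event ID 1 fields, and the parent processes it watches (explorer.exe, plus browsers in case the file-upload dialog is hosted by the browser process) and the padding threshold are assumptions to tune for your own environment.

```python
import re
from typing import Optional

# Shells that ClickFix/FileFix lures ask the victim to run (lower-case basenames).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Parents under which a command pasted into a File Explorer address bar could
# appear. explorer.exe is the obvious one; the browser names are an assumption
# for the case where the file-upload dialog is hosted by the browser process
# that opened it. Extend this set to match your environment.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# A PowerShell line comment (#) whose first token looks like a Windows path:
# a drive-letter path (C:\...) or a UNC path (\\server\share\...).
# Group "pad" captures the whitespace run before the '#', which a lure can use
# to push the real command out of the visible part of the address bar.
DECOY_PATH_RE = re.compile(
    r"(?P<pad>\s*)#\s*(?P<path>(?:[A-Za-z]:\\|\\\\)[^\r\n\"']*)"
)

# Assumed threshold: this many spaces before the comment marker is treated as
# deliberate padding rather than ordinary formatting.
PADDING_THRESHOLD = 10


def basename(path: str) -> str:
    """Lower-case file name of a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[dict]:
    """Return a finding if `event` is a shell launch carrying a decoy path in a
    trailing comment, otherwise None. Expected keys: parent, image, cmdline."""
    if basename(event["image"]) not in SHELL_IMAGES:
        return None
    m = DECOY_PATH_RE.search(event["cmdline"])
    if m is None:
        return None
    real_command = event["cmdline"][: m.start()].rstrip()
    if not real_command:
        return None  # nothing runs before the comment; not the pattern we want
    parent = basename(event["parent"])
    padding = len(m.group("pad"))
    reasons = ["decoy Windows path in trailing # comment"]
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"shell spawned by interactive parent {parent}")
    if padding >= PADDING_THRESHOLD:
        reasons.append(f"{padding} spaces of padding before the comment")
    return {
        "parent": parent,
        "real_command": real_command,
        "decoy_path": m.group("path").rstrip(),
        "padding": padding,
        "severity": "high" if len(reasons) == 3 else "medium",
        "reasons": reasons,
    }


def scan(events) -> list:
    """Run analyze() over an iterable of events and keep the findings, in order."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample records, loosely shaped like Windows Security 4688 /
# Sysmon Event ID 1 fields. They are not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # FileFix-style: command padded out of view, decoy drive-letter path
        "parent": r"C:\Windows\explorer.exe",
        "image": PS,
        "cmdline": "powershell.exe -w hidden -c ping example.invalid"
                   + " " * 40 + r"# C:\Shared\HR\Benefits.pdf",
    },
    {   # Same trick with a UNC decoy and the browser as the parent process
        "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "image": PS,
        "cmdline": r'powershell.exe -nop -w hidden -c "whoami" # \\fileshare\HR\Benefits.pdf',
    },
    {   # Shell started from explorer.exe but with no comment: not this pattern
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c dir C:\Users",
    },
    {   # Legitimate script with an ordinary comment: no path after the '#'
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": PS,
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1 # nightly backup",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["parent"], "->", finding["real_command"])
        print("   decoy:", finding["decoy_path"], "| reasons:", "; ".join(finding["reasons"]))
```

The path-after-comment check is deliberately narrow: a # is legitimate PowerShell syntax and also appears in URLs, so corroborate a hit with the parent process and the padding rather than alerting on the comment alone. The reverse also holds: a lure that hides the command some other way will not match this regex, so treat it as one signal beside a broader rule for shells spawned by explorer.exe and browsers.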

Because the lure depends on the browser's file upload button, the researcher also had to stop the target from accidentally selecting and uploading a file from their computer.

Mr. D0x included a few lines that prevent file upload action “by intercepting the file selection event and immediately clearing the input” in the proof-of-concept code for the phishing page.

If that happens, the phishing page can display a warning telling the user that they did not follow the instructions and should try again.

ClickFix Campaigns

ClickFix attacks are effective enough at infecting systems with malware that they have been used in ransomware operations and even by state-sponsored groups.

The North Korean state hacking group "Kimsuky" used ClickFix elements in one of its attacks: a PDF file sent targets to a fake device registration page that instructed them to open PowerShell as an administrator and paste code supplied by the attacker.

Microsoft observed a ClickFix campaign in which attackers impersonated Booking.com to infect hospitality workers with remote access trojans and infostealers.

The technique has also been adapted to Linux, where visiting a malicious web page copies a shell command to the clipboard and the potential victim is then instructed to open a run dialog and execute it.

Although it is only a variation, FileFix demonstrates how such phishing attacks can be made more convincing by moving command execution into a more familiar, user-friendly context.

mr.d0x told News4Hackers that because his FileFix attack is easy to carry out and makes use of a popular Windows tool, he expects threat actors to adopt it quickly.

The researcher’s browser-in-the-browser phishing technique was previously swiftly adopted by hackers, demonstrating that malevolent actors are always eager to learn about new attack techniques.
