Researchers have uncovered a malware delivery method dubbed “ClickFix,” which exploits user trust through compromised websites to deliver DakGate and Lumma Stealer malware variants. The ClickFix technique uses social engineering to trick users into executing malicious scripts, potentially leading to severe system compromise of affected systems.
These sites redirect visitors to domains hosting fake popup windows, which instruct users to paste a script into a PowerShell terminal.
ClickFix Social Engineering Infection Chain
After visitors are redirected from seemingly-legitimate sites, instructions are displayed to deceive them into pasting various base64-encoded commands into a PowerShell terminal. Researchers from McAfee Labs stated that these commands are designed to download and execute malware, from remote attacker-controlled C2 servers.
The ClickFix social engineering technique showcases a highly effective and technical method for malware deployment. Once the malware is active on the system, the malware typically includes steps to evade security detections such as clearing clipboard contents and running processes on minimized windows, maintain persistence on victim’s systems, and stealing users’ personal data to send to a command and control (C2) server.
The researchers have detailed the use of the ClickFix technique by the DarkGate and Lumma Stealer malware:
- DarkGate
DarkGate is a malware family that relies on the ClickFix technique. The DarkGate malware is distributed through phishing emails that contain HTML attachments masqueraded as MS Office Word document files. After a user accesses the attachment, the HTML file displays a “How to fix” button, that upon clicking displays base64-encoded commands which hide malicious PowerShell instructions.
Source: mcafee.com Upon running, the PowerShell commands downloads and executes an additional HTA file that contains additional malicious payloads. Once infected, the malware is capable of exfiltrating sensitive information and providing unauthorized remote access to threat actors.
- Lumma Stealer
Source: mcafee.com While the Lumma Stealer is distributed through similar use of the ClickFix technique, visitors are usually greeted directly with a webpage displaying error message such as supposed browser problems, and are apparently provided instructions to ‘fix’ the issue. These instructions trick users to similarly enter base64-encoded commands into a PowerShell terminal that run the Lumma Stealer malware upon execution. This allows the stealer to bypass traditional security measures while compromising affected systems.
Mitigations and Remediations
To protect against the ClickFix technique and malware such as DarkGate and Lumma stealer, the researchers have shared the following recommendations:
- Regular training to inform potential victims about about social engineering tactics or phishing campaigns.
- Use of antivirus software on system endpoints.
- Implementation of a robust email or website filtering system to block suspicious phishing mails, malicious attachments or malicious websites.
- Deployment of firewalls and intrusion detection/prevention systems (IDS/IPS) to block against malicious traffic on networks.
- Network segmentation to prevent the spread of malware within organizations.
- Monitoring of network logs and traffic
- Enforcement of the principle of least privilege (PoLP).
- Implementation of security policies or monitoring over clipboard content, particularly in sensitive environments.
- Implementation of multi-factor authentication (MFA).
- Update operating systems, software, and applications to the latest available patched versions.
- Encrypt stored data or data in transmission from potential unauthorized access.
- Regular and secure back up of important data
