
ClickFix Malware: Hiding Malicious Code in Images with Steganography

N2K Networks · January 18, 2026 · 20 min · 210 views

Understanding the ClickFix Campaign

  • 💡 ClickFix is a malware delivery technique that relies on tricking users into copying and pasting malicious commands.
  • 🎯 This campaign, "ClickFix Gets Creative: Malware Buried in Images," uses a sophisticated evasion method: steganography to hide payloads within PNG images.
  • ⚠️ The attack chain leverages native Windows executables like mshta.exe and PowerShell to download and execute payloads, making it difficult for traditional antivirus to detect.

Deceptive Lures Used in the Attack

  • 🎭 Two primary lures are employed: a fake robot verification page and a more convincing fake Windows Update screen.
  • 💻 The Windows Update lure is particularly effective as it takes over the user's browser in full-screen mode, hides the cursor, and displays a realistic-looking update sequence.
  • 🖱️ Users are then instructed to press Ctrl+R or Win+R to open the Windows Run box and paste a malicious command, believing they are resolving an update issue.

The Multi-Stage Malware Execution Chain

  • βš™οΈ The execution begins when a user pastes the command, triggering mshta.exe to download and run a payload in memory.
  • 🐍 This payload then downloads a PowerShell script, which decrypts and loads further code, moving through several stages.
  • πŸ–ΌοΈ The final stage involves a .NET binary embedding a PNG image. Steganography is used here to extract the shellcode and malware from the image's pixel data using bitwise operations.

Capabilities of Info Stealers: LummaC2 and Rhadamanthys

  • 💰 LummaC2 and Rhadamanthys are advanced info stealers, often available as malware-as-a-service on dark web forums.
  • 💻 These stealers can capture a wide range of credentials from common browsers and applications, and search for cryptocurrency wallets and keys.
  • 📋 LummaC2 has a notable capability to intercept clipboard information, specifically targeting crypto wallets and keys during transactions.
  • ⚖️ Both LummaC2 and Rhadamanthys have recently been targets of law enforcement takedowns, though their infrastructure may be rebuilt.

Defending Against ClickFix Attacks

  • 🎓 Security awareness training is crucial, specifically educating users about ClickFix techniques and the dangers of running arbitrary commands.
  • 🚫 Implementing stronger technical mitigations, such as blocking the Windows Run box and restricting PowerShell execution via group policy, can significantly reduce risk.
  • 🔍 While threat actors put significant effort into obfuscation and steganography, understanding these techniques helps in developing effective defenses.

What’s Discussed

ClickFix, Steganography, Malware Delivery, Info Stealers, LummaC2, Rhadamanthys, Windows Update Lure, Security Awareness Training, mshta.exe, PowerShell, .NET, Malware Analysis, Cybersecurity, Threat Actors, Evasion Techniques