ClickFix Malware: Steganography, Fake Updates, and Info Stealers

The ClickFix Campaign

• 🎯 The ClickFix campaign is a malware delivery technique that relies on tricking users into copying and pasting malicious commands.
• ⚠️ This specific campaign is notable for its use of steganography to hide malicious payloads within benign PNG images.

Deceptive Lures

• 🤖 Two primary lures are used: a fake robot verification page and a convincing fake Windows Update screen.
• 🖼️ The Windows Update lure is particularly effective, making the browser full-screen, hiding the cursor, and presenting a realistic update sequence before instructing the user to run a command.
• 🖱️ This tactic exploits user trust and unfamiliarity with the ClickFix threat, leading them to execute commands they wouldn't otherwise.

Multi-Stage Attack Chain

• ⚙️ The attack begins with a user-initiated copy-paste of a hex-encoded command.
• 💻 This command launches mshta.exe, a legitimate Windows binary, which then downloads and executes further payloads in memory, avoiding disk detection.
• 📜 A PowerShell script decrypts and loads more code, leading to a .NET binary that contains the steganographically hidden image.
• 🎨 The malware extracts the malicious code from the PNG image using pixel data manipulation (e.g., XOR bitwise operations) and injects it into memory.

Info Stealer Payloads

• 💰 The ultimate goal is to deploy info stealers like LummaC2 and Rhadamanthys.
• 🔑 These stealers are offered as malware-as-a-service and are capable of capturing a wide range of credentials from browsers, email clients, and cryptocurrency wallets.
• 📋 LummaC2 has the ability to intercept clipboard data, specifically targeting cryptocurrency wallet addresses during transactions.

Defense Strategies

• 🎓 Security awareness training is crucial, educating users about ClickFix tactics and the dangers of running arbitrary commands.
• 🚫 Implementing stronger technical mitigations, such as blocking the Windows run box (Win+R) and restricting PowerShell execution via Group Policy, can significantly hinder these attacks.
• 🛡️ While sophisticated, these info stealers are not zero-day threats and are often delivered through phishing or opportunistic means, making user education and endpoint controls vital.