
FileFix Attack Evades Security with Cache Smuggling

Summary

– A new FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive by disguising it as a cached image file, bypassing security software.
– The attack impersonates a Fortinet VPN Compliance Checker and tricks users into pasting a padded command into Windows File Explorer that executes a hidden PowerShell script.
– The PowerShell script extracts a malicious ZIP file from Chrome’s cache, which was previously stored there when the browser retrieved a fake image from the phishing page.
– A new ClickFix kit called “IUAM ClickFix Generator” automates the creation of similar social engineering lures, customizing them for different operating systems and fake services like Cloudflare or Microsoft.
– These attacks are being adopted by ransomware gangs and other threat actors to deploy infostealer malware, emphasizing the need to avoid copying and executing commands from untrusted websites.

A sophisticated new version of the FileFix social engineering attack now employs a clever method known as cache smuggling to secretly deliver harmful files while completely avoiding detection by security tools. This phishing campaign cleverly disguises itself as a “Fortinet VPN Compliance Checker,” tricking users into unknowingly executing a hidden PowerShell command through the Windows File Explorer address bar.

Cybersecurity researchers have provided a detailed breakdown of this deceptive operation. Unlike earlier ClickFix attacks that manipulated users into pasting malicious code into system dialogs, this updated FileFix method displays what appears to be a harmless network path. However, the text copied to the clipboard is actually a lengthy string padded with over a hundred spaces, cleverly concealing a dangerous PowerShell script.

When an unsuspecting person pastes this text into File Explorer and presses Enter, Windows quietly runs the hidden command. This script performs several actions in the background. It first creates a specific folder on the local system, then copies Google Chrome’s browser cache files into this new location. The PowerShell code then carefully scans these cached files, searching for hidden data markers that identify a smuggled ZIP archive disguised as an image file.

The extracted archive contains a malicious executable named FortiClientComplianceChecker.exe, which proceeds to run harmful code on the victim’s device. The initial delivery of this malicious file occurs through what experts call cache smuggling. When the user first visits the phishing page, embedded JavaScript instructs their browser to fetch what seems to be a standard JPEG image. The browser automatically stores this “image” in its cache, completely unaware that the file actually contains hidden malware components.

This smuggling technique provides significant evasion advantages. Since neither the webpage nor the PowerShell script directly downloads any files, security products that monitor downloads or scan for suspicious network activity remain completely blind to the attack. The malware effectively arrives on the system through normal browser caching behavior, bypassing multiple layers of security protection.
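Both artefacts described above, the whitespace-padded clipboard string and a cached "image" that actually carries a ZIP archive, can be checked for from the defender's side. The Python below is an added example and is not code from the original article or from the researchers' report; the padding threshold, the interpreter names it looks for, and the constructed sample cache object are assumptions, since the article does not publish the real data markers.

```python
import io
import re
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"          # start of a real JPEG
ZIP_LOCAL_HDR = b"PK\x03\x04"         # ZIP local file header
ZIP_EOCD = b"PK\x05\x06"              # ZIP end-of-central-directory record
PADDING_RE = re.compile(r"\s{50,}")   # assumed: a whitespace run long enough to hide text in an address bar


def find_smuggled_zip(blob: bytes, declared_type: str) -> dict:
    """Report whether a cached object declared as an image embeds a parseable ZIP archive."""
    report = {"declared": declared_type, "jpeg_header": blob.startswith(JPEG_MAGIC),
              "zip_offset": None, "entries": []}
    start, end = blob.find(ZIP_LOCAL_HDR), blob.rfind(ZIP_EOCD)
    if start == -1 or end == -1 or end < start:
        return report
    try:
        # Central-directory offsets are relative to the archive start, so slice there
        with zipfile.ZipFile(io.BytesIO(blob[start:])) as zf:
            report["entries"] = zf.namelist()
            report["zip_offset"] = start
    except zipfile.BadZipFile:
        pass  # signatures present but not a valid archive; offset stays None
    return report


def is_padded_clipboard_lure(text: str) -> bool:
    """True when a long whitespace run splits the text and some segment invokes a shell interpreter."""
    segments = [s for s in PADDING_RE.split(text) if s.strip()]
    if len(segments) < 2:
        return False
    return any(re.search(r"\b(powershell|pwsh|cmd|mshta)\b", s, re.I) for s in segments)


def build_sample_cache_object() -> bytes:
    """Constructed sample: a JPEG-looking prefix with a ZIP appended, as the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"MZ placeholder, not a real binary")
    return JPEG_MAGIC + b"\x00" * 64 + buf.getvalue()


if __name__ == "__main__":
    print(find_smuggled_zip(build_sample_cache_object(), "image/jpeg"))
    lure = "powershell -c <PLACEHOLDER>" + " " * 120 + r"\\vpn-check\Compliance"
    print(is_padded_clipboard_lure(lure))
```

Run against real cache entries, the first check would be applied to every object whose recorded content type is an image; an entry that reports a non-empty `entries` list is worth quarantining and investigating.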

Threat actors have rapidly incorporated this advanced FileFix method into their campaigns, with ransomware groups and other malicious operators already deploying it. Simultaneously, security researchers have identified a new automated tool called the “IUAM ClickFix Generator” that simplifies creating these social engineering lures. This kit allows attackers to design convincing fake verification pages mimicking legitimate services like Cloudflare, Microsoft Teams, and various other platforms.

The generated lures typically display counterfeit CAPTCHA challenges that instruct users to paste hidden commands into system terminals or dialog boxes. Recent campaigns have used these tactics to distribute information-stealing malware including DeerStealer for Windows and Odyssey for macOS, along with other unidentified payloads.

Security awareness training remains critically important for defending against these sophisticated social engineering attacks. Employees should understand the significant risks of copying and executing any text obtained from unfamiliar websites, particularly within system command interfaces.

(Source: Bleeping Computer)
