Beware: Fake Windows Update Pushes Malware in ClickFix Attack

Summary
– ClickFix attacks trick users with fake full-screen browser pages like Windows Update animations that hide malicious code in images using steganography.
– Attackers use social engineering to convince victims to paste and execute commands in Windows Command Prompt, leading to malware installation on their systems.
– The attack delivers information stealers like LummaC2 and Rhadamanthys through multiple stages involving PowerShell, .NET assemblies, and encrypted payloads in PNG files.
– Threat actors employ evasion tactics such as a “ctrampoline” entry point that calls thousands of empty functions, and the Donut tool to execute malware in memory without detection.
– Researchers recommend disabling the Windows Run box and monitoring suspicious processes to protect against ClickFix attacks.
A new and highly deceptive cyberattack is tricking users into installing dangerous malware by disguising itself as a critical Windows security update. This sophisticated scheme, known as a ClickFix attack, uses a realistic-looking, full-screen browser animation that mimics the genuine Windows Update process. The ultimate goal is to steal sensitive information by deploying malware like LummaC2 and Rhadamanthys directly onto victims’ computers.
In these attacks, cybercriminals employ clever social engineering to convince people they need to complete a system update or pass a “human verification” check. The fake webpage provides specific instructions, telling the user to press a sequence of keys. Unbeknownst to them, this action pastes and executes malicious commands directly into the Windows Command Prompt, because the harmful code was secretly copied to their clipboard by JavaScript on the site.
Security experts from Huntress have identified that these new ClickFix variants are particularly dangerous because they use a technique called steganography to hide the final malware payload. Rather than attaching a malicious file in an obvious way, the attackers encode the harmful code directly within the pixel data of a standard PNG image. Specialized color channels are used to conceal the information, which is later reconstructed and decrypted in the computer’s memory to release the malware.
The infection process is complex and multi-staged. It begins by using a legitimate Windows tool, `mshta`, to run malicious JavaScript. This then triggers a series of steps involving PowerShell and a .NET assembly, referred to as a “Stego Loader.” This loader is responsible for the crucial task of extracting the encrypted final payload from the hidden location within the PNG file.
To further evade detection, the attackers implemented a dynamic evasion tactic. The malicious code’s entry point was designed to call thousands of empty functions, a method known as a “trampoline” or ctrampoline, which can confuse and slow down security analysis. Once the shellcode is successfully extracted from the image, it is unpacked using a tool called Donut, which is capable of executing various file types directly in memory.
In the attacks analyzed by researchers, this process ultimately delivered the LummaC2 and Rhadamanthys information stealers onto the compromised systems. These malware families are designed to harvest valuable data from infected machines, including login credentials, financial information, and cryptocurrency wallets.
While a recent law enforcement operation, known as Operation Endgame, disrupted some of the infrastructure used by the Rhadamanthys variant, the fake domains used in these attacks often remain active. Therefore, user vigilance remains the first line of defense.
To protect against these ClickFix attacks, cybersecurity professionals recommend several proactive measures. A key step is to consider disabling the Windows Run box to prevent the easy pasting of malicious commands. System administrators should also monitor for unusual process chains, such as the `explorer.exe` process unexpectedly launching `mshta.exe` or PowerShell. For those investigating a potential security incident, checking the RunMRU registry key can reveal if suspicious commands were recently entered by a user, providing a crucial clue for early detection.
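One way to put the two checks above into practice, as an added example that is not code from the Huntress or Bleeping Computer write-ups: a Python script that flags the process chains named in the article (explorer.exe spawning mshta.exe or PowerShell, and mshta.exe spawning PowerShell, following the stage chain described earlier) in Sysmon-style process-creation records, and lists suspicious entries from the RunMRU key. The event records and registry values are constructed for this example; the RunMRU layout it assumes, one command per letter-named value terminated by "\1" with an MRUList value giving the order, is the standard Windows convention.

```python
import re

# Constructed sample records in the shape of Sysmon process-creation events;
# the values are made up for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Constructed RunMRU values: each single-letter value holds one Run-box command
# terminated by "\1", and MRUList lists the letters most-recent-first.
SAMPLE_RUNMRU = {"MRUList": "cba", "a": "notepad\\1", "b": "calc\\1",
                 "c": "mshta https://example.invalid/fix\\1"}

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SUSPECT_RE = re.compile(r"\b(mshta|powershell|pwsh)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_process_chains(events):
    """Return events where explorer.exe spawns mshta.exe or PowerShell, or
    mshta.exe spawns PowerShell (the stage chain described in the article)."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent == "explorer.exe" and (child == "mshta.exe" or child in POWERSHELL):
            hits.append(ev)
        elif parent == "mshta.exe" and child in POWERSHELL:
            hits.append(ev)
    return hits

def runmru_entries(values):
    """Return Run-box history most-recent-first with the trailing '\\1' stripped."""
    out = []
    for letter in values.get("MRUList", ""):
        entry = values.get(letter)
        if entry is not None:
            out.append(entry[:-2] if entry.endswith("\\1") else entry)
    return out

def suspicious_runmru(values):
    """Return RunMRU entries that invoke mshta or PowerShell."""
    return [e for e in runmru_entries(values) if SUSPECT_RE.search(e)]
```

On a live host the RunMRU values would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and the events from the Sysmon log; the ordering in MRUList tells an investigator which suspicious command was entered most recently.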
(Source: Bleeping Computer)