The code achieves persistence using scheduled tasks, contains anti-malware evasion routines, and targets browser data and other sensitive information for exfiltration.

In another variant of the attack, the malicious commands executed in Windows Terminal lead to a batch script executed via command prompt and through MSBuild.exe.

“The script connects to Crypto Blockchain RPC endpoints, indicating etherhiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data,” Microsoft says.

Another recently observed ClickFix attack variant, dubbed InstallFix, relies on cloned AI tool websites to trick victims into executing malicious commands, also leading to information-stealer infections.

Related: Microsoft Warns of ClickFix Attack Abusing DNS Lookups
Related: Sophisticated ClickFix Campaign Targeting Hospitality Sector
Related: ClickFix Attacks Against macOS Users Evolving
Related: New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack
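The process chain described above (a command pasted into Windows Terminal spawning a command prompt that launches MSBuild.exe) is something defenders can hunt for in process-creation telemetry. The following detection logic is an added example, not code from the article or from Microsoft; it assumes Windows Terminal's executable name is windowsterminal.exe and runs over constructed sample events rather than real logs.

```python
# Added example: flag MSBuild.exe launched from a shell under Windows Terminal,
# the ClickFix chain described in the article, while ignoring IDE-driven builds.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name, lowercased


# Constructed sample telemetry (not from the article): one suspicious chain
# and one legitimate build started from Visual Studio.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "windowsterminal.exe"),  # assumed Windows Terminal image name
    ProcEvent(210, 200, "cmd.exe"),              # shell hosting the pasted command
    ProcEvent(220, 210, "msbuild.exe"),          # batch script hands off to MSBuild
    ProcEvent(300, 100, "devenv.exe"),
    ProcEvent(310, 300, "msbuild.exe"),          # normal IDE build, should not alert
]

# Parent shells that a ClickFix command would typically run in.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def ancestry(events, pid, depth=4):
    """Return image names from the given process upward, child first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_msbuild(events):
    """PIDs of msbuild.exe whose parent is a shell launched by Windows Terminal."""
    hits = []
    for e in events:
        if e.image != "msbuild.exe":
            continue
        chain = ancestry(events, e.pid, depth=3)
        if len(chain) == 3 and chain[1] in SHELL_IMAGES and chain[2] == "windowsterminal.exe":
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    print("suspicious MSBuild PIDs:", find_suspicious_msbuild(SAMPLE_EVENTS))
```

In a real deployment the same check would be expressed over Sysmon Event ID 1 or EDR process-creation records, and tuned for build servers where terminal-driven MSBuild use is expected.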
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek