Have you ever come across a bogus message on your computer, and thought, "Wait... could this be real?" That thought ran through my mind when I read about the ClickFix attack. The attack is presented in a way that can seem simple, but it's really crafted to trick individuals in a short period of time.
What Is The ClickFix Attack?
This type of attack generates a fake Windows Update screen inside your browser. It is presented so accurately that most people cannot see the trick. You think Windows is updating, right? Wrong. Instead, the hacker is setting you up. The page also copies a malicious command to your clipboard, without your permission. It tells you to press Win + R, paste the command and run it. You might be asking yourself, "how does it work so well?" Because most people are inclined to believe something that presents itself like a Windows screen.
After you run the command, the attacker installs malware on your computer.
How The Fake Update Misleads You
- It expands to the whole screen: the fake update takes over 100% of your screen.
- All the elements are there: the progress bars, the loading messages and even animations.
- It looks just like the real thing.
- The website takes advantage of JavaScript to covertly copy a command to your clipboard.
- Then it provides instructions that say, "Open Run and paste the command to complete the update."
- But that command will call mshta, PowerShell, and other tools to download the malicious software.
This part is crazy.
- The bad code is hidden inside a PNG image file.
- This method is called steganography.
- The malware loads into memory and accesses your data.
- It's usually an info-stealer like LummaC2 or Rhadamanthys.
Why This Attack Could Be Serious
- The update screen looks very legitimate.
- The malware is resident in memory, so many AV tools miss it.
- Users do not normally think that an update screen will prompt them to paste a command.
- This attack generally involves a multi-stage chain, making it that much harder to detect.
How You Can Stay Safe
There are a few easy steps you and I can use to avoid this attack:
• Do not paste commands into Run or PowerShell unless you trust them 100%.
• Close the tab if your web browser pops up a sudden Windows Update screen.
• Watch for an unusual process, such as PowerShell, running when it has no reason to be.
• Disable Win + R. If you don't use it much, just turn it off.
• Look at your Run history (RunMRU) key if you think someone has been running suspicious commands.
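The last two steps can be checked from PowerShell. The following is an added example, not code from the original post: it lists the Win + R history stored in the RunMRU key and flags entries that resemble the command the lure asks you to paste; the indicator list is an assumption based on the tools the post names (mshta, PowerShell) plus common download verbs, and the NoRun policy value is the standard Explorer setting that removes the Run dialog.

```powershell
# Added example (not from the original post): list Win+R history from the
# RunMRU key and flag entries that look like a ClickFix command. The key path
# is the standard Explorer location; the indicator list below is an assumption
# based on the tools the post names (mshta, PowerShell) plus common download verbs.
$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

$suspiciousPatterns = @(
    'mshta', 'powershell', 'pwsh', 'cmd(\.exe)?\s', 'certutil',
    'DownloadString', 'Invoke-Expression', '\biex\b', 'FromBase64String',
    '-enc', 'http://', 'https://', 'curl\s', 'bitsadmin'
)

function Get-RunMruEntries {
    if (-not (Test-Path $runMruPath)) { return @() }   # no Run history yet
    $key = Get-ItemProperty -Path $runMruPath
    # MRUList stores the slot letters in most-recent-first order.
    $order = [string]$key.MRUList
    foreach ($letter in $order.ToCharArray()) {
        $slot = [string]$letter
        $raw = $key.$slot
        if ($null -eq $raw) { continue }
        # Explorer stores each entry as "<command>\1"; drop the trailing marker.
        $command = ($raw -replace '\\1$', '')
        $hits = @($suspiciousPatterns | Where-Object { $command -imatch $_ })
        [pscustomobject]@{
            Slot       = $slot
            Suspicious = ($hits.Count -gt 0)
            Matched    = ($hits -join ', ')
            Command    = $command
        }
    }
}

# Hardening step from the post's advice: remove the Run dialog (Win+R) for the
# current user via the NoRun Explorer policy. Takes effect after sign-out/sign-in.
function Disable-RunDialog {
    $policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Review the history first; call Disable-RunDialog only if you do not use Win+R.
Get-RunMruEntries | Format-Table -AutoSize -Wrap
```

A flagged entry is a reason to investigate the machine, not proof of infection; the script does not delete anything.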