FileFix attack weaponizes Windows File Explorer for stealthy commands

A security researcher has published a new attack method called FileFix, a variant of the existing ClickFix social engineering technique. Instead of asking the victim to run a command in a terminal, FileFix gets the victim to paste the attacker's command into the Windows File Explorer address bar, which launches it.

The FileFix divergence

Discovered by researcher mr.d0x, FileFix operates similarly to ClickFix, which traditionally relies on users clicking a button on a malicious website that copies a command to their clipboard. Users are then prompted to paste this command into PowerShell or another command prompt to “fix” an issue. However, FileFix introduces a more familiar interface by directing users to paste commands into the Windows File Explorer.

In a typical ClickFix scenario, clicking a website button automatically copies a malicious PowerShell command to the clipboard, followed by instructions to execute it via the Run dialog (Win+R). Mr.d0x's variation has the command pasted directly into File Explorer instead: its address bar accepts executable names and command lines, not just folder paths, so a pasted powershell.exe invocation is launched rather than browsed to.

The FileFix attack still relies on a phishing page, but rather than presenting itself as an error, it masquerades as a notification about a shared file, prompting users to paste a path into File Explorer to access it. As mr.d0x explains, “The phishing page includes an ‘Open File Explorer’ button that, when clicked, launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard.”

To maintain the illusion, attackers can obscure the malicious PowerShell command by appending a dummy file path inside a PowerShell comment (everything after a # on the line is ignored by PowerShell). The result is that only the fake path is visible in the File Explorer address bar, hiding the actual command from the user while PowerShell still executes it. A demonstration video shows the malicious string remaining concealed while File Explorer launches it.


To further refine the FileFix method, mr.d0x added measures to stop users from inadvertently selecting a file from their computer during the attack, since the lure opens a real file-selection dialog. In the proof-of-concept code for the phishing page, he included lines that intercept the file selection event and clear the input immediately. If a user attempts to upload a file anyway, an alert can be displayed instructing them to follow the directions correctly.
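For defenders, the useful artefact of the technique described above is the command line itself: a PowerShell process whose arguments end in a # comment containing a document-looking path. The following is an added detection example, not code from mr.d0x or from the original page. It scans constructed Sysmon-style process-creation events (sample data made up for this example) and flags that pattern. Two heuristics are assumptions rather than facts stated on the page: that the real command is separated from the decoy path by a long run of spaces so that only the path fits in the visible address bar, and that the parent process will be explorer.exe or a browser (the file-upload dialog is hosted by the browser process).

```python
"""Flag process-creation events that look like a FileFix-style launch:
PowerShell started with a command line that hides itself behind a fake
document path placed inside a '#' comment."""
import re
from typing import Dict, List, Optional

# PowerShell images that the File Explorer address bar will launch.
SHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Assumption: the file dialog is hosted by the browser, so these (or
# explorer.exe itself) are the expected parents of a FileFix launch.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")

# A '#' followed by a drive-letter path (C:\...) or a UNC path (\\server\...).
FAKE_PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\s\"']*")

# Assumption: long space padding pushes the real command out of the
# visible part of the address bar so that only the decoy path is shown.
PADDING_RUN = re.compile(r" {20,}")

# Constructed sample events in Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # FileFix-style launch: decoy path hidden in a PowerShell comment
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "Powershell.exe -c ping localhost" + " " * 120
                       + r"# C:\company\internal-secure\filedrive\HRPolicy.docx",
    },
    {   # Benign: an administrator running a script from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # Benign: not a shell at all, even though the arguments contain '#'
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt # draft",
    },
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a FileFix-looking event, or None if it is clean."""
    child = image_name(event.get("Image", ""))
    if child not in SHELL_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    match = FAKE_PATH_COMMENT.search(cmd)
    if not match:
        return None

    hidden = cmd[: match.start()]
    reasons = ["PowerShell launched with a file path inside a '#' comment"]
    if PADDING_RUN.search(hidden):
        reasons.append("long whitespace run before the comment (address-bar padding)")
    parent = image_name(event.get("ParentImage", ""))
    if parent in BROWSERS or parent == "explorer.exe":
        reasons.append(f"parent {parent} is File Explorer or a browser-hosted file dialog")

    return {
        "image": child,
        "parent": parent,
        "hidden_command": hidden.strip(),          # what actually runs
        "decoy_path": match.group(0)[1:].strip(),  # what the victim saw
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze_event over a batch of events and collect the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The '#' comment check is the primary signal; the padding and parent-process checks are added as corroborating reasons rather than hard requirements, so a variant that drops the padding or is launched from a different dialog host is still reported, just with fewer reasons attached.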

ClickFix campaigns

The ClickFix attack method has proven remarkably effective for deploying malware, with its use extending to ransomware attacks and even state-sponsored operations. Notably, the North Korean hacker group Kimsuky incorporated ClickFix elements into their campaigns, directing targets to a fake device registration link that instructed them to run PowerShell as an administrator and execute provided code.

In another instance, Microsoft observed cybercriminals impersonating Booking.com to deliver infostealers and remote access trojans to hospitality workers through a ClickFix attack. The method has also been adapted for Linux systems: visiting the malicious site copies a shell command to the clipboard, and the victim is guided to execute it via the desktop's run dialog.

FileFix, while a variation of ClickFix, demonstrates how phishing attacks can evolve by utilizing a more user-friendly environment for command execution. Mr.d0x expressed his belief that the simplicity and familiarity of the FileFix method will soon attract the attention of threat actors, as they are always on the lookout for new and effective attack strategies.

Winsage