Cybersecurity experts have identified a new malicious campaign called JackFix, which targets users with deceptive advertisements that lead to fake adult sites. These sites display a fake Windows Update page that tricks users into executing a ClickFix command.
Campaign Mechanics and Strategies
The JackFix campaign uses mshta.exe to run JavaScript that instructs users to open the Windows Run dialog. The ClickFix command pasted there downloads a PowerShell script that is obfuscated, padded with anti-analysis junk code, and attempts privilege escalation with -Verb RunAs.
The script also adds exclusions for itself in Microsoft Defender so that it is not flagged as a threat. Multiple harmful payloads have been linked to this campaign, including the Rhadamanthys Stealer, Vidar Stealer 2.0, and RedLine Stealer, among others.
Detection and Mitigation Measures
Reports by Huntress describe a multi-stage attack chain in which a Stego Loader hides encrypted shellcode inside PNG images; this stage goes on to deploy further malware such as Lumma and Rhadamanthys.
- Domains involved include securitysettings[.]live, linked to IP 141.98.80[.]175.
- Russian developer comments have been found in site iterations.
- The fake update page also tries to stop users from leaving it by disabling keys such as Escape and F11.
Organizations are advised to train their employees to recognize such lures and to block malvertising. A further preventive measure is disabling the Windows Run box through Registry changes.
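The two host-side traces described above (a ClickFix command pasted into the Run dialog, and Defender exclusions added by the downloaded script) can be audited with the PowerShell below, which can also apply the Run-box lockdown the article recommends. This is an added example, not code from the article or from Huntress; the keyword list is constructed from the article's description rather than from published indicators, and the script assumes it is run as the affected user (for RunMRU) and elevated (for Defender preferences).

```powershell
<#
  Added example (not from the article): audit a Windows host for traces of a
  ClickFix-style chain and, optionally, disable the Run dialog via policy.
  Assumptions: run as the interactive user for RunMRU; elevated for
  Get-MpPreference. The token list below is constructed from the article.
#>
param(
    [switch]$DisableRunBox   # also apply the NoRun policy after auditing
)

# Tokens that, in a Run-dialog history entry, match the chain the article describes.
$SuspiciousTokens = @('mshta', 'powershell', '-verb runas', '-enc', 'iex',
                      'invoke-expression', 'add-mppreference')

function Get-RunHistoryFindings {
    # Explorer stores Run-dialog history under RunMRU; each value is '<command>\1'.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props    = Get-ItemProperty -Path $key
    $findings = @()
    foreach ($p in $props.PSObject.Properties) {
        # Skip the MRU ordering value and the provider's own metadata properties.
        if ($p.Name -in 'MRUList','PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $cmd  = ([string]$p.Value) -replace '\\1$', ''
        $hits = $SuspiciousTokens | Where-Object { $cmd -match [regex]::Escape($_) }   # -match is case-insensitive
        if ($hits) {
            $findings += [pscustomobject]@{
                Source = 'RunMRU'; Value = $p.Name; Detail = $cmd; Matched = ($hits -join ',')
            }
        }
    }
    return $findings
}

function Get-DefenderExclusionFindings {
    # A script that excludes its own drop location from scanning leaves an
    # exclusion pointing into a user-writable directory; flag those for review.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return @() }
    $userWritable = '^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|%temp%|%appdata%|%public%)'
    $findings = @()
    foreach ($path in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        if ($path -match $userWritable) {
            $findings += [pscustomobject]@{
                Source = 'DefenderExclusion'; Value = $path; Detail = ''; Matched = 'user-writable path'
            }
        }
    }
    return $findings
}

function Set-RunBoxDisabled {
    # Registry equivalent of the "Remove Run menu from Start Menu" user policy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoRun' -Value 1 -PropertyType DWord -Force | Out-Null
    # Explorer reads this policy at sign-in, so the user must sign out and back in.
}

$results = @(Get-RunHistoryFindings) + @(Get-DefenderExclusionFindings)
if ($results.Count -eq 0) {
    Write-Output 'No RunMRU or Defender-exclusion indicators found.'
} else {
    $results | Format-Table -AutoSize
}
if ($DisableRunBox) {
    Set-RunBoxDisabled
    Write-Output 'NoRun policy set for the current user; takes effect at next sign-in.'
}
```

Run without switches to audit only; add -DisableRunBox to apply the policy for the current user. For a machine-wide setting, the same NoRun value can be placed under HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer or deployed through Group Policy, which is usually preferable to per-host Registry edits.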