FileFix is a new variant of the social engineering attack known as ClickFix, designed to run malicious commands from the address bar of File Explorer in Windows. Discovered by the researcher mr.d0x, this method does not require technically complex exploits; it relies on deceiving the user into performing seemingly innocuous actions. It takes advantage of the fact that File Explorer can run system commands when they are entered in its address bar.

Input vectors
The attack begins with a phishing page that imitates a legitimate file-sharing notification. The user is invited to “open File Explorer” using a button that triggers the browser's file-upload function. This action copies a PowerShell command to the clipboard, and the page instructs the user to paste it into the File Explorer address bar. The trick: the malicious command is concealed with a comment containing a fake path that looks legitimate, so the user does not notice it.
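As a defensive illustration of the paragraph above (an added example, not from the original article or from mr.d0x), the following Python heuristic triages process-creation events and flags a script interpreter whose command line ends in a path-like comment. The event field names, process lists, threshold and sample events are constructed assumptions, as is the premise that the interpreter appears as a child of the browser that opened the upload dialog.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: illustrative, non-exhaustive process lists.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Trailing comment whose text looks like a Windows path (drive letter or UNC).
DECOY_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^#]*$")
PADDING = re.compile(r"\s{8,}#")  # whitespace run pushing the command out of view


def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    if image not in INTERPRETERS:
        return 0, []
    reasons = []
    if parent in BROWSERS:
        reasons.append("interpreter spawned by browser")
    if DECOY_COMMENT.search(event["command_line"]):
        reasons.append("trailing comment looks like a file path")
        if PADDING.search(event["command_line"]):
            reasons.append("whitespace padding before comment")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return events whose score meets the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample events with a placeholder command (not from a real campaign).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": CHROME, "image": PWSH,
     "command_line": "powershell.exe -c Write-Output placeholder" + " " * 40
                     + r"# C:\Shared\Finance\Q3-report.docx"},
    {"pid": 102, "parent_image": r"C:\Windows\explorer.exe", "image": PWSH,
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1  # nightly job"},
    {"pid": 103, "parent_image": CHROME, "image": CHROME,
     "command_line": "chrome.exe --type=renderer"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns only the event with pid 101; the ordinary comment in the second event and the browser's own child process are not flagged.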
Details about campaigns
FileFix has not yet been observed in real campaigns, but its predecessor, ClickFix, has already been used by criminal groups and APTs. For example, the North Korean group Kimsuky integrated it into a campaign that led the user to run PowerShell commands in order to register a device. Another notable case: criminals impersonated Booking.com to infect hospitality-industry employees with infostealers and RATs.
Malware and actors involved in the use of ClickFix
Although FileFix has not yet been clearly attributed, ClickFix has been exploited in attacks involving ransomware, infostealers and RATs, and has been observed in campaigns by Kimsuky, a well-known North Korean state actor. This track record shows that state and criminal threat actors pay close attention to new techniques such as this one.
Historical context of ClickFix
ClickFix became popular through its simulation of fake CAPTCHAs or technical errors that asked the user to run commands to "fix the problem". FileFix evolves this technique by using an environment more familiar to the user, File Explorer, which raises its potential success rate.
Recommendations from Amber Solutions
Attacks of this type are directly linked to social engineering, which makes them difficult to detect with conventional technical solutions. At Amber Solutions, our Pen Testing and Phishing Simulation services are key to evaluating your organization's degree of exposure to these methods. In addition, our Threat Intelligence team can help you detect related active campaigns and generate proactive alerts.
Remember: attacks such as FileFix and ClickFix take advantage of the user's trust in familiar interfaces, which is why awareness, simulation, and continuous monitoring are essential. FileFix requires no vulnerabilities, only carelessness. This is where Amber Solutions can help you get ahead before it's too late.
FileFix is the evolution of ClickFix, and everything indicates that we will soon see real campaigns taking advantage of this technique.