Carder.life, Carding News: New FileFix attack weaponizes Windows File Explorer for stealthy commands (http://txgate.io:443/showthread.php?t=51301715)

Artifact 07-16-2025 08:58 AM

<div id="post_message_799341">

A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows.<br/>
<br/>
FileFix, a variation of the social-engineering attack called ClickFix, allows threat actors to execute commands on the victim system through the File Explorer address bar in Windows.<br/>
<br/>
Cybersecurity researcher <a href="https://twitter.com/mrd0x" target="_blank">mr.d0x</a> discovered the new method and demonstrated that it could be used in attacks targeting company employees using simple social engineering techniques.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/tag/clickfix/" target="_blank">ClickFix </a>attacks are browser-based and rely on tricking users into clicking on a button on a website that copies a command to Windows clipboard. Users are then instructed to paste the command into PowerShell or another command prompt to fix an issue.<br/>
<br/>
These types of attacks commonly masquerade as captchas or errors that prevent the user from using a site without first "fixing" the issue.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/security/attacks/i/iclicker/example-captcha-clickfix.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Example of a fake CAPTCHA in a ClickFix attack. Source: <a href="https://x.com/silentpush/status/1902557832014393767" target="_blank">SilentPush</a>
</td>
</tr>
</table>
</div><b><font size="4"><font color="White">The FileFix divergence</font></font></b><br/>
<br/>
In a ClickFix attack, when users click a website button, a malicious PowerShell command is automatically copied into the Windows clipboard followed by instructions to paste it into the command prompt through the Run Dialog (Win+R).<br/>
<br/>
mr.d0x found a way to achieve the same goal but by having the target paste the command in the more familiar user interface of Windows File Explorer.<br/>
<br/>
Since File Explorer can execute operating system commands, the researcher combined the functionality with the browser’s file upload feature and came up with a highly plausible scenario.<br/>
<br/>
FileFix attacks also rely on a phishing page, but the ruse is no longer presented as an error or issue. Instead, it may appear as a notification indicating that a file has been shared with the user and includes a request to paste the path into File Explorer to locate it.<br/>
<br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">
<font size="3">“The phishing page includes an “Open File Explorer” button that, when clicked, launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard” - <a href="https://mrd0x.com/filefix-clickfix-alternative/" target="_blank">mr.d0x</a></font>
</td>
</tr>
</table>
</div>However, to keep the deceit intact, an attacker can hide the malicious PowerShell command by concatenating a dummy file path within a PowerShell comment.<br/>
<br/>
This causes only the fake path to be initially seen in the File Explorer address bar, hiding the malicious PowerShell command that precedes it.<br/>
<br/>
A video demonstrating the new ClickFix variation shows that by placing the dummy file path as a comment after the PowerShell command, the malicious string is no longer visible to the user, and File Explorer executes it.<br/>
<br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">
<font size="3">https://vimeo.com/1095924933</font>
</td>
</tr>
</table>
</div>Since the attack requires a file upload button, the researcher carefully considered the FileFix method so that it avoids users accidentally selecting a file from the computer.<br/>
<br/>
In the proof-of-concept code for the phishing page, mr.d0x added a few lines that block file upload action “by intercepting the file selection event and immediately clearing the input.”<br/>
<br/>
If this happens, an attacker could display an alert informing users that they failed to follow the instructions and try again.<br/>
<br/>
<b><font size="4"><font color="white">ClickFix campaigns</font></font></b><br/>
<br/>
ClickFix attacks have proven to be such an efficient method of deploying malware on user systems that they have been used in <a href="https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/" target="_blank">ransomware attacks</a> and even by <a href="https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/" target="_blank">state-sponsored groups</a>.<br/>
<br/>
North Korean state hacker group ‘Kimsuky’ included ClickFix elements in one of their campaigns where they used a PDF file to direct targets to a fake device registration link showing instructions to run PowerShell as administrator and paste code provided by the attacker.<br/>
<br/>
In a ClickFix campaign observed by Microsoft, cybercriminals <a href="https://www.bleepingcomputer.com/news/security/clickfix-attack-delivers-infostealers-rats-in-fake-bookingcom-emails/" target="_blank">impersonated Booking.com</a> to deliver infostealers and remote access trojans to hospitality workers.<br/>
<br/>
The attack method has also been <a href="https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/" target="_blank">adapted to Linux</a>, where a shell command is automatically copied to the clipboard after visiting a malicious website. The potential victim is then guided to open a Run dialog and execute the command.<br/>
<br/>
FileFix, although a variation, shows that such phishing attacks can be improved by switching command execution to an environment that is friendlier and more familiar to users.<br/>
<br/>
mr.d0x told BleepingComputer that he believes his FileFix attack will soon be adopted by threat actors due to its simplicity and use of a well-known Windows utility.<br/>
<br/>
In the past, cybercriminals quickly started using the researcher's <a href="https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attacks-target-cs2-players-steam-accounts/" target="_blank">browser-in-the-browser phishing technique</a>, showing that bad actors are constantly interested in learning about new attack methods.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-windows-file-explorer-for-stealthy-powershell-commands/" target="_blank">@ BleepingComputer </a>
</div>
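As an added defensive example that is not part of the post or of mr.d0x's research: a small Python rule over constructed process-creation events that flags a PowerShell child of Explorer (or, as an assumption of this example, of a browser whose file-upload picker hosts the address bar) whose command line ends in a "#" comment shaped like a file path, which is the hiding trick the article describes. The field names follow Sysmon Event ID 1; the sample events, the launcher list and the placeholder commands are all constructed for the example.

```python
import re

# Constructed process-creation events (made up for this example, not real telemetry),
# using the Sysmon Event ID 1 field names for child, parent and command line.
SAMPLE_EVENTS = [
    # matches the pattern described in the post; the command itself is a harmless placeholder
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Write-Host demo" # C:\company\shared\Q3-report.pdf'},
    # PowerShell launched from Explorer for an ordinary script: no trailing path comment
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\cleanup.ps1"},
    # browser file picker as parent (assumed launcher, see LAUNCHERS) with a UNC dummy path
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh.exe -c "Write-Host demo" # \\fileserver\hr\benefits.pdf'},
]

# Parents treated as user-facing launchers. Explorer is the one the post names; the
# browsers are an assumption of this example (the upload picker belongs to the browser).
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# A '#' comment whose body looks like a drive-letter or UNC path and runs to the end
# of the command line: the dummy path the post says is used to hide the real command.
TRAILING_PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\r\n]+$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators(event):
    """Return the FileFix-style indicators present in one event (may be empty)."""
    if basename(event.get("Image", "")) not in SHELLS:
        return []
    found = []
    parent = basename(event.get("ParentImage", ""))
    if parent in LAUNCHERS:
        found.append("shell spawned by " + parent)
    if TRAILING_PATH_COMMENT.search(event.get("CommandLine", "")):
        found.append("command line ends in a '#' comment shaped like a file path")
    return found


def is_filefix_like(event):
    """Alert only when both indicators co-occur; a shell under Explorer alone is common."""
    return len(indicators(event)) == 2


def scan(events):
    return [i for i, ev in enumerate(events) if is_filefix_like(ev)]
```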

