90 Days of Intrusion: How Threat Actors Weaponized ClickFix


Proofpoint researchers observed a new trend: state-sponsored threat actors from North Korea, Iran, and Russia adopting a social engineering technique called “ClickFix” that was originally used by cybercriminals. ClickFix relies on fake dialog boxes that instruct the user to copy, paste and run a malicious PowerShell command themselves, so no exploit or macro is needed. Across a three-month period (late 2024 – early 2025), at least four distinct state-sponsored groups were documented integrating ClickFix into their attack chains, suggesting an evolving threat landscape in which espionage actors borrow tactics from cybercrime.

Severity Level: High

VULNERABILITY OVERVIEW:

    1. Threat Actors Involved
      • Groups affiliated with North Korea (TA427, also tracked as Kimsuky), Iran (TA450, also tracked as MuddyWater) and Russia (UNK_RemoteRogue and TA422, also tracked as APT28).
    2. Initial Access (Phishing Emails):
      • Sent using spoofed senders (e.g., fake diplomats, Microsoft support).
      • Lures included meeting requests, urgent security updates, or collaborative document links.
      • Delivered either a benign-looking PDF or a malicious link.
    3. Delivery (Link or Attachment led to):
      • A compromised site or attacker-controlled portal posing as a secure drive or Microsoft service.
      • Example: a fake “secure drive” landing page at securedrive.fin-tech[.]com; other lures spoofed Microsoft Office sign-in pages.
    4. Exploitation (ClickFix Social Engineering):
      • Fake pop-up windows instruct victims to:
        • Open a PowerShell terminal manually.
        • Copy and paste a provided command string.
        • Execute it to “fix” an alleged problem.
    5. Execution (PowerShell Command Actions):
      • Downloaded additional malicious scripts or payloads.
      • Created scheduled tasks to maintain persistence.
      • Example: a temp.vbs script registered to run every 19 minutes, followed by second-stage payloads such as QuasarRAT or the Level RMM tool.
    6. Persistence and C2 Communication:
      • Scheduled Tasks and Payload Execution:
        • Created recurring jobs to reinitiate infection if interrupted.
      • Command and Control (C2):
        • Communication with attacker infrastructure over HTTP/S, in at least one case using the Empire post-exploitation framework for C2.
        • Example C2 IP: 38.180.157[.]197
    7. Data Exfiltration or Further Malware Deployment
      • In some cases, attackers used:
        • Remote access via RMM tools.
        • Stealthy collection of clipboard data and web authentication attempts (UNK_RemoteRogue).
    8. Target Sectors:
      • Finance, Government, Health, Education, Professional Services, Utilities, Energy, Real Estate, Software, Technology, Telecommunications.
    9. Affected Regions:
      • The Middle East, the U.S.
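
    The execution and persistence stages above (a pasted one-liner that downloads a second stage, runs it and registers a scheduled task) leave a record in PowerShell Script Block Logging. The following hunt script is an added example written for this advisory; it is not code from the Proofpoint report or from any of the actors' tooling. It assumes Script Block Logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and that it is run from an elevated session; the regular expressions are our own assumptions about how such one-liners are typically built, not indicators taken from the report.

```powershell
# Added example for this advisory, not code from the Proofpoint report.
# Hunts PowerShell Script Block Logging (Event ID 4104) for the ClickFix
# execution chain: a pasted command that downloads a second stage, executes it
# and/or registers a scheduled task. Run from an elevated PowerShell session.
# Assumptions: Script Block Logging is enabled; the regexes below are typical
# one-liner building blocks chosen for illustration, not report indicators.

param(
    [int]$Hours = 24
)

# Building blocks a pasted ClickFix one-liner tends to combine.
$downloadPattern = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient|\bcurl\b|Start-BitsTransfer'
$executePattern  = 'Invoke-Expression|\biex\b|Start-Process|wscript|cscript|mshta|rundll32'
$persistPattern  = 'Register-ScheduledTask|schtasks|New-ScheduledTaskTrigger|CurrentVersion\\Run\b'
$evasionPattern  = '-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?p?\s+bypass|\s-nop\b|-enc(odedcommand)?\b|FromBase64String'

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$Hours)
}

$findings = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # 4104 property layout: [0] MessageNumber, [1] MessageTotal,
    # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
    $text = [string]$_.Properties[2].Value
    if (-not $text) { return }

    # This hunt script is itself logged and contains every keyword below; skip
    # its own blocks when it runs from a file. Interactive blocks have an empty
    # Path, which is exactly what a pasted ClickFix command looks like, so they
    # are deliberately kept.
    if ($PSCommandPath -and $_.Properties[4].Value -eq $PSCommandPath) { return }

    $hits = @()
    if ($text -match $downloadPattern) { $hits += 'download' }
    if ($text -match $executePattern)  { $hits += 'execute' }
    if ($text -match $persistPattern)  { $hits += 'persistence' }
    if ($text -match $evasionPattern)  { $hits += 'evasion' }

    # A lone download or a lone iex is routine in admin scripts. The ClickFix
    # chain is worth a look when download and execute appear in the same block,
    # or when anything is paired with a scheduled-task / Run-key registration.
    if (($hits -contains 'download' -and $hits -contains 'execute') -or $hits -contains 'persistence') {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            UserSid       = $_.UserId
            Indicators    = $hits -join ','
            ScriptBlockId = $_.Properties[3].Value
            Snippet       = $flat.Substring(0, [Math]::Min(200, $flat.Length))
        }
    }
}

$findings | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

    Save it as a .ps1 and run it elevated, for example with -Hours 72 after a suspected phishing wave. A hit carrying both the download and persistence indicators from a non-administrative user's SID is the shape of the chain described above and should be triaged against the scheduled tasks on that host. ClickFix variants that have the victim paste into the Win+R Run dialog instead of a terminal still start powershell.exe and therefore still produce 4104 events.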

    Recommendations:

    1. Implement continuous monitoring for anomalous activities across trusted SaaS platforms (e.g., unusual login attempts, access from unknown geographies).
    2. Deploy advanced email security solutions capable of deep link inspection, including links that pass through legitimate but abused services before landing on a ClickFix page (ClickFix is a technique, not a domain; the landing pages sit on compromised or look-alike sites).
    3. Conduct targeted phishing awareness training focusing on abuse of legitimate services, educating employees that even familiar platforms can be exploited.
    4. Disable or heavily restrict interactive PowerShell for non-administrative users, and enable PowerShell Script Block Logging so that any command a user pastes is recorded.
    5. Implement PowerShell Constrained Language Mode.
    6. Use Windows Defender Application Control (WDAC) or AppLocker to block unauthorized scripts and binaries.
    7. Monitor creation of unexpected Scheduled Tasks (e.g., tasks that run VBS scripts every few minutes).
    8. Look for unauthorized installations of RMM tools such as Level, Atera, ScreenConnect.
    9. Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/d48e52585e299f64854a21aae01de64d85eef578dd7a765ab1ba55357a228a7c/iocs
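
    Recommendations 7 and 8 can be checked on a host with the following PowerShell hunt. It is an added example written for this advisory, not code from the Proofpoint report. The 30-minute interval threshold (chosen to catch a 19-minute repeat like the temp.vbs task), the user-writable path list, and the RMM product names beyond the three the advisory names (Level, Atera, ScreenConnect) are assumptions to tune for your environment.

```powershell
# Added example for this advisory, not code from the Proofpoint report.
# Host-side hunt for the two persistence artefacts described above: scheduled
# tasks that re-run a script every few minutes (the report's temp.vbs ran every
# 19 minutes) and RMM agents that nobody deployed on purpose. Run elevated.
# Assumptions: the interval threshold, the user-writable path list and the RMM
# names beyond Level/Atera/ScreenConnect are illustrative and need local tuning.

param(
    [int]$MaxIntervalMinutes = 30,
    [string[]]$RmmNames = @('Level', 'Atera', 'ScreenConnect', 'ConnectWise',
                            'AnyDesk', 'TeamViewer', 'Splashtop', 'NinjaOne')
)

# Interpreters a pasted command typically schedules, plus script extensions.
$scriptHosts  = 'wscript|cscript|powershell|pwsh|mshta|cmd\.exe|rundll32|regsvr32|\.(vbs|js|hta|ps1|bat|cmd)\b'
# Paths a standard user can write to; legitimate software rarely schedules from here.
$userWritable = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\|\\Public\\'

function Get-IntervalMinutes {
    # Task repetition intervals are ISO 8601 durations, e.g. PT19M or PT1H.
    param([string]$Iso)
    if (-not $Iso) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Iso).TotalMinutes } catch { return $null }
}

Write-Host '== Scheduled tasks: short repetition interval or user-writable payload ==' -ForegroundColor Cyan
Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Shortest repetition interval across all triggers, if any trigger repeats.
    $minInterval = $null
    foreach ($trigger in $task.Triggers) {
        $m = Get-IntervalMinutes $trigger.Repetition.Interval
        if ($null -ne $m -and ($null -eq $minInterval -or $m -lt $minInterval)) { $minInterval = $m }
    }
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        $shortRepeat = ($null -ne $minInterval) -and ($minInterval -le $MaxIntervalMinutes)
        if ($cmdline -match $scriptHosts -and ($shortRepeat -or $cmdline -match $userWritable)) {
            [pscustomobject]@{
                Task            = "$($task.TaskPath)$($task.TaskName)"
                State           = $task.State
                IntervalMinutes = $minInterval
                Author          = $task.Author
                Command         = $cmdline.Trim()
            }
        }
    }
} | Format-Table -AutoSize -Wrap

Write-Host '== RMM agents: services, processes, installed programs ==' -ForegroundColor Cyan
$rmmPattern = ($RmmNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $rmmPattern -or $_.DisplayName -match $rmmPattern -or $_.PathName -match $rmmPattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

Get-Process |
    Where-Object { $_.ProcessName -match $rmmPattern -or $_.Path -match $rmmPattern } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize -Wrap

$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $rmmPattern -or $_.Publisher -match $rmmPattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation | Format-Table -AutoSize -Wrap
```

    Expect some benign hits to triage: updaters that run from a user's AppData directory, and short product names such as Level matching unrelated software. The combination worth escalating is a task authored by a standard user, repeating every few minutes, whose action runs wscript or powershell against a file under the user's profile, alongside an RMM agent the help desk did not install.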

    Source:

    • https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix



    Ampcus Cyber