A new expedition to employ clickfix attacks, using instructions, has been seen targeting both Windows and Linux system that make infections possible on the operating system.
Clickfix is a social engineering strategy where fake verification systems or application errors are used to run website visitors in console commands that install malware.
These attacks have traditionally targeted the Windows System, which induces goals to execute the powerrashel script from the Windows Run Command, resulting in information-star malware infection and even ransomware.
However, the 2024 campaign also targeted MACOS users using Bogus Google Meat Errors.
Clickfix Linux users target
Viewed by another recent campaign Hunt.IO Researcher Last week is one of the first people to customize this social engineering technology for the Linux system.
The attack, which is attributed to Pakistan -related threats APT36 (aka “transparent tribe”), uses a website that allegedly implements India’s Ministry of Defense with a link to the official press release.
Source: Hunt.io
When visitors click on this website link, they are profiled by platform to determine their operating system, and then redirected into the flow of the correct attack.
On Windows, the victims are served a full-screen page, which warns them of limited material use rights. Clicking on ‘release’ leads to JavaScript trigger that copies a malicious MSHTA command on the victim’s clipboard, which is instructed to paste and execute it on the Windows Terminal.
It launches an .NET-based loader that connects to the attacker’s address, while users see everything valid and a decoy PDF file as expected.
On Linux, the victims mimic a shell command on their clipboard when clicking on a captcha page that is redirected on a captcha page.
The victim is then directed to press the Alt+F2 to open a Linux Run Dialog, paste the command in it, and then press enter To execute it.
Source: Hunt.io
The command leaves the ‘Mapeal.sh’ payload on the system of the target, which according to the Hunt.IO, does not perform any malicious action in its current version, limited to bringing JPEG image from the attacker’s server.
Source: Bleepingcomputer
“The script directs a jPEG image from the same Trade4Wealth (.) In the directory and opens it in the background,” Hunt.IO describes it.
“Any additional activity, such as perseverance mechanisms, lateral movement or outbound communication, was seen during execution.”
However, it is possible that APT36 is currently experimenting to determine the effectiveness of the Linux transition chain, as they will simply need to swap the image for a shell script to install malware or do other malicious activity.
Clickfix adaptation to carry out attacks on Linux is another will for its effectiveness, as the type of attack is now used against all three major desktop OS platforms.
As a general policy, users should not copy and paste any command in the run dialogue, without knowing what the command does. Doing this only increases the risk of malware infection and theft of sensitive data.
Based on the analysis of 14M malicious tasks, search for the top 10 MITERAT & CK techniques behind the 93% attacks and how to defend them against them.
