
A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim’s system and bypass security software.
The new phishing and social engineering attack impersonates a “Fortinet VPN Compliance Checker” and was first spotted by cybersecurity researcher P4nd3m1cb0y, who shared information about it on X.
In a new report from cybersecurity firm Expel, researcher Marcus Hutchins has shared more details about how the attack works.
For those who are not familiar with FileFix attacks, it is a variant of the ClickFix social engineering attack, developed by Mr.d0x, that uses the Windows File Explorer address bar, rather than an operating system dialog such as the Run box, to trick users into executing hidden PowerShell commands.
FileFix attack evolves with cache smuggling
In the new phishing attack, a website displays a dialog that poses as the Fortinet VPN “Compliance Checker,” instructing users to paste what looks like a valid network path to the Fortinet program on a network share.

Source: Expel
While the lure path appears as “\Public\Support\VPN\ForticlientCompliance.exe”, the text actually copied to the clipboard is much longer: it contains 139 spaces that push the malicious PowerShell command out of view.
Because of this padding, when a visitor follows the instructions to open File Explorer and paste the copied text into the address bar, only the path is displayed, as seen below.

Source: Expel
However, when a person presses Enter on the keyboard, Windows runs the following hidden PowerShell command through conhost.exe in headless mode, so it is not visible to the user.

Source: Expel
The PowerShell command first creates the %LOCALAPPDATA%\FortiClient\compliance folder, then copies Chrome’s cache files from %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\ to that folder.
The script then scans each cache file with a regular expression to find the content between the strings “bTgQcBpv” and “mX6o0lBw”. That content is actually a ZIP archive embedded in a fake image file; the script writes it out as ComplianceChecker.zip and unzips it.
The script then launches the FortiClientComplianceChecker.exe executable from the extracted archive to run the malicious code.
You might be wondering how the malicious file was stored in Chrome’s cache files in the first place, and this is where a cache smuggling attack comes into play.
When a visitor accessed a phishing page containing the FileFix lure, the website executed JavaScript that instructed the browser to retrieve an image file.
As the HTTP response states that the image received is of type “image/jpeg”, the browser automatically caches it on the file system, treating it as a valid image file, even though it is not.
Because this happened before the PowerShell command was executed through File Explorer, the file was already present in the cache and the ZIP archive could be extracted from it without any further download.
“This technique, known as cache smuggling, enables malware to bypass many different types of security products,” Hutchins explains.
“Neither the webpage nor the PowerShell script explicitly downloads any files. By simply allowing the browser to cache the fake ‘image’, the malware is able to get an entire zip file onto the local system without any web requests or PowerShell commands.”
“As a result, any tool scanning downloaded files or looking for PowerShell scripts executing web requests will not detect this behavior.”
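As an added, defender-side illustration (not code from the article, from Expel or from the attacker’s script): a Python scanner that walks a browser cache directory and flags any entry carrying a parseable ZIP archive, reporting whether the archive sits between the delimiter strings quoted above. The cache layout and the two sample entries are constructed for the demo; real Chrome cache entries wrap the cached body in their own header format, so a production version would parse that first.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Delimiters the article says the script searches for around the hidden archive.
MARKER_START, MARKER_END = b"bTgQcBpv", b"mX6o0lBw"
ZIP_MAGIC = b"PK\x03\x04"  # signature of a ZIP local file header


def find_embedded_zip(data: bytes):
    """Return (offset, member names) if a parseable ZIP sits inside data, else None."""
    offset = data.find(ZIP_MAGIC)
    if offset < 0:
        return None
    try:
        # zipfile tolerates bytes after the end-of-central-directory record,
        # so the closing marker appended after the archive does not break parsing.
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return offset, zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_cache_dir(cache_dir) -> list:
    """List every cache entry carrying a ZIP, noting whether it sits between the markers."""
    findings = []
    for path in sorted(p for p in Path(cache_dir).rglob("*") if p.is_file()):
        data = path.read_bytes()
        hit = find_embedded_zip(data)
        if hit is None:
            continue
        offset, members = hit
        wrapped = MARKER_START in data[:offset] and MARKER_END in data[offset:]
        findings.append({"file": path.name, "zip_offset": offset,
                         "members": members, "marker_wrapped": wrapped})
    return findings


def build_sample_cache(cache_dir) -> None:
    """Constructed sample: a benign 'image' and one that smuggles a ZIP between the markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"constructed placeholder, not a binary")
    jpeg_like = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # JPEG SOI marker plus filler
    (Path(cache_dir) / "f_000001").write_bytes(jpeg_like + MARKER_START + buf.getvalue() + MARKER_END)
    (Path(cache_dir) / "f_000002").write_bytes(jpeg_like + b"\xff\xd9")


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:  # builds the constructed cache and scans it
        build_sample_cache(tmp)
        return scan_cache_dir(tmp)
```

Point scan_cache_dir at a copy of a real cache directory rather than the live one, since the browser rewrites entries while running.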
The FileFix technique saw rapid adoption by threat actors soon after it was disclosed, with ransomware gangs and other groups using it in their campaigns.
ClickFix expands generator ecosystem
In addition to the new cache-smuggling FileFix variant, researchers at Palo Alto Networks Unit 42 discovered a new ClickFix kit called “IUAM ClickFix Generator”, which automates the creation of ClickFix-style lures.
ClickFix Generator’s interface allows attackers to design fake verification pages, customize page titles and text, select color schemes, and configure clipboard payloads.

Source: Unit 42
The kit also supports OS detection, generating PowerShell commands for Windows or Base64-encoded shell commands for macOS, while sometimes also providing harmless decoys for other operating systems.
All lures appear to include some type of fake Cloudflare CAPTCHA, and the researchers found several websites using the generated lures.
These websites claim to be affiliated with Cloudflare, Speedtest, Microsoft Teams, Cloud, TradingView, Microsoft, and Microsoft 365, among others.

Source: BleepingComputer
While each lure is customized to the attacker’s campaign, the behavior remains the same, displaying a fake Cloudflare CAPTCHA that prompts users to run a hidden command in a command prompt, Run dialog, or terminal.
In the campaign observed by Unit 42, the social engineering lures were used to infect devices with the DeerStealer (Windows) and Odyssey (macOS) infostealers, as well as another unknown payload for Windows.
As these types of social engineering attacks have become increasingly popular among threat actors, it is essential to teach employees never to copy text from a website and run it in an operating system dialog box or terminal.