In the other campaign, Clickfix was observed posing as a Google Meet conference page. This fake page displays an error message claiming there is a technical issue and offers a fix. If a user clicks the “Fix It” button, they are led to a second pop-up with the option to “Try Fix” or “Try Again.” If a user selects “Try Fix,” a command will be copied to the user’s clipboard, which the user is instructed to paste into the Windows command line. If the script is executed, the following actions occur:
- The parent process (mshta.exe) is terminated.
- The executables for Stealc and Rhadamanthys malware are downloaded. After a two-second delay, the command and control (C2) server is notified if the executables have successfully run.
- The victim’s public IP address is retrieved and sent to the C2 server along with the execution status.
- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually.
- Facilitate user awareness training to include these types of phishing-based techniques.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- Phishing and other malicious cyber activity can be reported to the FBI's IC3 and the NJCCIC.
