Recommended reading

New ClickFix campaign spotted hitting both Windows and Linux machines

News
By published

ClickFix is evolving once again

Security
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • Researchers from Hunt.io saw a Linux-based ClickFix attack
  • At the moment, it is still harmless
  • The researchers believe a Pakistani threat actor is behind the attacks

ClickFix, a type of attack that tricks people into running console commands to download malware, thinking they’re fixing a problem, is evolving once again.

This time, cybersecurity researchers from Hunt.io said they spotted the attack targeting Linux devices, as well.

Originally, ClickFix was designed for Windows devices but has, at some point, expanded into macOS, as well. Linux was, for the most part, spared. Until now.

TechRadar Pro readers can get 60% off Premium Plans at RoboForm now!

TechRadar Pro readers can get 60% off Premium Plans at RoboForm now!

New users can take advantage of RoboForm’s exclusive deal and get 60% off the Premium Plan. With this deal, you can get unlimited password storage, one-click login & autofill, password sharing, two-factor authentication for added protection, cloud backup, and emergency access for trusted contacts. To claim this deal, visit this link and sign up for the Premium Plan to lock in this huge discount.

Preferred partner (What does this mean?)

View Deal

ClickFix strikes Linux

ClickFix works in a simple way - a website is compromised and used to show a popup. That popup usually tells the visitor that they need to “update” their browser to view the content, or pass a CAPTCHA test to confirm that they’re human.

That “update” or “verification” process requires the user to copy a command to the clipboard, bring up the Run program (on Windows), paste and run it. It may sound like a stretch, but it’s relatively successful, since many cybersecurity companies have been warning about new ClickFix campaigns emerging left and right.

Hunt.io has attributed this newest string of attacks to a Pakistani threat actor called APT36, or Transparent Tribe. It uses a fake Ministry of Defense of India website, containing a link to a fake press release. When a victim tries to navigate to the press release, the site analyzes their OS, and then redirects them to the corresponding attack flow.

For Linux, the victims are redirected to a CAPTCHA page that copies a shell command when they click the “I’m not a robot” button. They are then asked to press ALT+F2 to bring up the Linux run dialog, and paste and run the command.

The good news is that the attack was spotted while still in experimental phase, meaning it hasn’t caused any significant damage, yet. Apparently, all the shell command does is download a harmless JPEG file. Things could turn sour at any point, however.

"No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution," the researchers explained.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.