New FileFix attack uses steganography to drop StealC malware

A newly discovered FileFix social engineering attack impersonates Meta account suspension warnings to trick users into unknowingly installing the StealC infostealer malware.

FileFix is a new variant of the ClickFix family of attacks, which uses social engineering attacks to trick users into pasting malicious commands into operating system dialog boxes as supposed “fixes” for problems.

The FileFix technique was created by red team researcher mr.d0x, and instead of convincing users into pasting malicious PowerShell commands into the Windows Run dialog or terminal, FileFix abuses the address bar in File Explorer to execute the commands.

This is not the first time FileFix has been used in attacks, with the Interlock ransomware gang previously using FileFix to install its remote access trojan (RAT). However, these earlier attacks utilized the original FileFix proof-of-concept (PoC), rather than evolving it with new lures.

New FileFix campaign

The new campaign, discovered by Acronis, uses a multi-language phishing page that poses as Meta’s support team, warning recipients that their account will be disabled in seven days unless they view an “incident report” allegedly shared by Meta.

However, this report is not actually a document, but a disguised PowerShell command used to install malware on targets’ devices.

The phishing page tells users to click the “Copy” button to copy what appears to be a file path, click on the open File Explorer button, and then paste the path into the File Explorer address bar to open the document.

However, clicking the Copy button actually copies a PowerShell command with added spaces into the Windows clipboard, so that only the file path is shown when pasted into File Explorer.

“In order to trick the user into thinking that they are pasting the path to an ‘incident report’ PDF file, the attacker has placed a variable at the end of the payload, which contains a lot of spaces and the fake path at the end,” explains Acronis.

“This is done so that only the file path would appear in the address bar, and none of the actual malicious commands. In an average ClickFix attack, this is done using the # symbol instead of a variable, which is taken by PowerShell as a developer comment.”

“This has the unintentional advantage that anyone who has built their detections to look for the “#” symbol from ClickFix, is likely to miss this.”

This FileFix campaign stands out as it uses steganography to hide both a second-stage PowerShell script and encrypted executables inside what appears to be a harmless JPG image hosted on Bitbucket.

The first-stage PowerShell command, unknowingly entered by the target, first downloads the image, extracts the embedded secondary script, which is then used to decrypt the payloads in memory.

The final payload is the StealC infostealer malware, which attempts to steal the following data from infected devices:

• Credentials and authentication cookies from web browsers (Chrome, Firefox, Opera, Tencent, etc.)
• Credentials from messaging apps (Discord, Telegram, Tox, Pidgin)
• Cryptocurrency wallets (Bitcoin, Ethereum, Exodus, etc.)
• Cloud credentials (AWS, Azure)
• VPN and gaming apps (ProtonVPN, Battle.net, Ubisoft)
• Ability to take a screenshot of the active desktop.

Acronis reports that multiple variants of this campaign were observed over two weeks, using different payloads, domains, and lures.

“Throughout our investigation, we’ve uncovered several iterations of the attack, going back two weeks,” observed Acronis.

“Through these iterations, we can trace out an evolution of both the social engineering technique, and the more technical aspects of the attack.”

“Perhaps this is indicative or an attacker testing out an infrastructure they are planning to use in the future, or perhaps these are iterations added to the attack mid campaign, as the attacker learns to adapt and improve.”

While most organizations have educated their employees on phishing tactics, ClickFix and FileFix tactics remain relatively new and continue to evolve.

Acronis recommends that companies educate their users on these new tactics and the risks of copying data from a website into seemingly harmless system dialogs.