FileFix attack tricks users into running image-borne malware

A new social engineering “hack yourself” attack that tricks victims into executing malware through seemingly innocent file upload processes has been discovered by backup and disaster recovery company Acronis’ Threat Research Unit.

Named “FileFix”, the campaign is a refined take on so-called ClickFix attacks, in which threat actors social engineer targets into running malicious commands and installing malware on their computers.

Unlike traditional ClickFix attacks that rely on fake CAPTCHA prompts or Windows operating system Run dialogues, FileFix exploits file upload interfaces on phishing websites.

The attack begins when users visit convincing phishing sites that masquerade as legitimate platforms such as Meta/Facebook Security.

Victims are instructed to paste what appears to be a file system path into a file selector dialogue box on their web browsers.

However, the “file path” in question is actually an obfuscated Microsoft PowerShell script that executes immediately when pasted.

The attack relies on the user’s own action to launch malware, Acronis’ research said.

As the initial PowerShell payload runs, it downloads malicious JPEG images with malware embedded steganographically: a hidden secondary script together with executable payloads encrypted with RC4.

The steganographic system can accommodate multiple files within a single image, with the script capable of delivering both DLL and executable files by specifying different start and end byte indexes for each payload.

Using a steganography approach allows attackers to bypass signature-based detection systems that typically scrutinise executable files.

Next, the PowerShell script extracts and executes the concealed code from within the seemingly harmless image files.
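As an added defender-side illustration (not code from the Acronis report or the campaign), the following Python flags a JPEG that carries a large, high-entropy blob beyond the image's own end-of-image marker, which is what an appended RC4-encrypted payload extracted by byte index would look like. It assumes the payload sits after the image data, which the article does not state, and runs on a constructed minimal JPEG rather than a real sample.

```python
import math
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, lower for text or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_image_end(blob: bytes):
    """Offset just past the primary image's EOI marker, or None if malformed.
    Walks segment headers (so an EXIF thumbnail's own EOI is skipped) until the
    first SOS, then takes the first EOI in the entropy-coded scan data."""
    if not blob.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            return None
        if blob[pos + 1] == 0xDA:  # SOS: compressed scan data follows
            eoi = blob.find(EOI, pos)
            return None if eoi == -1 else eoi + 2
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")  # skip segment
    return None


def inspect_jpeg(blob: bytes, min_trailer: int = 64, entropy_threshold: float = 7.0) -> dict:
    """Flag a JPEG whose trailing bytes look like an appended encrypted payload."""
    end = find_image_end(blob)
    if end is None:
        return {"suspicious": True, "reason": "malformed or truncated JPEG"}
    trailer = blob[end:]
    ent = shannon_entropy(trailer)
    return {"suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold,
            "trailer_offset": end, "trailer_len": len(trailer), "entropy": round(ent, 2)}


# Constructed sample input: a minimal JPEG skeleton (SOI, APP0, SOS, a few scan bytes,
# EOI), not a real photo, plus a stand-in for an appended encrypted payload (uniform
# bytes, entropy exactly 8.0). Neither is taken from the campaign in the article.
CLEAN_JPEG = (SOI + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\x56" + EOI)
TAINTED_JPEG = CLEAN_JPEG + bytes(range(256)) * 8
```

Calling `inspect_jpeg(TAINTED_JPEG)` reports a 2048-byte trailer at entropy 8.0 as suspicious, while the clean skeleton reports an empty trailer; thresholds are a starting point and legitimate files with large XMP or ICC trailers will need tuning.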

A final stage deploys a Go-based loader that performs environment checks before launching StealC, an information-stealing malware.

Acronis has documented multiple variants of the attack emerging within a two-week period.

Global infrastructure supports the multilingual campaign, with phishing sites and malware submissions traced across multiple countries.

Acronis suggested user education, training people to recognise suspicious copy-and-paste instructions on their computers, as a way to stop users from compromising themselves.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.