New FileFix Steganography Campaign Spreads StealC Malware

Researchers have identified a sophisticated new campaign that represents the first documented real-world deployment of FileFix attacks beyond proof-of-concept demonstrations.

This campaign marks a significant evolution in social engineering tactics, combining advanced steganographic techniques with multilayered obfuscation to deliver the StealC information stealer through an innovative attack vector that builds upon the notorious ClickFix methodology.

Researchers from Acronis’ Threat Research Unit uncovered the campaign.

Fake Google Chrome error message used as a social engineering lure in ClickFix/FileFix phishing attacks.

The emergence of FileFix represents the latest advancement in what security researchers collectively term “*Fix” attacks, which includes ClickFix, FileFix, PromptFix, and other variants that have proliferated rapidly in recent months.

These attacks fundamentally rely on social engineering to trick victims into executing malicious commands through their own systems, effectively turning users into unwitting accomplices in their own compromise.

ClickFix attacks have experienced explosive growth, with incidents surging by over 500% in recent months.

The technique typically masquerades as a CAPTCHA verification process, instructing users to press Win+R to open the Windows Run dialog, paste a supposedly harmless command with Ctrl+V, and execute it.

A typical ClickFix attack may ask the victim to run malicious code for the attacker.

Despite the seemingly improbable nature of this attack vector, its effectiveness has been demonstrated across numerous campaigns ranging from commodity information stealers to nation-state operations deploying remote access trojans.

FileFix diverges from traditional ClickFix methodology by exploiting HTML file upload functionality instead of terminal access.

When victims interact with what appears to be a standard file upload button, they’re presented with a File Explorer window.

The attack then uses social engineering to get users to paste malicious commands into the address bar of this window, where they execute locally on the victim’s machine.

This approach offers potential advantages over conventional ClickFix attacks, as file upload windows are universally accessible across user environments, unlike terminal access which may be restricted in corporate settings.

Sophisticated Phishing Infrastructure

The discovered campaign employs a meticulously crafted phishing infrastructure centered around a convincing Facebook Security page simulation.

The attack likely begins with phishing emails masquerading as Facebook security notifications, alerting recipients to impending account suspension and directing them to the malicious site for remediation.

Upon reaching the phishing site, victims encounter an urgent scenario: their account has been reported and faces suspension within seven days, with permanent deletion threatened after 180 days of inaction.

The site provides an immediate appeal option, claiming that Meta’s team has shared a PDF file containing appeal instructions. To access this fabricated document, users are instructed to “open File Explorer” and paste the provided file path.

The social engineering proves particularly effective because it exploits familiar user behaviors. While many users have never accessed a terminal window, virtually everyone has used file upload functionality.

This familiarity, combined with the urgent tone and apparent legitimacy of the Facebook security context, creates a compelling scenario for user compliance.

Common malware attack techniques involving PowerShell, Windows registry manipulation, memory injection, and script-based methods.

The phishing site demonstrates remarkable technical sophistication through extensive JavaScript obfuscation and anti-analysis measures.

The malicious code, originally comprising approximately 18,000 lines, has been minified into just 12 lines, significantly complicating analysis efforts.

18,000 lines of malicious code were minified into 12 lines, making analysis all the more difficult.

Variables and function names consist of random letter combinations, code is fragmented throughout the script, and dead code creates multiple misdirection points.

Most notably, the site incorporates multilingual support with translations into 16 languages including Arabic, Russian, Hindi, Japanese, Polish, German, Spanish, French, Malay, and Urdu.

This extensive localization indicates a global targeting strategy and represents substantial investment in attack infrastructure development.

Campaign analysis reveals multiple site variants active within a two-week period, each featuring different payloads, techniques, and social engineering variations.

This rapid iteration suggests ongoing refinement and optimization of attack methodology, indicating a sophisticated threat actor committed to maximizing campaign effectiveness.

Steganographic Payload Delivery

The attack’s most innovative aspect involves its use of steganography to conceal malicious components within seemingly benign JPG images.

As we’ve observed the evolution of the payload in the past two weeks, we see the attacker moving from malicious domains that they control, such as elprogresofood[.]com, to hosting primarily on BitBucket.

To avoid detection, malicious commands are fragmented and stored in variables and invoked as needed.

The initial payload, delivered through the FileFix mechanism, consists of a heavily obfuscated PowerShell command that demonstrates several advanced evasion techniques:

The command fragments all classes and namespaces into separate variables that are reassembled during execution, significantly improving detection evasion.

To maintain the illusion of a legitimate file path, attackers append a variable containing extensive whitespace followed by a fake PDF path, ensuring only the benign path appears in the address bar while concealing the malicious commands.

Unlike typical ClickFix attacks that use the “#” symbol for command hiding, this approach employs variable manipulation, potentially bypassing detection systems specifically configured to identify traditional ClickFix patterns.

The payload size substantially exceeds typical ClickFix commands due to embedded Base64 encoding and variable fragmentation techniques.

Recent campaign iterations have introduced URL encryption through XOR operations with hardcoded keys, with encrypted URLs stored as hex bytes and decrypted during runtime.

The attack has also migrated from attacker-controlled domains to BitBucket hosting, further enhancing evasion capabilities while reducing infrastructure management overhead.
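
The traits described above (PowerShell launched from File Explorer, a long whitespace run pushing a decoy PDF path into view, embedded Base64, and class names reassembled from variable fragments) can be turned into a triage score over process-creation telemetry. The script below is an added example written for this article; it is not code from Acronis or from the campaign. It assumes Sysmon/EDR-style records with the fields ProcessId, Image, ParentImage and CommandLine, assumes a FileFix paste shows up as explorer.exe spawning powershell.exe, and runs over constructed, inert sample events.

```python
"""Heuristic triage of process-creation events for FileFix/ClickFix-style launches.

Added example for this article; it is not code from Acronis or from the
campaign. It scores Sysmon/EDR-style records (field names ProcessId, Image,
ParentImage, CommandLine are assumed) for the traits the report describes:
PowerShell launched from File Explorer, a long run of whitespace pushing a
decoy .pdf path into the address bar, embedded Base64 blobs, and string
fragments reassembled from variables. The sample events are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# Decoy path: 40+ whitespace characters, then a drive path ending in .pdf.
DECOY_PATH = re.compile(r"\s{40,}[A-Za-z]:\\[^\s]+?\.pdf\b", re.IGNORECASE)
# Any long whitespace run is unusual in a genuine command line.
WHITESPACE_PAD = re.compile(r"\s{40,}")
# 80+ Base64-alphabet characters in one token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# Three or more variables or string literals joined with '+'.
FRAGMENT_CONCAT = re.compile(r"(?:\$\w+\s*\+\s*){2,}\$\w+|(?:'[^']*'\s*\+\s*){2,}'[^']*'")
# Hidden-window or encoded-command switches.
EVASION_SWITCH = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, object]) -> Optional[Finding]:
    """Score one event; None if it is not PowerShell or nothing suspicious was seen."""
    if _basename(str(event.get("Image", ""))) not in POWERSHELL_NAMES:
        return None
    cmd = str(event.get("CommandLine", ""))
    f = Finding(pid=int(event["ProcessId"]))
    # Assumption: a FileFix paste surfaces as explorer.exe -> powershell.exe.
    if _basename(str(event.get("ParentImage", ""))) == "explorer.exe":
        f.add(3, "PowerShell spawned directly by explorer.exe")
    if DECOY_PATH.search(cmd):
        f.add(4, "decoy .pdf path after long whitespace run")
    elif WHITESPACE_PAD.search(cmd):
        f.add(2, "long whitespace run in command line")
    if B64_BLOB.search(cmd):
        f.add(2, "embedded Base64 blob")
    if FRAGMENT_CONCAT.search(cmd):
        f.add(2, "strings reassembled from fragments")
    if EVASION_SWITCH.search(cmd):
        f.add(2, "hidden window or encoded command switch")
    return f if f.score else None


def analyze(events: List[Dict[str, object]], threshold: int = 6) -> List[Finding]:
    """Return findings at or above the threshold, in input order."""
    hits = []
    for ev in events:
        f = score_event(ev)
        if f is not None and f.score >= threshold:
            hits.append(f)
    return hits


# Constructed sample events (not real telemetry). The first imitates the
# structure the article describes without any working payload.
MALICIOUS_CMD = (
    'powershell.exe -w hidden -c "$p=\'Sys\';$q=\'tem\';$r=\'.Net\';$ns=$p+$q+$r;'
    "$blob='" + "QUFB" * 30 + "';\""      # inert Base64-looking filler
    + " " * 120                             # padding pushes the decoy into view
    + "C:\\Users\\victim\\Downloads\\Meta_Appeal_Instructions.pdf"
)
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": MALICIOUS_CMD},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"},
    {"ProcessId": 4201, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Tools\\backup.ps1"},
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"pid {hit.pid} score {hit.score}: " + "; ".join(hit.reasons))
```

The parent-process signal alone is deliberately below the threshold: a user launching a script from Explorer also produces explorer.exe → powershell.exe, so the score only crosses the line when the padding, decoy path, or fragment-reassembly traits are present as well. Because the campaign avoids the “#” comment trick, a rule keyed only on that ClickFix pattern would miss it; the whitespace-padding and decoy-path checks are what cover this variant.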

The infection chain employs a sophisticated multi-stage architecture beginning with steganographic extraction.

The initial payload downloads AI-generated landscape images—depicting scenes such as houses in meadows or macro photography of snails—to the victim’s temporary directory.

The second-stage script, stored in plaintext within the image file, establishes RC4 decryption and gzip decompression functions. It can extract multiple files from single images, supporting both DLL and executable formats.

Second-stage script contains functions to decrypt and extract malicious payloads.

Each extracted EXE file executes through conhost.exe before automatic deletion after 12 minutes, while the victim receives a fake “Cannot open file!” error message maintaining the deception.
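
Because a JPEG decoder stops reading at the End-Of-Image marker, the plaintext second-stage script and the encrypted binaries described above can sit after it while the picture still renders normally. A defender can check images landing in temporary directories for exactly that condition. The scanner below is an added example for this article, not code from Acronis or from the campaign: it walks the JPEG marker structure to the EOI, measures the trailer, and flags one that looks like a script or like encrypted/compressed data. The sample JPEG skeleton, the placeholder script text and the high-entropy blob are all constructed fixtures.

```python
"""Flag JPEG files carrying data appended after the End-Of-Image marker.

Added example for this article, not code from Acronis or from the campaign.
The marker walker parses up to EOI (FF D9), then inspects whatever follows.
The sample JPEG is a constructed minimal fixture, not a real image.
"""
import math
from typing import Dict

# Markers that carry no length field.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))
# Tokens a plaintext PowerShell stage would typically contain.
SCRIPT_HINTS = (b"function", b"frombase64string", b"gzipstream", b"-join", b"iex")


def find_eoi_end(data: bytes) -> int:
    """Offset just past the EOI marker, or -1 if the bytes are not a JPEG."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(blob: bytes) -> bool:
    if not blob:
        return False
    printable = sum(1 for b in blob if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(blob) >= 0.95


def inspect_jpeg(data: bytes) -> Dict[str, object]:
    end = find_eoi_end(data)
    if end < 0:
        return {"valid_jpeg": False}
    trailer = data[end:]
    entropy = shannon_entropy(trailer)
    script = looks_like_text(trailer) and any(h in trailer.lower() for h in SCRIPT_HINTS)
    return {
        "valid_jpeg": True,
        "trailing_bytes": len(trailer),
        "trailing_entropy": round(entropy, 3),
        "looks_like_script": script,
        # Small trailers occur in benign files (camera and editor metadata),
        # so require both a size and a content signal.
        "suspicious": len(trailer) >= 64 and (script or entropy > 7.0),
    }


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton: SOI, APP0, SOS with stuffed bytes, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # FF00 stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


# Constructed trailer resembling a plaintext stage-two script (placeholders only).
SCRIPT_TRAILER = (b"function Decrypt-Rc4 { param($key, $data) <placeholder body> }\n"
                  b"$gz = New-Object IO.Compression.GzipStream <placeholder>\n")
# Stands in for an RC4-encrypted blob: every byte value equally often.
HIGH_ENTROPY_TRAILER = bytes(range(256)) * 8

if __name__ == "__main__":
    for name, blob in [("clean", build_sample_jpeg()),
                       ("script", build_sample_jpeg(SCRIPT_TRAILER)),
                       ("encrypted", build_sample_jpeg(HIGH_ENTROPY_TRAILER))]:
        print(name, inspect_jpeg(blob))
```

Running this over files in %TEMP% pairs naturally with the process-level signal: an image that renders but carries a sizeable high-entropy or script-like trailer, written shortly before a conhost.exe or PowerShell launch, is the combination this chain produces. A trailer on its own is not proof; some cameras and editors append metadata, which is why the check wants both size and content before flagging.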

StealC Information Stealer

The ultimate payload consists of a sophisticated loader written in Go, incorporating virtual machine detection capabilities and comprehensive string encryption.

The loader performs basic sandbox detection by decrypting a blocklist of graphics card names commonly associated with VM and sandbox environments, then queries system graphics devices through EnumDisplayDevicesA function calls.

String obfuscation extends to all API call names, with dedicated functions for decrypting and storing API references like EnumDisplayDevicesA and NtAllocateVirtualMemory during runtime.

Interestingly, the decryption function names themselves remain unencrypted, suggesting ongoing development and potential future enhancement.

Upon successful environment validation, the loader decrypts and executes shellcode that deploys StealC, a capable information stealer targeting extensive data categories.

StealC attempts credential harvesting from numerous browsers including Chrome, Firefox, Opera, Internet Explorer, Tencent QQ, Quark, UC Browser, Sogou Explorer, and Maxthon.

Cryptocurrency wallet targeting encompasses Bitcoin, Dogecoin, Raven, Daedalus, Mainnet, Blockstream, WalletWasabi, Ethereum, Electrum variants, Ledger Live, Exodus, ElectronCash, MultiDoge, Jaxx Liberty, Atomic Wallet, Binance, Coinomi, and Guarda.

Additional targets include messaging platforms like Thunderbird, Telegram, and Discord, VPN applications including OpenVPN and ProtonVPN, gaming platforms such as Ubisoft Game Launcher and Battle.net, plus cloud service credentials for Azure and AWS.

VirusTotal submission analysis indicates global campaign scope, with related files and phishing sites submitted from the United States, Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Serbia, Peru, China, Germany, and other locations. Combined with multilingual site support, this geographic distribution confirms international targeting intentions.

The campaign’s rapid evolution over two weeks demonstrates continuous refinement efforts. Initial attacks employed single-stage PowerShell payloads containing complete extraction and decryption scripts, evolving into the current two-stage architecture with support for multiple executable and DLL drops.

Recent iterations have introduced loading first-stage scripts from .log files hosted on BitBucket while maintaining core attack methodology.

Executable payload evolution shows progression from OLLVM-obfuscated binaries to the current Go-based shellcode loaders, indicating ongoing technical development. Social engineering pretexts have also evolved, from requiring an ID upload to prevent account deletion to viewing documentation of the alleged violation, though some leftover wording from the earlier pretext suggests rapid development cycles.

Mitigations

This campaign represents a significant milestone in *Fix attack evolution, demonstrating how proof-of-concept techniques can rapidly mature into sophisticated threat vectors.

The combination of FileFix social engineering, steganographic concealment, multi-stage obfuscation, and advanced evasion techniques creates a formidable challenge for traditional security controls.

The attack’s success highlights the critical importance of user education regarding social engineering tactics, particularly those exploiting familiar system functionality like file uploads.

Organizations should implement comprehensive security awareness training specifically addressing *Fix attack methodologies and maintain updated detection capabilities for obfuscated PowerShell execution and steganographic payload delivery.

As FileFix techniques continue evolving alongside traditional ClickFix methods, security teams must prepare for increasingly sophisticated social engineering campaigns that leverage legitimate system functionality to bypass technical controls and exploit human psychology for initial access and payload delivery.
