CyberSecurity news
Puja Srivastava@Sucuri Blog
//
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.
The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views.
Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run program via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey. Additionally, users should exercise caution when encountering unsolicited technical instructions, verify the legitimacy of video sources, and avoid running PowerShell commands from untrusted sources. Monitoring for keywords like "not a robot," "captcha," "secure code," and "human" in process creation events can also help identify potential attacks. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns.
ImgSrc: blog.sucuri.net
References :
- Sucuri Blog: Fake Google Meet Page Tricks Users into Running PowerShell Malware
- securityonline.info: Fake Google Meet Page Tricks Users into Running Malware
- gbhackers.com: How Google Meet Pages Are Exploited to Deliver PowerShell Malware
- securityaffairs.com: Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.
- securityonline.info: Threat actors have ramped up a new social engineering campaign, dubbed “ClickFix,†where fake CAPTCHA prompts embedded in
- Know Your Adversary: I think you at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is - adversaries use fake CAPTCHA pages to trick users into executing malicious commands in Windows.
Classification:
- HashTags: #Phishing #PowerShell #Malware
- Company: Sucuri
- Target: Google Meet Users
- Product: Google Meet
- Feature: Fake Pages
- Type: Malware
- Severity: Medium