Summary
- Full-screen fake Windows Update or captcha tricks users into pasting and running attacker commands.
- Malware is steganographically stored in PNG pixels; a .NET Stego Loader extracts, decrypts, and runs it in memory.
- Clipboard trick makes victims paste commands; the loader downloads the image and calls 10,000 empty functions to evade analysis.
Social engineering attacks are probably still among the most used ways to actually infect a computer or steal someone’s data. A well-executed social engineering attack can have some pretty nasty consequences. This one even involves a fake Windows Update screen to round things out.
Cybersecurity researchers have uncovered a sophisticated evolution in “ClickFix” social engineering attacks, where threat actors are now combining realistic fake Windows Update animations with advanced social engineering techniques to compromise systems. In case you don’t know what a ClickFix attack is, its goal is to trick the user into performing an action that security software typically blocks when performed automatically.
In these new variants, victims encounter full-screen browser pages mimicking a critical Windows security update or a “human verification” captcha. The page instructs the user to press a specific sequence of keys to resolve an error or verify their identity. Unbeknownst to the user, JavaScript running on the malicious site has already copied a malicious command to their clipboard. When the user follows the key-press instructions (often involving pasting into the Windows Run box or Command Prompt), they inadvertently execute the attacker’s code.
It’s actually pretty smart, and that’s why it’s scary. What makes this specific campaign distinct is the use of steganography to conceal the malware payload. Rather than downloading a recognizable malicious file, the attackers hide the code inside the pixel data of PNG images. Huntress researchers explained that the malicious code is encoded directly within specific color channels of the image. To a casual observer or a basic security scan, the file appears to be a harmless image. However, the attack chain includes a .NET assembly known as a “Stego Loader.” This loader is responsible for parsing the image, extracting the encrypted payload from the pixels, and decrypting it in memory.
The way this works is that you visit a website displaying a fake full-screen error, such as a stuck Windows Update or a “verify you are human” check. Background scripts on the site secretly copy malicious code to your computer’s clipboard. The screen instructs you to open the Windows “Run” prompt and paste the text to “fix” the issue, and once you hit “enter,” the command downloads a seemingly harmless image file, which actually contains the malware that’s then decrypted by the Stego Loader. The entry point function initiates calls to 10,000 empty functions to exhaust or confuse analysis tools before executing the real payload.
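A channel that carries encrypted payload bytes instead of picture data can be spotted statistically. The Python script below is an added example, not code from the Huntress or Bleeping Computer writeups: it flags a colour channel whose bytes have near-maximal entropy and no correlation with the other two channels, which is how ciphertext looks where image data should be. The entropy and correlation thresholds and the two constructed sample images are assumptions; pixels are passed in as a list of (R, G, B) tuples, so PNG decoding is left to whatever image library the analyst already uses.

```python
import math
import random
from collections import Counter

CHANNELS = ("R", "G", "B")

def byte_entropy(values):
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def pearson(a, b):
    """Pearson correlation; the channels of a natural image track each other."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0

def suspicious_channels(pixels, entropy_min=7.5, corr_max=0.2):
    """Return names of channels that look like ciphertext: near-maximal byte
    entropy and no correlation with either of the other two channels (assumed thresholds)."""
    data = [[px[ch] for px in pixels] for ch in range(3)]
    flagged = []
    for ch in range(3):
        corr = [abs(pearson(data[ch], data[o])) for o in range(3) if o != ch]
        if byte_entropy(data[ch]) >= entropy_min and max(corr) < corr_max:
            flagged.append(CHANNELS[ch])
    return flagged

def make_gradient(width=64, height=64):
    """Constructed stand-in for a benign graphic: a smooth, strongly correlated gradient."""
    return [((x + y) * 2, (x + y) * 3 // 2, x + y)
            for y in range(height) for x in range(width)]

def with_random_channel(pixels, ch=0, seed=1234):
    """Constructed stand-in for a carrier image: one channel is overwritten with
    pseudo-random bytes, which is what encrypted payload bytes look like statistically."""
    rng = random.Random(seed)
    return [px[:ch] + (rng.randrange(256),) + px[ch + 1:] for px in pixels]

if __name__ == "__main__":
    clean = make_gradient()
    print("benign gradient flagged:", suspicious_channels(clean))                        # []
    print("carrier image flagged: ", suspicious_channels(with_random_channel(clean)))   # ['R']
```

This only catches a payload written as whole bytes into a channel; a low-bit embedding preserves channel correlation and needs a different test, and the thresholds should be tuned against a baseline of images from your own environment.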
You or I probably wouldn’t be victims of this. But think of an older person who might be fooled by this—maybe by clicking on the wrong link online. A disaster waiting to happen. To prevent this, you can disable the Run box on your grandpa’s PC, but there’s not a lot else you can do.
Source: Bleeping Computer