New ClickFix campaign spotted hitting both Windows and Linux machines
ClickFix is evolving once again and this time, it's targeting Linux, too.
- Researchers from Hunt.io saw a Linux-based ClickFix attack
- At the moment, it is still harmless
- The researchers believe a Pakistani threat actor is behind the attacks
ClickFix, a type of attack that tricks people into running console commands to download malware, thinking they’re fixing a problem, is evolving once again.
This time, cybersecurity researchers from Hunt.io said they spotted the attack targeting Linux devices, as well.
Originally, ClickFix was designed for Windows devices but has, at some point, expanded into macOS, as well. Linux was, for the most part, spared. Until now.
TechRadar Pro readers can get 60% off Premium Plans at RoboForm now!
New users can take advantage of RoboForm’s exclusive deal and get 60% off the Premium Plan. With this deal, you can get unlimited password storage, one-click login & autofill, password sharing, two-factor authentication for added protection, cloud backup, and emergency access for trusted contacts. To claim this deal, visit this link and sign up for the Premium Plan to lock in this huge discount.
Preferred partner (What does this mean?)View Deal
ClickFix strikes Linux
ClickFix works in a simple way - a website is compromised and used to show a popup. That popup usually tells the visitor that they need to “update” their browser to view the content, or pass a CAPTCHA test to confirm that they’re human.
That “update” or “verification” process requires the user to copy a command to the clipboard, bring up the Run program (on Windows), paste and run it. It may sound like a stretch, but it’s relatively successful, since many cybersecurity companies have been warning about new ClickFix campaigns emerging left and right.
Hunt.io has attributed this newest string of attacks to a Pakistani threat actor called APT36, or Transparent Tribe. It uses a fake Ministry of Defense of India website, containing a link to a fake press release. When a victim tries to navigate to the press release, the site analyzes their OS, and then redirects them to the corresponding attack flow.
For Linux, the victims are redirected to a CAPTCHA page that copies a shell command when they click the “I’m not a robot” button. They are then asked to press ALT+F2 to bring up the Linux run dialog, and paste and run the command.
The good news is that the attack was spotted while still in experimental phase, meaning it hasn’t caused any significant damage, yet. Apparently, all the shell command does is download a harmless JPEG file. Things could turn sour at any point, however.
"No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution," the researchers explained.
Via BleepingComputer
You might also like
- US deportation airline GlobalX website defaced by hackers, data stolen
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
