- Hunt.io researchers have spotted a ClickFix attack targeting Linux
- For now, it is still harmless
- Researchers believe a Pakistani threat actor is behind the attacks
ClickFix, a type of attack that tricks people into executing console commands that download malware while they think they are fixing a problem, is evolving once again.
This time, Hunt.io cybersecurity researchers say they have also seen the attack aimed at Linux devices.
Originally, ClickFix was designed for Windows devices, but at some point it expanded to macOS as well. Linux was, for the most part, spared. Until now.
ClickFix strikes Linux
ClickFix works in a simple way: a website is compromised and used to show a pop-up window. That pop-up usually tells the visitor that they need to "update" their browser to see the content, or pass a CAPTCHA test to confirm that they are human.
This "update" or "verification" process requires the user to copy a command to the clipboard, open the Run dialog (on Windows), paste the command, and execute it. Because the victim runs the command themselves, nothing is downloaded or executed by the browser, which sidesteps download warnings and the browser sandbox. It may sound like a stretch, but it is relatively successful: many cybersecurity companies have been warning about new ClickFix campaigns popping up left and right.
Hunt.io has attributed this new series of attacks to a Pakistani threat actor known as APT36, or Transparent Tribe. The group uses a fake website impersonating India's Ministry of Defence, which contains a link to a fake press release. When a victim tries to navigate to the press release, the site fingerprints their operating system and redirects them to the corresponding attack flow.
For Linux, victims are redirected to a CAPTCHA page that copies a shell command to the clipboard when they click the "I am not a robot" button. They are then told to press ALT+F2 to bring up the Linux run dialog, paste the command, and execute it.
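The routing and clipboard step described above, as an added example that is not Hunt.io's analysis code or the campaign's own lure page: a minimal JavaScript reconstruction of the page-side logic, the kind of thing an awareness-training simulation would use. The User-Agent checks, the element names and the placeholder echo commands are assumptions; the article gives the keystroke for Windows (the Run dialog) and for Linux (ALT+F2) but does not describe the macOS flow, so that platform is deliberately left unmapped here.

```javascript
// Added example, not code from Hunt.io or the campaign: a minimal
// reconstruction of the lure page logic the article describes.
// All commands are harmless placeholders (assumption).

// Per-OS flow. Keys come from the article: Run dialog on Windows, ALT+F2
// on Linux. macOS is not described there, so it is not mapped here.
const FLOWS = {
  windows: { key: "Win+R", command: 'echo "clickfix simulation (windows)"' },
  linux:   { key: "Alt+F2", command: 'echo "clickfix simulation (linux)"' },
};

// Fingerprint the OS from the User-Agent string, as a lure page does before
// choosing which flow to redirect to. Ordering matters: Android UAs contain
// "Linux" and iOS UAs contain "Mac OS X", so mobile is ruled out first.
function detectOs(userAgent) {
  const ua = String(userAgent || "");
  if (/Windows NT/.test(ua)) return "windows";
  if (/iPhone|iPad|iPod/.test(ua)) return "unsupported";
  if (/Mac OS X/.test(ua)) return "macos";
  if (/Android/.test(ua)) return "unsupported";
  if (/\bLinux\b|X11/.test(ua)) return "linux";
  return "unsupported";
}

// Build what the button will put on the clipboard and what the page will
// tell the victim to do next. Returns null for platforms with no flow.
function buildFlow(os) {
  const flow = FLOWS[os];
  if (!flow) return null;
  return {
    os,
    command: flow.command,
    instruction: `Press ${flow.key}, paste with Ctrl+V and press Enter to verify you are human.`,
  };
}

// Browser-only wiring for the "I am not a robot" button. The clipboard write
// is bound to the click because navigator.clipboard.writeText requires a
// user gesture (and a secure context); that is exactly why the lure needs
// the victim to click something before the command lands on the clipboard.
function attachLure(button, output, userAgent) {
  const flow = buildFlow(detectOs(userAgent));
  if (!flow) {
    output.textContent = "Unsupported platform.";
    return null;
  }
  button.addEventListener("click", async () => {
    await navigator.clipboard.writeText(flow.command);
    output.textContent = flow.instruction;
  });
  return flow;
}
```

Two points worth noticing for defenders: the OS check happens entirely client-side, so the same URL serves different instructions to different visitors, and the clipboard write is invisible to the user until they paste. Nothing in this flow touches the browser's download path, which is why endpoint telemetry on what gets launched from the run dialog, rather than browser download scanning, is where this technique is visible.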
The good news is that the attack was spotted while it was still in an experimental phase, which means it has not yet caused any significant damage. Apparently, all the shell command does is download a harmless JPEG file. However, things could turn sour at any time: the delivery mechanism is already in place, and only the payload behind it needs to change.
"No additional activity was observed, such as persistence mechanisms, lateral movement or outbound communication, during execution," the researchers explained.
Via BleepingComputer