A new ClickFix social engineering campaign is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into manually compiling and executing malware on their systems.
A BSOD is a Windows crash screen displayed when the operating system encounters a fatal, unrecoverable error that causes it to halt.
In a new campaign first spotted in December and tracked by researchers at Securonix as “PHALT#BLYX,” phishing emails impersonating Booking.com led to a ClickFix social engineering attack that deployed malware.
ClickFix attack impersonated BSOD crashes
ClickFix social engineering attacks are webpages designed to display an error or issue and then offer “fixes” to resolve it. These errors could be fake error messages, security warnings, CAPTCHA challenges, or update notices that instruct visitors to run a command on their computer to fix the issue.
Victims end up infecting their own machines by running malicious PowerShell or shell commands provided in the attacker’s instructions.
In this new ClickFix campaign, attackers send phishing emails, typically to hospitality firms, that impersonate a hotel guest cancelling their Booking.com reservation. The claimed refund amount is significant enough to create a sense of urgency for the recipient of the email.
Clicking the link in the email takes the victim to a fake Booking.com website hosted on ‘low-house[.]com,’ which Securonix characterizes as a “high-fidelity clone” of the real Booking.com site.
“The page utilizes official Booking.com branding, including the correct color palette, logos, and font styles. To the untrained eye, it is indistinguishable from the legitimate site,” reports Securonix.
The site hosts malicious JavaScript that displays a fake “Loading is taking too long” error to the target, prompting them to click a button to refresh the page.
However, when the target clicks the button, the browser instead enters full-screen mode and displays a fake Windows BSOD crash screen that initiates the ClickFix social engineering attack.
The screen prompts the person to open the Windows Run dialog box and then press CTRL+V, which pastes a malicious command copied to the Windows clipboard.
The user is then prompted to press the OK button or Enter on their keyboard to execute the command.
Real BSOD messages do not offer recovery instructions and only display an error code and a reboot notice, but inexperienced users or hospitality staff under pressure to resolve a dispute may overlook these signs of trickery.
Pasting and running the provided command launches PowerShell, which opens a decoy Booking.com admin page. At the same time, in the background, it downloads a malicious .NET project (v.proj) and compiles it with the legitimate Windows MSBuild.exe compiler.
When executed, the payload adds Windows Defender exclusions and triggers UAC prompts to gain admin rights, before it downloads the primary loader using the Background Intelligent Transfer Service (BITS) and establishes persistence by dropping a .url file in the Startup folder.
The malware (staxs.exe) is DCRAT, a remote access Trojan commonly used by threat actors for remote access to infected devices.
The malware is injected into the legitimate ‘aspnet_compiler.exe’ process using process hollowing and executed directly in memory.
Upon first contact with the command-and-control (C2) server, the malware sends its full system fingerprint and then waits for commands to execute.
It supports remote desktop functionality, keylogging, reverse shell, and in-memory execution of additional payloads. In the case observed by Securonix, the attackers dropped a cryptocurrency miner.
With remote access established, the threat actors now have a foothold on the target’s network, allowing them to spread to other devices, steal data, and potentially compromise other systems.
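The chain described above leaves a recognisable trail: PowerShell started from Explorer (the parent of anything launched through the Run dialog), MSBuild.exe started by that PowerShell, and a .url file written to the Startup folder. The Python below is an added example, not code from Securonix or the original article, that flags those three behaviours in process and file-creation events; the event fields, PIDs, directories, user name and rule names are constructed assumptions.

```python
import ntpath  # parses Windows paths on any OS

# Constructed events (Sysmon-like fields). PIDs, users and directories are
# illustrative assumptions; only v.proj and the binary names come from the article.
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
STARTUP = r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "cmd": "powershell <pasted command>",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": NET + r"\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\ProgramData\v.proj"},
    {"type": "file", "pid": 300, "path": STARTUP + r"\example.url"},
    # Benign contrast: a developer build started from an IDE, not from PowerShell.
    {"type": "proc", "pid": 500, "ppid": 100, "image": r"C:\IDE\devenv.exe"},
    {"type": "proc", "pid": 600, "ppid": 500, "image": NET + r"\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]

def ancestors(pid, procs):
    """Yield lowercase image names of pid's parent chain, nearest first."""
    seen = set()
    ppid = procs.get(pid, {}).get("ppid")
    while ppid in procs and ppid not in seen:  # 'seen' guards against PID loops
        seen.add(ppid)
        yield ntpath.basename(procs[ppid]["image"]).lower()
        ppid = procs[ppid]["ppid"]

def detect(events):
    """Return (rule, pid) findings for the three behaviours in the lead-in."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "proc":
            name = ntpath.basename(e["image"]).lower()
            chain = list(ancestors(e["pid"], procs))
            # Weak signal alone: users also start PowerShell from Explorer legitimately.
            if name == "powershell.exe" and chain[:1] == ["explorer.exe"]:
                findings.append(("powershell_from_explorer", e["pid"]))
            # Stronger signal: a build tool driven by an interactive shell.
            if name == "msbuild.exe" and "powershell.exe" in chain:
                findings.append(("msbuild_from_powershell", e["pid"]))
        elif e["type"] == "file":
            path = e["path"].lower()
            if path.endswith(".url") and "\\start menu\\programs\\startup\\" in path:
                findings.append(("url_in_startup", e["pid"]))
    return findings
```

On a real host the first rule is noisy by itself, so alerting is more useful when it co-occurs with one of the other two within a short time window.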