ClickFix is malware that has been actively exploiting computers and devices, primarily through fake WordPress plug-ins. The campaign uses these bogus plug-ins to inject JavaScript that leads to ClickFix fake browser updates. These updates use blockchain and smart contracts to obtain and deliver harmful payloads. A new variant, as described by domain registrar GoDaddy, spreads via counterfeit WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner." GoDaddy has been tracking the ClickFix malware campaign since August 2023, identifying it on over 25,000 compromised sites worldwide.
On September 2-3, GoDaddy reported that this new variant infected more than 6,000 WordPress sites within a 24-hour period. The malware also uses GitHub and suspicious websites, where users often encounter redirection chains leading them to fake CAPTCHA pages. ClickFix adapts its tactics to different operating systems, leveraging their unique behaviors. For instance, on macOS, users who click on a “fix it” prompt are guided through steps that initiate an automatic download and installation of malware in .dmg format. On Windows, ClickFix relies on either a malicious mshta or PowerShell command, depending on the infection cluster being used.
ClickFix has also been found using fake error messages across multiple platforms, such as Google Meet and Zoom, often mimicking error notifications on video conferencing pages to lure users. Beyond video platforms, ClickFix uses fake CAPTCHA pages that urge users to complete steps that activate malicious code, causing infections on both Windows and macOS systems. GoDaddy isn't clear on how attackers acquired the WordPress admin credentials used to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. Analysts at Proofpoint first detailed ClickFix earlier this year.
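For site owners, one way to triage a WordPress install against the two plug-in names quoted above is to read each plug-in's declared name from its header comment. This is an added example, not GoDaddy's tooling; the function names and the sample directory tree are constructed for illustration, and because the names are generic a hit is a lead for manual review rather than a verdict.

```python
import re
import tempfile
from pathlib import Path

# Plug-in names quoted in the description above (the only indicators it gives).
REPORTED_NAMES = {"advanced user manager", "quick cache cleaner"}

# WordPress takes a plug-in's name from a "Plugin Name:" header comment near
# the top of its main PHP file (only the first 8 KiB is read).
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def plugin_name(php_file):
    """Return the plug-in name declared in a PHP file, or None if absent."""
    with open(php_file, "rb") as fh:
        m = HEADER_RE.search(fh.read(8192))
    if not m:
        return None
    name = m.group(1).decode("utf-8", "replace")
    name = re.sub(r"\s*(\*/|\?>).*", "", name)  # drop comment / PHP closers
    return " ".join(name.split())               # collapse padding whitespace

def audit_plugins(plugins_dir):
    """List (folder, file, name) for plug-ins whose declared name is reported.

    Only plug-ins installed in their own folder are covered, which is how
    uploaded plug-ins are normally laid out under wp-content/plugins.
    """
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name = plugin_name(php)
        if name and name.lower() in REPORTED_NAMES:
            hits.append((php.parent.name, php.name, name))
    return hits

def build_sample_tree(root):
    """Write a constructed wp-content/plugins tree used by the demo."""
    samples = {
        "quick-cache-cleaner/index.php":
            "<?php\n/*\n * Plugin Name:  Quick Cache   Cleaner\n * Version: 1.0\n */\n",
        "contact-form/contact-form.php": "<?php\n/* Plugin Name: Contact Form */\n",
        "contact-form/helpers.php": "<?php\n// helper file, no header\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, file, name in audit_plugins(tmp):
            print(f"review: {folder}/{file} declares '{name}'")
```

Matching on the declared name rather than the folder name matters because the folder can be called anything; comparing hits against the list of plug-ins an administrator knowingly installed is the follow-up step.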
Description last updated: 2024-11-05T22:02:40.465Z