Clickfix

Malware updated a month ago (2024-11-29T14:53:32.712Z)
ClickFix is malware that has been actively compromising computers and devices, primarily through fake WordPress plug-ins. The campaign uses these bogus plug-ins to inject JavaScript that leads visitors to ClickFix fake browser update prompts; the prompts use blockchain and smart contracts to fetch and deliver the harmful payloads. A new variant, described by domain registrar GoDaddy, spreads via counterfeit WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner." GoDaddy has tracked the ClickFix campaign since August 2023 and has identified it on over 25,000 compromised sites worldwide. On September 2-3, GoDaddy reported that the new variant had infected more than 6,000 WordPress sites within a 24-hour period.

The malware is also distributed through GitHub and suspicious websites, where users often encounter redirection chains that lead to fake CAPTCHA pages. ClickFix adapts its tactics to each operating system. On macOS, users who click a "fix it" prompt are walked through steps that trigger an automatic download and installation of malware packaged as a .dmg file. On Windows, ClickFix relies on either a malicious mshta or a PowerShell command, depending on the infection cluster in use. ClickFix has also been observed using fake error messages on multiple platforms, such as Google Meet and Zoom, mimicking the error notifications shown on video conferencing pages to lure users. Beyond video platforms, its fake CAPTCHA pages urge users to complete steps that execute malicious code, infecting both Windows and macOS systems.

GoDaddy is not certain how attackers obtained the WordPress admin credentials used to launch the latest ClickFix campaign, but it noted that likely vectors include brute-force attacks and phishing campaigns aimed at harvesting legitimate usernames and passwords.
Analysts at Proofpoint first detailed ClickFix earlier this year.
Description last updated: 2024-11-05T22:02:40.465Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Clearfake (votes: 2)
Clearfake is a possible alias for Clickfix. ClearFake is a malicious software, or malware, that has been identified as a significant threat to cybersecurity. Its primary method of propagation is through fake browser updates, encouraging users to copy and execute harmful PowerShell commands. This deceptive approach enables cybercriminals to in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Credentials
PowerShell