Lazarus APT Deploys ClickFix to Exfiltrate Sensitive Intelligence Data
Security researchers at Qi’anxin Threat Intelligence Center have uncovered a new attack campaign that leverages fake job postings to deploy Lazarus’s signature BeaverTail malware and the InvisibleFerret Python trojan.
Lazarus, suspected of having Northeast Asian origins, gained international attention following its devastating 2014 attack on Sony Pictures.
Since then, the group has expanded its targets to include government agencies, financial institutions, cryptocurrency exchanges, and individual professionals across various industries.
The organization has consistently demonstrated proficiency in using fake social media accounts and fabricated employment opportunities as initial attack vectors.
The latest campaign begins with victims receiving fraudulent job offers directing them to attacker-controlled interview websites.
During the simulated interview process, targets are informed that their camera configuration is faulty and requires immediate fixing. The supposed solution appears as an Nvidia software update, but actually serves as a delivery mechanism for malicious payloads.
The attack chain initiates through ClickFix-1.bat (MD5: f9e18687a38e968811b93351e9fca089), which downloads a malicious compressed package from hxxps://driverservices.store/visiodrive/nvidiaRelease.zip.
Upon execution, the script extracts and runs run.vbs, which performs system reconnaissance by checking the Windows BuildNumber to determine if the target is running Windows 11.
For Windows 11 systems specifically, the malware deploys drvUpdate.exe (MD5: 6175efd148a89ca61b6835c77acc7a8d), a sophisticated backdoor disguised as a driver update.
This backdoor establishes communication with the command-and-control server at 103.231.75.101:8888 and supports multiple functions, including command execution via cmd.exe, file read/write operations, and comprehensive system information collection.
The attack also verifies Node.js installation and subsequently executes main.js (MD5: b52e105bd040bda6639e958f7d9e3090), which contains the cross-platform BeaverTail stealer.
This malware component communicates with hxxp://45.159.248.110 and downloads additional Python-based InvisibleFerret trojans for persistent access.
Researchers identified parallel campaigns targeting macOS systems using similarly disguised packages named “arm64-fixer” and “arm64-fixernew.”
These variants maintain persistence through plist files located at ~/Library/LaunchAgents/com.local.drvierUpdate.plist while deploying identical BeaverTail malware functionality.
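The Windows chain (ClickFix-1.bat, run.vbs, drvUpdate.exe beaconing to 103.231.75.101:8888, node.exe running main.js) and the macOS persistence path above give a defender a concrete set of indicators to hunt for. The following script is an added example, not code from the Qi’anxin report: it matches the hashes, hosts, C2 endpoint and plist path named in the article against a small set of constructed endpoint telemetry records. The event field names (`image`, `cmdline`, `md5`, `host`, `dst_ip`, `dst_port`, `path`) and the sample records are assumptions made for the example; only the indicator values come from the write-up.

```python
"""Indicator matcher for the ClickFix / BeaverTail chain described above.

Added example, not part of the original report. Event schema and sample
telemetry are constructed; indicator values are the ones the article lists.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators from the article (MD5 hashes, download hosts, C2 socket, plist).
KNOWN_HASHES = {
    "f9e18687a38e968811b93351e9fca089": "ClickFix-1.bat",
    "6175efd148a89ca61b6835c77acc7a8d": "drvUpdate.exe",
    "b52e105bd040bda6639e958f7d9e3090": "main.js (BeaverTail)",
}
KNOWN_HOSTS = {"driverservices.store", "45.159.248.110"}
KNOWN_C2 = {("103.231.75.101", 8888)}
# Note the "drvier" misspelling in the LaunchAgent label as reported.
PLIST_PATTERN = re.compile(r"/Library/LaunchAgents/com\.local\.drvierUpdate\.plist$")


@dataclass
class Event:
    host: str
    kind: str                      # "process", "network" or "file" (assumed schema)
    detail: dict = field(default_factory=dict)


def classify(ev: Event) -> list[str]:
    """Return the indicator labels an event matches; empty list means clean."""
    hits: list[str] = []
    d = ev.detail
    if ev.kind == "process":
        md5 = d.get("md5", "").lower()          # normalise case before lookup
        if md5 in KNOWN_HASHES:
            hits.append(f"hash:{KNOWN_HASHES[md5]}")
        cmd = d.get("cmdline", "").lower()
        # Script host launching run.vbs (the stage that checks BuildNumber).
        if ("wscript" in cmd or "cscript" in cmd) and "run.vbs" in cmd:
            hits.append("proc:run.vbs via script host")
        # Node.js executing main.js (the BeaverTail stealer).
        if "node" in d.get("image", "").lower() and cmd.endswith("main.js"):
            hits.append("proc:node running main.js")
    elif ev.kind == "network":
        if d.get("host") in KNOWN_HOSTS:
            hits.append(f"net:{d['host']}")
        if (d.get("dst_ip"), d.get("dst_port")) in KNOWN_C2:
            hits.append(f"c2:{d['dst_ip']}:{d['dst_port']}")
    elif ev.kind == "file":
        if PLIST_PATTERN.search(d.get("path", "")):
            hits.append("persist:LaunchAgent plist")
    return hits


def scan(events: list[Event]) -> list[tuple[str, str]]:
    """Flatten all (host, indicator) pairs found in a batch of events."""
    return [(e.host, h) for e in events for h in classify(e)]


def infected_hosts(events: list[Event]) -> list[str]:
    """Sorted list of hosts with at least one indicator hit."""
    return sorted({host for host, _ in scan(events)})


# Constructed sample telemetry: one Windows host walking the full chain,
# one macOS host with the persistence artifact, one clean host.
SAMPLE = [
    Event("ws01", "process", {"image": "cmd.exe",
                              "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\ClickFix-1.bat",
                              "md5": "F9E18687A38E968811B93351E9FCA089"}),
    Event("ws01", "network", {"host": "driverservices.store", "dst_port": 443}),
    Event("ws01", "process", {"image": "wscript.exe",
                              "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\nvidiaRelease\run.vbs"}),
    Event("ws01", "process", {"image": "drvUpdate.exe", "cmdline": "drvUpdate.exe",
                              "md5": "6175efd148a89ca61b6835c77acc7a8d"}),
    Event("ws01", "network", {"dst_ip": "103.231.75.101", "dst_port": 8888}),
    Event("ws01", "process", {"image": "node.exe",
                              "cmdline": r"node.exe C:\Users\alice\AppData\Local\Temp\nvidiaRelease\main.js",
                              "md5": "b52e105bd040bda6639e958f7d9e3090"}),
    Event("ws01", "network", {"host": "45.159.248.110", "dst_port": 80}),
    Event("mac01", "file", {"path": "/Users/bob/Library/LaunchAgents/com.local.drvierUpdate.plist"}),
    Event("ws02", "process", {"image": "node.exe", "cmdline": r"node.exe C:\proj\server.js"}),
    Event("ws02", "network", {"host": "example.com", "dst_port": 443}),
]

if __name__ == "__main__":
    for host, hit in scan(SAMPLE):
        print(f"{host}\t{hit}")
    print("hosts needing triage:", ", ".join(infected_hosts(SAMPLE)))
```

Hash and host matches are exact and will miss a rebuilt payload or moved infrastructure; the behavioural rules (script host running run.vbs out of an extracted archive, node.exe launched against a main.js, a LaunchAgent plist with the misspelled label) are the ones worth keeping in a detection rule after the listed indicators rotate.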
The Qi’anxin analysis reveals that Lazarus continues adapting proven social engineering methodologies, demonstrating that psychological manipulation often proves more effective than sophisticated technical exploits.
Organizations should implement comprehensive security awareness training and maintain vigilance when encountering unexpected software update prompts or job-related communications from unverified sources.
The post Lazarus APT Deploys ClickFix to Exfiltrate Sensitive Intelligence Data appeared first on Cyber Security News.