ClickFix Fake Blue Screen Tricked Victims into Installing Malware

ClickFix, this time using a fake blue screen, tricked the victim into installing malware as ordered on the screen.

The strategy of tricking the victim to correct a fake error to embed malware into the victim machine, or ClickFix, is known as a popular method that is being widely used in many different ways, and this time the strategy comes with a new method of tricking the victim.

According to a report by the website Bleeping Computer, a new method of ClickFix deception has been detected, which typically uses fake Captcha on hacked websites or hacker fake websites to trick victims into following Captcha, but this time it is a fake BSOD or Blue Screen of Death with instructions for the victim to follow to correct the screen, which, if the victim follows, eventually leads to malware infection.

This new type of campaign scam starts with hackers tricking victims into fake websites that make imitations of Booking.com, which are websites for hotel reservations. These fake websites often use domain names such as' low-house [.] com '. After the victim enters the site, after the victim has surfed the site for a while, there will be a pop-up screen warning that "Loading is taking too long" or that the loading is too long. This is a JavaScript operation embedded on the site. If the victim clicks the button on the bounce screen, the fake screen will be turned on. The screen came up immediately.

In this fake screen, the victim will turn on Run, a feature for running the code, using the Windows + R logo button. After that, in the next step, the screen will instruct the victim to press the CTRL + V button to automatically paste the malware code that the script copied. In the end, the victim will press OK or enter button to run the code. If the victim believes it will be immediately infected with malware. These steps will not be different from any other form of ClickFix scam, but only with the panic of the appearance of the sky screen for the victim. It's only easier to get fooled.

As for the code, the research team determined that it was a code in the form of a PowerShell script that would lead to the reopening of the fake Admin Panel of the fake Booking website to deceive the victim, while in the background it would download the first payload file. NET project (v.proj) is codified with a Windows tool called MSBuild.exe, and after the code in the file has been successfully executed, the malware will add itself and related files to the Exclusion List of Windows Defender protection tools, and then send a Prompt command to the UAC or User Account Control to gain access to the system at a high level, and then download the malware through a tool called Background Intelligent Transfer Service (BITS), which will be created at this stage. Persistence by placing a .Url file in the Startup folder to guarantee that the malware will run on the system at any time and then downloading the real malware file called staxs.exe on the machine.

This file is a remote access Trojan file called DCRAT. This malware will shoot its own code into a process called 'aspnet _ compiler.exe' with the technique of replacing Process code with malware code or Process Hollowing to run it directly on memory, making it difficult to detect, followed by contacting the C2 or Command and Control server to send the victim system specifications back to the server and waiting for the next command from the server.

This malware can be called capable of desktop control, keylogging, RevereseShell, and running other payloads directly on memory. The research team found that the malware used this method to release malware type, use the victim's machine resources to mine Krypto Kerrenzi coins, or Crypto Miner.

The research team has warned that the genuine Windows screen does not command users to press the Edit button. The screen only shows error codes and warnings to reboot the system. If you find a screen with strange commands, do not believe and follow.

# Trending # Lemon 8 Howtoo # Drug sign with lemon8 # lemon 8 diary # freedomhack