Do Not Click On Any Of These Websites On Your PC


“If it looks like a duck,” starts the so-called Duck Test, then it’s probably a duck. And sometimes, cybersecurity threats are just as simple to detect. So it is with the ClickFix attacks now running riot across PCs worldwide. Forget the lure. If a popup window or website asks you to copy and paste text into a prompt, then don’t. It’s an attack.

The latest warning comes from the investigators at DomainTools, with “threat actors exploiting human trust” through “Prove You Are Human” malware. This is ClickFix meets CAPTCHA, the fiddly little tests that ask you to pick out bikes or rearrange the pieces of a jigsaw puzzle. The copy and paste is presented as the human test.


DomainTools warns it has unearthed a “malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines.” Those scripts “download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport remote access trojan (RAT).”

With ClickFix, the victim doesn’t copy and paste the dangerous script itself; that script is hosted elsewhere and retrieved by the more innocuous text that the victim does copy and paste. This second stage “also functioned as downloaders, making 3 or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage resulting in NetSupport RAT running on the victim host.”

DomainTools being DomainTools, the team investigated and uncovered a broader malware ecosystem underpinning these attacks, with a raft of malicious domains registered for that purpose. This includes “Docusign spoofed websites,” crafted to trick users into thinking a form or install page is legitimate.

One such example, docusign.sa[.]com/verification/s.php, was encoded with a cipher “to avoid signature detections and obfuscation.” In this case, that’s ROT13, “in which a simple letter substitution replaces each letter with the 13th letter after it in the alphabet. Completing this operation twice effectively decodes the text.”

The page presented back to the victim “is designed to look like a Cloudflare ‘Checking your browser’ / CAPTCHA page, mixed with Docusign branding.” This leads to so-called Clipboard Poisoning, which secretly copies text to the clipboard without the user realizing. “The user is instructed to (Win+R, Ctrl+V, Enter) or in other words, open their Window Run prompt, copy in the malicious script, and run it.”
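A defensive check for the pattern described above, as an added example that is not from the article or from DomainTools: it scans a saved page both as served and after one ROT13 pass, and flags clipboard-writing script combined with a command interpreter name. The marker names, regexes and both sample pages are constructed for illustration.

```python
import codecs
import re

# Heuristic markers (assumed names, chosen for this example).
MARKERS = {
    # Script that writes to the clipboard on the visitor's behalf.
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    # A command interpreter named in the text placed on the clipboard.
    "interpreter": re.compile(r"\b(powershell|pwsh|cmd\.exe|mshta)\b", re.I),
    # The "open Run and paste" instruction shown to the visitor.
    "run_lure": re.compile(r"win(dows)?\s*\+\s*r|ctrl\s*\+\s*v", re.I),
}

def scan_page(html):
    """Check the page as served and after one ROT13 pass over its letters."""
    views = {"raw": html, "rot13": codecs.decode(html, "rot13")}
    hits = {
        name: {key for key, rx in MARKERS.items() if rx.search(text)}
        for name, text in views.items()
    }
    combined = hits["raw"] | hits["rot13"]
    return {
        "markers": sorted(combined),
        # Markers that only a ROT13 pass reveals point to deliberate hiding.
        "hidden_by_rot13": sorted(hits["rot13"] - hits["raw"]),
        "clickfix_like": {"clipboard_write", "interpreter"} <= combined,
    }

# Constructed sample: visible lure text plus a ROT13-encoded script string.
HIDDEN = 'navigator.clipboard.writeText("powershell <placeholder command>")'
SAMPLE_PAGE = (
    "<p>Verify you are human: press Win+R, then Ctrl+V, then Enter</p>"
    "<script>var p='" + codecs.encode(HIDDEN, "rot13") + "';</script>"
)
# Constructed benign page: a user-facing "copy link" button, no interpreter.
BENIGN_PAGE = (
    "<p>Sign in to view your document</p>"
    '<button onclick="navigator.clipboard.writeText(location.href)">Copy</button>'
)

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print(scan_page(BENIGN_PAGE))
```

A clipboard write alone is not flagged, since legitimate "copy link" buttons use the same API; the signal is the combination with an interpreter name.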

Fortunately, all these ClickFix attacks do require you to open a prompt, paste in text and then hit Enter. The obfuscation might disguise the lead-up to the attack, but if you know never to paste and execute any such command regardless of the lure, you will be protected from these attacks. DomainTools says this latest attack “capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.” But if you can’t be tricked into the final act, you’re fine.
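Because the final step always goes through the Run dialog, the per-user Run history that Windows keeps (the RunMRU registry key) is one place to look after a suspected incident. The following is an added example, not from the article: it triages exported RunMRU values and flags entries that start an interpreter and reference a URL. The function name, heuristics and sample values are constructed.

```python
import re

# Assumption: `values` holds data exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each
# lettered value ends in "\1" and MRUList gives the order, newest first.
STARTS_INTERPRETER = re.compile(
    r'^\s*"?(?:\S*\\)?(powershell|pwsh|cmd|mshta)(?:\.exe)?"?(?:\s|$)', re.I)
URL = re.compile(r"https?://[^\s\"'|)<>]+", re.I)

def triage_run_history(values):
    """Return Run-dialog entries that launch an interpreter and name a URL."""
    findings = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        # Strip the "\1" terminator that Explorer appends to every entry.
        command = raw[:-2] if raw.endswith("\\1") else raw
        match = STARTS_INTERPRETER.search(command)
        urls = URL.findall(command)
        if match and urls:
            findings.append({
                "slot": slot,
                "interpreter": match.group(1).lower(),
                "urls": urls,
            })
    return findings

# Constructed sample export; the flagged command is a placeholder, not a payload.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "https://intranet.example.invalid/\\1",
    "d": 'powershell -c "<placeholder: fetch and run '
         'https://example.invalid/stage2>"\\1',
}

if __name__ == "__main__":
    for finding in triage_run_history(SAMPLE_RUNMRU):
        print(finding)
```

Opening a URL or a bare `cmd` from Run is left alone; only the interpreter-plus-URL combination is reported, newest entry first.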


In its latest report, Gen (the company behind Norton and Avast) warns “the most dangerous attacks aren’t always the ones that sneak in unnoticed — they are often the ones that make you open the door yourself. Scam-Yourself Attacks rely on well-crafted social engineering tactics, designed to trick users into infecting their own devices.”

But again, while “ClickFix and FakeCaptcha continue to evolve,” including “interactive image-based CAPTCHAs mimicking the classical ‘select all the traffic lights’ puzzle,” the net result is the same. “After selecting the image, the user is once again redirected to the common set of malicious steps which result in infecting the user’s device.”


Here is a list of other websites to look out for:

