A recent FileFix campaign has caught the attention of cybersecurity experts, showcasing a sophisticated attack strategy that conceals malicious scripts and executables within JPG images. This in-the-wild campaign, as detailed in a report by Acronis, tricks victims into pasting a malicious command into a file upload address bar, initiating a complex PowerShell chain that downloads and decrypts payloads hidden within images.
What sets this particular attack apart is its departure from the original proof of concept (POC). While ClickFix-style attacks have been on the rise, with a 500% increase recently, the FileFix campaign observed in the wild introduces new elements such as multilingual phishing pages, heavily obfuscated JavaScript code, and steganography techniques to obfuscate malicious code.
The phishing infrastructure used in this campaign mimics a Meta support page and guides users through a process that prompts them to paste a path in a file upload window, which is actually a payload. The site is available in 16 languages, indicating a global targeting strategy with multiple variants active over the past few weeks. This social engineering approach leverages common user behaviors, making it more convincing than traditional ClickFix attacks.
The attack chain starts with an obfuscated PowerShell script that downloads an image from BitBucket and extracts a second-stage script embedded within the image. This script uses encryption and compression techniques to extract and execute multiple files, ultimately leading to the deployment of StealC, an infostealer capable of extracting sensitive data from various applications and services.
To detect and mitigate such attacks, organizations are advised to enhance user training and implement technical defenses. Recommendations include educating users to avoid pasting commands into system dialogs, blocking specific processes launched from web browsers, and monitoring for unusual browser-child process activities. The rapid evolution of the FileFix campaign underscores the importance of staying vigilant and ensuring that users are equipped to recognize and respond to emerging attack techniques.
In conclusion, the FileFix campaign exemplifies the evolving landscape of cybersecurity threats, where attackers continually innovate to evade detection. By staying informed and implementing robust security measures, organizations can effectively defend against sophisticated attacks like FileFix.