
Secretive FileFix Campaign Utilizes Hidden Messages and Multiple Stage Payloads

Campaign camouflages PowerShell scripts and encrypted executables within JPG images through multilingual phishing techniques


In a recent development, a rare instance of the FileFix campaign has been observed in the wild. This particular deployment deviates from the original attack proof of concept (POC), marking a significant evolution in the malicious activity.

The new campaign employs a heavily obfuscated PowerShell chain that downloads and parses images to extract payloads. The images, in this case, hide a second-stage PowerShell script and encrypted executables. The obfuscated PowerShell one-liner in the attack chain reconstructs variables, downloads an image hosted on BitBucket, and extracts a plaintext second-stage script from a defined byte range.

The phishing site mimics a Meta support page and pressures users into an appeal flow that asks them to 'open File Explorer' and paste a path that is actually a payload. Once executed via conhost.exe, the extracted files lead to the deployment of StealC, an infostealer capable of harvesting data from browsers, cryptocurrency wallets, messaging apps, and cloud services. StealC can also act as a downloader, giving attackers flexibility to deliver additional malware.

Attackers are blending social engineering, obfuscation, and steganography to make detection more difficult. The site includes translations for 16 languages, and multiple variants have been active in the last two weeks.

The Federal Office for Information Security (BSI) in Germany, an organization that specializes in cybersecurity, has reported on this new threat in an advisory. Key recommendations from Acronis researchers include teaching users to avoid pasting commands into system dialogs or file upload address bars, blocking PowerShell, CMD, MSIEXEC or MSHTA processes launched from web browsers, and monitoring for unusual browser-child process activity across endpoints.
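A detection rule for the last two recommendations, as an added example (not Acronis or BSI tooling): it flags PowerShell, CMD, MSIEXEC or MSHTA processes whose parent chain leads back to a browser, and, as an assumption, treats conhost.exe as a pass-through host so the conhost-launched chain described above is still attributed to the browser. The browser list and the sample process events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Browsers, and the script hosts the text recommends blocking when a browser launches them.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "mshta.exe"}
# Assumption: conhost.exe is a pass-through host, so browser -> conhost.exe -> powershell.exe
# (the launch path the article describes) is still attributed to the browser.
PASS_THROUGH = {"conhost.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename as process telemetry reports it
    cmdline: str

def browser_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                     max_depth: int = 5) -> Optional[ProcEvent]:
    """Walk up through pass-through hosts only; return the launching browser or None."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return None
        name = cur.image.lower()
        if name in BROWSERS:
            return cur
        if name not in PASS_THROUGH:
            return None      # any other ancestor breaks the browser attribution
        cur = by_pid.get(cur.ppid)
    return None

def detect(events: List[ProcEvent]) -> List[Tuple[str, str, int]]:
    """Return (browser, child, child_pid) for each suspect child reachable from a browser."""
    by_pid = {e.pid: e for e in events}
    return [(p.image, e.image, e.pid) for e in events
            if e.image.lower() in SUSPECT_CHILDREN
            and (p := browser_ancestor(e, by_pid)) is not None]

# Constructed sample telemetry for this demonstration; not captured data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe", "chrome.exe"),
    ProcEvent(201, 200, "chrome.exe", "chrome.exe --type=renderer"),  # ordinary browser child
    ProcEvent(300, 200, "conhost.exe", "conhost.exe"),
    ProcEvent(301, 300, "powershell.exe", "powershell.exe -Command <constructed>"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe"),  # user's own shell, not from a browser
    ProcEvent(500, 200, "mshta.exe", "mshta.exe <constructed>"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the conhost-relayed PowerShell and the MSHTA child of the browser, while the renderer process and the Explorer-launched shell pass.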

ClickFix-style attacks, of which FileFix is a variant, have increased dramatically by over 500% recently. The original FileFix proof of concept was published in early July by researcher Mr. d0x. This instance of the campaign underscores the rapid evolution of FileFix from a proof of concept to an active threat.

Security teams must stay alert and ensure users understand these emerging *Fix attack techniques. The unpredictable nature of these attacks underscores the importance of robust cybersecurity measures and ongoing user education.
