
New FileFix attack uses steganography to drop StealC malware


A newly discovered FileFix social engineering attack impersonates Meta account suspension warnings to trick users into unknowingly installing the StealC infostealer malware.

FileFix is a new variant of the ClickFix family of attacks, which use social engineering to trick users into pasting malicious commands into operating system dialog boxes as supposed "fixes" for problems.

The FileFix technique was created by red team researcher mr.d0x. Instead of convincing users to paste malicious PowerShell commands into the Windows Run dialog or a terminal, FileFix abuses the address bar in File Explorer to execute the commands.

This is not the first time FileFix has been used in attacks, with the Interlock ransomware gang previously using FileFix to install its remote access trojan (RAT). However, these earlier attacks utilized the original FileFix proof-of-concept (PoC), rather than evolving it with new lures.

New FileFix campaign

The new campaign, discovered by Acronis, uses a multi-language phishing page that poses as Meta's support team, warning recipients that their account will be disabled in seven days unless they view an "incident report" allegedly shared by Meta.

However, this report is not actually a document, but a disguised PowerShell command used to install malware on targets' devices.

The phishing page tells users to click the "Copy" button to copy what appears to be a file path, click the "Open File Explorer" button, and then paste the path into the File Explorer address bar to open the document.

However, clicking the Copy button actually copies a PowerShell command to the Windows clipboard, padded with spaces so that only the fake file path is visible when it is pasted into the File Explorer address bar.

"In order to trick the user into thinking that they are pasting the path to an 'incident report' PDF file, the attacker has placed a variable at the end of the payload, which contains a lot of spaces and the fake path at the end," explains Acronis.
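The two traits described above, a shell launched from the File Explorer address bar and a command line padded with spaces in front of a fake document path, are what a defender can look for in process-creation telemetry. The following detector is an added example, not code from the article or from Acronis; the event fields, the 20-space threshold, the shell image list and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Heuristics for the FileFix lure (assumptions, not the article's own guidance):
# 1. File Explorer (explorer.exe) spawning a command shell directly, which is what
#    happens when a command is pasted into the Explorer address bar.
# 2. A command line whose tail is a long run of spaces followed by a path that
#    looks like a document, so only the fake path is visible in the address bar.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PADDED_PATH_RE = re.compile(r"\s{20,}\S*\.(?:pdf|docx?|xlsx?)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def padded_fake_path(command_line: str) -> bool:
    """True if 20+ consecutive spaces are followed by a document-looking file name."""
    return PADDED_PATH_RE.search(command_line) is not None


def explorer_spawned_shell(event: ProcessEvent) -> bool:
    """True if File Explorer launched a command shell as its direct child."""
    return basename(event.parent_image) == "explorer.exe" and basename(event.image) in SHELL_IMAGES


def filefix_indicators(event: ProcessEvent) -> list[str]:
    reasons = []
    if explorer_spawned_shell(event):
        reasons.append("shell spawned by explorer.exe (address-bar execution)")
    if padded_fake_path(event.command_line):
        reasons.append("command line padded with spaces before a fake document path")
    return reasons


# Constructed sample events, not real telemetry: the first mimics the lure's shape with a
# harmless command, the second is an ordinary PowerShell launch from a terminal.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -c "Write-Host hi"' + " " * 60 + r"C:\Users\Public\Incident_Report.pdf"),
    ProcessEvent(r"C:\Windows\System32\WindowsTerminal.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"pwsh.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), "->", filefix_indicators(ev) or "clean")
```

The whitespace heuristic is a complement to the parent-process check, not a replacement: long runs of spaces do occur in legitimate command lines, so alert on the combination or correlate with clipboard activity from a browser.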
