In a concerning development, Ukraine’s cybersecurity authorities have reported that one of Russia’s elite hacking groups, known as Sandworm, is employing a novel attack technique called Clickfix. This tactic primarily targets sensitive organizations within Ukraine and has raised alarms due to its sophisticated approach to compromising devices.
The Rise of Clickfix
Clickfix has gained traction in the cybercriminal landscape over the past year, primarily among financially motivated adversaries. According to Ukraine’s Computer Emergency Response Team (CERT), the technique employs a deceptive CAPTCHA mechanism to lure users into executing malicious scripts. When a user visits an infected website, they encounter a CAPTCHA that instructs them to copy and paste a jumbled text. This text contains scripts that, upon execution, lead to the installation of malware or the exfiltration of sensitive information.
COMPROMISES AND MALWARE DEPLOYMENT
Since its emergence in spring, Clickfix has successfully breached at least one prominent organization, unveiling a significant compromise of connected devices. This breach was tied to a custom malware strain named FreakyPoll, which is part of Sandworm’s arsenal. Ukrainian authorities discovered approximately ten websites that employed a fake CAPTCHA mechanism, which showcased a PowerShell command designed to deceive users into executing it as a part of the CAPTCHA validation process.
Understanding the Attack Flow
Once a user enters the malicious script, serious repercussions unfold. The script deploys various malicious Visual Basic scripts, which then introduce a range of Sandworm malware onto the device. The initial wave of malware typically includes reconnaissance tools aimed at gathering intelligence from the infected system. Following this reconnaissance phase, systems considered critical may be subjected to further intrusions via follow-on malware.
Malicious Capabilities of Sandworm
The advisory from Ukraine’s CERT elaborates on the capabilities of the malicious software employed in these attacks. For instance, one command could manipulate files in the Startup directory, while others were tailored to determine the importance of the infected machine. The tool known as GHETTOVIBE, for example, was designed to load and save files based on the specific configurations of the target device. Another tool named SCOUTCURL is utilized for basic reconnaissance, gathering vital information such as system characteristics, installed programs, and even browser data, all of which are subsequently exfiltrated for malicious use.
Cybersecurity experts around the world stress the importance of remaining vigilant against such advanced persistent threats. Sandworm’s Clickfix attacks illustrate not only the sophistication of contemporary cyberattacks but also the evolving methods used by nation-state actors to infiltrate networks and compromise critical infrastructures.
For more detailed insights on Sandworm and their tactics, visit the source: Here.
Image Credit: arstechnica.com






