HeadlinesBriefing favicon HeadlinesBriefing.com

Russian Hackers Use Clickfix Attack

Ars Technica •
×

One of Russia's elite hacking groups, Sandworm, has adopted a technique known as Clickfix to compromise devices in Ukraine. This method involves attackers controlling websites that display a fake CAPTCHA, prompting visitors to copy and paste text into their terminal.

This text, however, contains malicious scripts designed to install malware or exfiltrate data. Ukraine's CERT center warns that Sandworm, part of Russia's military intelligence, has been employing Clickfix since spring, leading to network compromises. One such incident involved a device infected with Freaky Poll, a Sandworm custom malware package.

Ukrainian authorities identified 10 compromised websites displaying PowerShell commands as part of the fake CAPTCHA. Upon execution, these scripts could install malicious Visual Basic scripts and other malware, including reconnaissance programs that gather system information. Important machines would then receive further malware to backdoor the system. Tools like GHET TOVIBE and SCOUTCURL were identified as part of these malicious campaigns.