- Researchers from Hunt.io saw a Linux-based ClickFix attack
- At the moment, it is still harmless
- The researchers believe a Pakistani threat actor is behind the attacks
ClickFix, a type of attack that tricks people into running console commands to download malware, thinking they’re fixing a problem, is evolving once again.
This time, cybersecurity researchers from Hunt.io said they spotted the attack targeting Linux devices, as well.
Originally, ClickFix was designed for Windows devices but has, at some point, expanded into macOS, as well. Linux was, for the most part, spared. Until now.
ClickFix strikes Linux
ClickFix works in a simple way - a website is compromised and used to show a popup. That popup usually tells the visitor that they need to “update” their browser to view the content, or pass a CAPTCHA test to confirm that they’re human.
That “update” or “verification” process requires the user to copy a command to the clipboard, bring up the Run program (on Windows), paste and run it. It may sound like a stretch, but it’s relatively successful, since many cybersecurity companies have been warning about new ClickFix campaigns emerging left and right.
Hunt.io has attributed this newest string of attacks to a Pakistani threat actor called APT36, or Transparent Tribe. It uses a fake Ministry of Defense of India website, containing a link to a fake press release. When a victim tries to navigate to the press release, the site analyzes their OS, and then redirects them to the corresponding attack flow.
For Linux, the victims are redirected to a CAPTCHA page that copies a shell command when they click the “I’m not a robot” button. They are then asked to press ALT+F2 to bring up the Linux run dialog, and paste and run the command.
The good news is that the attack was spotted while still in experimental phase, meaning it hasn’t caused any significant damage, yet. Apparently, all the shell command does is download a harmless JPEG file. Things could turn sour at any point, however.
"No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution," the researchers explained.
Via BleepingComputer
You might also like
- US deportation airline GlobalX website defaced by hackers, data stolen
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
