Ethical Hacking News
A new social engineering campaign using steganography has been discovered, tricking users into installing the StealC infostealer malware on their devices. Stay ahead of the threat by understanding the tactics behind FileFix and how you can protect yourself.
The FileFix attack represents a significant advancement in social engineering tactics, leveraging steganography to trick users into installing malware on their devices. The attack is a variant of the ClickFix family, but has the victim execute a PowerShell command by pasting it into the File Explorer address bar. The phishing page tricks users into clicking a "Copy" button, which places a PowerShell command padded with spaces into the Windows clipboard. The attackers put a variable at the end of the payload so that the victim believes they are pasting a harmless file path and never sees the malicious command. The FileFix campaign uses steganography to hide malware inside what appears to be a harmless JPG image hosted on Bitbucket. The final payload is the StealC infostealer, designed to steal various types of data from infected devices.
The world of cybersecurity is ever-evolving, and a new threat has emerged that showcases the cunning and creativity of cyber attackers. The newly discovered FileFix attack represents a significant advancement in social engineering tactics, leveraging the power of steganography to trick users into installing malware on their devices.
According to recent reports from Lawrence Abrams, a renowned expert in Windows and malware removal, the FileFix attack is a variant of the ClickFix family of attacks. Like its predecessors, it relies on the victim pasting and executing an attacker-supplied command, but FileFix abuses the File Explorer address bar to get the victim to execute PowerShell commands.
The attack begins with an email or message that appears to be from Meta's support team, warning recipients that their account will be disabled in seven days unless they view an "incident report" allegedly shared by Meta. However, this report is not actually a document but rather a disguised PowerShell command designed to install malware on the target device.
The phishing page tells users to click the "Copy" button to copy what appears to be a file path, click an "Open File Explorer" button, and then paste the path into the File Explorer address bar to open the document. However, clicking the Copy button actually copies a PowerShell command padded with many spaces into the Windows clipboard, so that only the fake file path is visible once it is pasted into the address bar.
The attacker appends a variable to the end of the payload whose value is a long run of spaces followed by the fake path. This tricks the user into thinking they are pasting the path to an "incident report" PDF file, without revealing any malicious commands. Using a variable rather than the # symbol, which PowerShell would treat as a comment, adds a further layer of deception.
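The padding trick described above leaves a recognisable fingerprint in process-creation telemetry: the recorded command line contains PowerShell indicators, then a long run of whitespace, then a document-looking path at the very end. The following Python is an added detection example written for this article; it is not code from the original report, from Acronis, or from the campaign. The event records are constructed here in a Sysmon-like shape, and the assumption that a paste executed from the File Explorer address bar shows up with explorer.exe as the parent process is an assumption of this example, not something the article states.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
# The first one mimics the FileFix padding pattern with a harmless command
# (Write-Host) standing in for the real first stage.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Write-Host benign-test"; $decoy = "'
                + " " * 200 + 'C:\\Users\\Public\\incident_report.pdf"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent": "cmd.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\Public\\notes.txt"},
]

# Substrings that mark a command line as PowerShell-driven (case-insensitive).
PS_INDICATORS = ("powershell", "pwsh", "iex ", "invoke-expression",
                 "invoke-webrequest", "downloadstring", "frombase64string")
# A whitespace run long enough to push the real command out of a narrow text box.
PADDING = re.compile(r"[ \t]{20,}")
# A decoy ending in a document-style path, optionally closed by a quote.
DECOY_PATH = re.compile(r"(?i)[A-Z]:\\[^\"']*\.(pdf|docx?|xlsx?|txt)\s*[\"']?\s*$")


def analyze_cmdline(cmdline: str) -> dict:
    """Split a command line on the first long whitespace run and report whether
    the hidden prefix is PowerShell and the visible suffix is a decoy path."""
    lower = cmdline.lower()
    pad = PADDING.search(cmdline)
    hidden = cmdline[:pad.start()].rstrip() if pad else ""
    visible = cmdline[pad.end():].strip().strip("\"'") if pad else ""
    result = {
        "powershell_indicator": any(s in lower for s in PS_INDICATORS),
        "long_whitespace_run": pad is not None,
        "decoy_path_after_padding": bool(pad and DECOY_PATH.search(cmdline[pad.end():])),
        "hidden_command": hidden,     # what the victim never saw in the address bar
        "visible_decoy": visible,     # what the victim believed they were pasting
    }
    result["suspicious"] = (result["powershell_indicator"]
                            and result["long_whitespace_run"]
                            and result["decoy_path_after_padding"])
    return result


def triage_events(events: list) -> list:
    """Return the records matching the padding pattern, annotated for an analyst.
    explorer.exe as parent raises confidence (assumption: address-bar pastes
    are spawned by explorer.exe) but is not required for a hit."""
    hits = []
    for ev in events:
        r = analyze_cmdline(ev["cmdline"])
        if r["suspicious"]:
            hits.append({**ev,
                         "hidden_command": r["hidden_command"],
                         "decoy": r["visible_decoy"],
                         "parent_is_explorer": ev["parent"].lower() == "explorer.exe"})
    return hits


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"[{hit['image']} <- {hit['parent']}] decoy={hit['decoy']!r} "
              f"hidden={hit['hidden_command']!r}")
```

The split on the first long whitespace run is what makes the rule useful for triage: the analyst gets the command the victim actually ran separated from the path they thought they were opening, which is a far stronger signal than either a generic "powershell launched" alert or a whitespace-only heuristic.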
This FileFix campaign stands out from its predecessors because it uses steganography to hide both a second-stage PowerShell script and encrypted executables inside what appears to be a harmless JPG image hosted on Bitbucket. The first-stage PowerShell command, unknowingly entered by the target, downloads the image and extracts the embedded secondary script, which then decrypts the payloads in memory.
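The article does not say how the script and executables were embedded in the image, so the following is a generic check rather than a description of this campaign's stego format: it walks the JPEG marker structure to find the real end of the image and reports anything appended after the EOI marker, which is one common way a "harmless" picture ends up carrying a script. This is an added Python example written for this article, not code from the original report or from the campaign; the JPEG built by `constructed_jpeg` is a constructed minimal stand-in and the keyword list is this example's own assumption.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# Assumed keywords that would make appended text look like a PowerShell stage.
SCRIPT_KEYWORDS = (b"powershell", b"invoke-", b"frombase64string", b"iex ", b"write-host")


def find_eoi_offset(data: bytes) -> int:
    """Walk JPEG segments and return the offset just past the EOI marker.
    Raises ValueError when the data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if 0xD0 <= marker <= 0xD7:       # RSTn markers carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
        if marker == SOS:
            # Skip entropy-coded data: 0xFF00 is a stuffed byte and 0xFFD0-D7 are
            # restart markers; any other 0xFFxx ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def inspect_image(data: bytes) -> dict:
    """Report bytes appended after EOI and whether they look like script text."""
    tail = data[find_eoi_offset(data):]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in tail)
    is_text = bool(tail) and printable / len(tail) > 0.9
    has_keywords = any(k in tail.lower() for k in SCRIPT_KEYWORDS)
    return {
        "trailing_length": len(tail),
        "trailing_is_text": is_text,
        "contains_script_keywords": has_keywords,
        "suspicious": len(tail) > 0 and (is_text or has_keywords),
    }


def constructed_jpeg(trailer: bytes = b"") -> bytes:
    """Build a minimal, syntactically valid JPEG (constructed, not a real photo)
    with an optional payload appended after EOI."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"        # entropy data including a stuffed 0xFF00
    return soi + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    clean = constructed_jpeg()
    stego = constructed_jpeg(b"Write-Host 'constructed stego test'\r\n")
    print("clean:", inspect_image(clean))
    print("stego:", inspect_image(stego))
```

Walking the markers instead of searching for the last `FF D9` in the file matters: an appended payload can itself contain that byte pair, and a naive search would then hide the trailer instead of exposing it. Payloads hidden inside the pixel data rather than appended would need a different check; this one only answers the narrow question of whether the file carries anything beyond the image.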
The final payload is the StealC infostealer malware, designed to steal various types of data from infected devices, including:
* Credentials and authentication cookies from web browsers (Chrome, Firefox, Opera, Tencent, etc.)
* Credentials from messaging apps (Discord, Telegram, Tox, Pidgin)
* Cryptocurrency wallets (Bitcoin, Ethereum, Exodus, etc.)
* Cloud credentials (AWS, Azure)
* VPN and gaming apps (ProtonVPN, Battle.net, Ubisoft)
* Screenshots of the active desktop
It is worth noting that multiple variants of this campaign were observed over two weeks, using different payloads, domains, and lures. The attackers are continually adapting and improving their tactics, making it essential for organizations to stay vigilant.
Acronis reports that throughout the investigation, they uncovered several iterations of the attack, tracing out an evolution of both the social engineering technique and the more technical aspects of the attack. While some may view this as indicative of an attacker testing out an infrastructure they plan to use in the future or iterating on an existing attack mid-campaign, others see it as a clear example of the escalating complexity of social engineering attacks.
Regardless of the motivations behind the FileFix campaign, one thing is certain: users must be more aware than ever of these new tactics. As ClickFix and FileFix techniques continue to evolve, organizations need to educate their employees on these emerging threats and provide them with the tools necessary to recognize and respond to them effectively.
In conclusion, the newly discovered FileFix attack showcases a sophisticated and creative approach to social engineering, leveraging steganography to trick users into installing malware. As this threat continues to spread, it is crucial for organizations and individuals alike to stay informed and take proactive steps to protect themselves against these evolving attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-FileFix-Attack-A-Sophisticated-Social-Engineering-Campaign-Using-Steganography-to-Drop-Malware-ehn.shtml
Published: Tue Sep 16 07:51:39 2025 by llama3.2 3B Q4_K_M