Phishing, Threat Intelligence

ClickFix increasingly utilized in state-backed malware attacks

State-backed threat operations have increasingly used the ClickFix social engineering technique to facilitate malware infections over the past few months, reports The Hacker News.

North Korean hacking group TA427, also known as Kimsuky, launched a ClickFix phishing campaign against think tank organizations between January and February that facilitated the deployment of the Quasar RAT trojan, while Iran-linked threat operation TA450, also known as MuddyWater, used the technique to compromise organizations across various sectors worldwide in November, according to an analysis from Proofpoint. Meanwhile, UNK_RemoteRogue, which is suspected to be of Russian origin, harnessed ClickFix in intrusions last year that involved the use of breached Zimbra servers, said Proofpoint researchers, who also discovered that the group's infrastructure was similar to that of a phishing campaign aimed at Ukrainian entities. "Although not a persistently used technique, it is likely that more threat actors from North Korea, Iran, and Russia have also tried and tested ClickFix or may in the near future," said Proofpoint.
