Malware, Threat Intelligence

New ClickFix attack leverages WorkFlowy for stealthy malware delivery

Atos researchers have identified a new ClickFix attack that utilizes a modified version of the WorkFlowy application to act as a command and control beacon and a dropper for final malware payloads, as reported by The Hacker News.

The attack begins with a phishing website mimicking a CAPTCHA, prompting users to press Win + R and paste a command. This command maps a network drive from an external server, executing a batch script. This script then downloads a ZIP archive, unpacks it, and runs a legitimate WorkFlowy application. However, the application's core logic has been tampered with by injecting malicious code into an ".asar" archive. This allows the malware to execute with user privileges before the legitimate application fully initializes, acting as a C2 beacon and exfiltrating victim data.

The technique bypasses common security measures like Microsoft Defender for Endpoint by avoiding typical scripting engines and living-off-the-land binaries.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds