Atos researchers have identified a new ClickFix attack that utilizes a modified version of the WorkFlowy application to act as a command and control beacon and a dropper for final malware payloads, as reported by The Hacker News.The attack begins with a phishing website mimicking a CAPTCHA, prompting users to press Win + R and paste a command. This command maps a network drive from an external server, executing a batch script. This script then downloads a ZIP archive, unpacks it, and runs a legitimate WorkFlowy application. However, the application's core logic has been tampered with by injecting malicious code into an ".asar" archive. This allows the malware to execute with user privileges before the legitimate application fully initializes, acting as a C2 beacon and exfiltrating victim data.The technique bypasses common security measures like Microsoft Defender for Endpoint by avoiding typical scripting engines and living-off-the-land binaries.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




