ClickFix Social Engineering Attacks and Vidar Stealer Protection
Learn how to block ClickFix social engineering attacks and Vidar Stealer malware. Technical guide and prevention steps.
Overview
The Australian Cyber Security Centre (ACSC) has warned of a new social engineering campaign targeting organizations, known as 'ClickFix'. The technique tricks users into running the Vidar Stealer malware themselves by making them believe they are applying a legitimate bug fix. Vidar Stealer is an information stealer that harvests browser data, cryptocurrency wallets, and sensitive system information.
Attack Mechanism
Attackers display a fake error message in the victim's browser. The message tells the user that he or she must run a script to 'fix' the error. When the user copies the supplied PowerShell command, pastes it and runs it, Vidar Stealer is loaded in the background.
Solution and Defense Steps
- PowerShell Restrictions: Restrict the use of PowerShell in corporate environments or allow only signed scripts to run.
- Email Filtering: Use advanced email security gateways to block phishing emails that carry 'ClickFix' templates.
- Endpoint Protection (EDR): Configure EDR solutions to monitor and block suspicious PowerShell processes.
Sample PowerShell Restriction Command
The following command blocks unsigned scripts from running by changing PowerShell's execution policy to 'AllSigned':
Set-ExecutionPolicy AllSigned -Scope LocalMachine

Warning: PowerShell restrictions may affect how your system management tools work. Verify the change in a test environment before deploying it.
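The script below is an added example, not code from the article or from ACSC. It wraps the execution-policy change in a function that supports a dry run, reports the resulting state, and also enables PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). That second step matters because the execution policy only governs script files: a command pasted into a console or passed with -EncodedCommand, which is how ClickFix delivers its payload, is not stopped by AllSigned, but with script block logging on it still leaves a record. The registry path used is the standard Group Policy location for that setting; the script assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the original article): audit and harden PowerShell
# on a Windows host. Assumes an elevated Windows PowerShell 5.1+ session.
# Registry path below is the Group Policy location for script block logging.

$ScriptBlockLoggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-PowerShellHardeningState {
    # Report the execution policy at each relevant scope plus the logging switch.
    $sbl = if (Test-Path $ScriptBlockLoggingKey) {
        (Get-ItemProperty -Path $ScriptBlockLoggingKey).EnableScriptBlockLogging
    } else { $null }

    [pscustomobject]@{
        MachinePolicy      = Get-ExecutionPolicy -Scope MachinePolicy
        LocalMachinePolicy = Get-ExecutionPolicy -Scope LocalMachine
        Effective          = Get-ExecutionPolicy
        ScriptBlockLogging = $sbl   # 1 = enabled, 0 = disabled, $null = not configured
    }
}

function Set-PowerShellHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Only signed script files may run (the setting discussed in the article).
    #    Note: this does not restrict commands typed or pasted interactively,
    #    nor commands passed with -Command / -EncodedCommand.
    if ($PSCmdlet.ShouldProcess('LocalMachine', 'Set execution policy to AllSigned')) {
        Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    }

    # 2. Record the content of every script block that executes (Event ID 4104),
    #    so a pasted ClickFix command is logged even when it arrives base64-encoded.
    if ($PSCmdlet.ShouldProcess($ScriptBlockLoggingKey, 'Enable script block logging')) {
        New-Item -Path $ScriptBlockLoggingKey -Force | Out-Null
        Set-ItemProperty -Path $ScriptBlockLoggingKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
}

# Usage:
#   Set-PowerShellHardening -WhatIf     # dry run: shows what would change
#   Set-PowerShellHardening             # apply
#   Get-PowerShellHardeningState        # verify
```

Run it with -WhatIf first, as the article's warning suggests, and compare the output of Get-PowerShellHardeningState before and after. If MachinePolicy already shows a value other than Undefined, a Group Policy is in force and the local change will be overridden by it.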
Detection and Monitoring
Examine system logs to detect attacks. In particular, check whether powershell.exe processes are running with unusual parameters (for example -nop -w hidden -enc).
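As an added example (not code from the article), the following PowerShell classifies process command lines by the parameters the article lists, decodes any -EncodedCommand payload so an analyst can read what was actually run, and optionally applies the same check to real process-creation events (Security log Event ID 4688). The sample command lines are constructed for the example; the encoded one is built at run time from a harmless string. Reading 4688 command lines assumes that "Audit Process Creation" and "Include command line in process creation events" are enabled on the host, and the two-indicator threshold is a tuning assumption rather than a fixed rule.

```powershell
# Added example (not from the original article): flag PowerShell launches that
# use the parameter combination the article describes (-nop -w hidden -enc) and
# decode the encoded payload for inspection.

function Test-SuspiciousPowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $indicators = @()
    if ($CommandLine -match '(?i)-nop(rofile)?\b')                 { $indicators += 'NoProfile' }
    if ($CommandLine -match '(?i)-w(indowstyle)?\s+hidden')        { $indicators += 'HiddenWindow' }
    if ($CommandLine -match '(?i)-e(p|xecutionpolicy)\s+bypass')   { $indicators += 'ExecutionPolicyBypass' }
    if ($CommandLine -match '(?i)\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr|irm)\b') {
        $indicators += 'DownloadOrEval'
    }

    $decoded = $null
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...).
    if ($CommandLine -match '(?i)-e(c|n|nc|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
        $indicators += 'EncodedCommand'
        try {
            # The encoded payload is base64 over a UTF-16LE string.
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches.b64))
        } catch {
            $decoded = '<not valid base64>'
        }
    }

    [pscustomobject]@{
        Suspicious  = ($indicators.Count -ge 2)   # threshold is a tuning assumption
        Indicators  = $indicators
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

function Get-SuspiciousPowerShellEvents {
    # Apply the same check to Security log 4688 events. Requires process creation
    # auditing with command-line inclusion, otherwise CommandLine is empty.
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $time = $_.TimeCreated
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $proc = ($data | Where-Object Name -eq 'NewProcessName').'#text'
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and $proc -match '(?i)\\(powershell|pwsh)\.exe$') {
                Test-SuspiciousPowerShellCommandLine -CommandLine $cmd |
                    Where-Object Suspicious |
                    Add-Member -NotePropertyName Time -NotePropertyValue $time -PassThru
            }
        }
}

# Constructed sample command lines (not real telemetry). The encoded one is
# generated here from a harmless string so the example stays self-contained.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Host 'constructed sample'"))
$samples = @(
    'powershell.exe -File C:\Scripts\inventory.ps1',        # benign: no indicators
    'powershell.exe -NoProfile -Command Get-Date',           # one indicator, below threshold
    "powershell.exe -nop -w hidden -enc $encoded"            # three indicators: flagged
)
$samples | ForEach-Object { Test-SuspiciousPowerShellCommandLine $_ } |
    Format-Table Suspicious, Indicators, Decoded -AutoSize
```

The decoded text is what should go into the incident record: the base64 string alone tells an analyst nothing, while the decoded command shows whether the launch was a legitimate automation task or a loader. On a live host, Get-SuspiciousPowerShellEvents returns only the flagged launches with their timestamps.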
You can also use the following command to monitor suspicious network connections:
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'}

This type of attack proves once again that user awareness is as important as technical measures. Train your staff regularly never to run 'error-fixing' commands presented to them by a web page.
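The Get-NetTCPConnection output above only shows addresses and process IDs. The added example below (not code from the article) joins each established connection to its owning process and keeps only those made by powershell.exe or pwsh.exe, optionally just the ones to non-private addresses, which is the pattern a freshly launched stealer would produce. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later); the private-address test covers RFC 1918, loopback and link-local ranges and treats everything else as external.

```powershell
# Added example (not from the original article): established TCP connections
# with owning process, filtered to PowerShell and optionally to external hosts.
# Assumes the NetTCPIP module shipped with Windows 8 / Server 2012 and later.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback and link-local (v4 and v6); anything else counts as external.
    return $Address -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:)'
}

function Get-PowerShellNetworkConnections {
    param([switch]$ExternalOnly)

    # Build a PID -> process lookup once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                Process       = if ($p) { $p.ProcessName } else { '<unknown>' }
                PID           = $_.OwningProcess
                Path          = if ($p) { $p.Path } else { $null }
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                External      = -not (Test-PrivateAddress $_.RemoteAddress)
            }
        } |
        Where-Object {
            $_.Process -match '^(powershell|pwsh)$' -and (-not $ExternalOnly -or $_.External)
        }
}

# Usage:
#   Get-PowerShellNetworkConnections                 # all PowerShell connections
#   Get-PowerShellNetworkConnections -ExternalOnly   # only those leaving the private network
```

Run the -ExternalOnly form on a host where a user has just reported a browser 'fix' prompt: a PowerShell process holding an established connection to an external address, especially one started from a hidden window, is the combination the article's detection section describes and should be escalated rather than dismissed.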