ClickFix ’n’ Steal: When “Verify You’re Human”
The Funny Summary
This one’s the cyber equivalent of a dodgy bouncer outside a perfectly normal WordPress site: “Just tick this totally-legit Cloudflare box, mate.” Next thing you know, the page has been overwritten by a fake verification prompt, your clipboard gets “helpfully” loaded with a PowerShell command, and you’re being sweet‑talked into running it as admin—because nothing says “security” like DIY malware installation. The payoff for the attacker is Vidar Stealer, a Windows info‑stealer that nicks credentials, browser data, crypto wallets and system info, then chats back to its command‑and‑control using web traffic that tries to blend in.
The (5) Takeaways
What’s happening (AU focus): ASD’s ACSC has observed ClickFix activity using compromised WordPress infrastructure to distribute Vidar Stealer, targeting Australian infrastructure and organisations across multiple sectors.
The trick (social engineering): The technique relies on deceptive verification prompts—fake CAPTCHAs—to convince users to execute malicious commands or scripts, using user-driven execution to bypass some preventative controls.
How the chain starts (compromised sites): Attackers inject a malicious payload delivery domain into a compromised website, load JavaScript from an external API server, and overwrite the legitimate page content to present a fraudulent Cloudflare verification prompt.
Clipboard + “run as admin” = trouble: The malicious JavaScript retrieves additional content (including a PowerShell command), copies it to the user’s clipboard, then prompts the user to manually execute it with administrative privileges.
Why Vidar matters (impact): Vidar Stealer can exfiltrate credentials, browser data, cryptocurrency wallets, and system information—enabling follow‑on malicious activity; ACSC notes it primarily targets Windows systems.
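The chain in the takeaways above (an injected external script, overwritten page content, a fake Cloudflare verification prompt, and a PowerShell command written to the clipboard) is a pattern a site owner can check their own rendered pages for. The scanner below is an added example written for this post, not ACSC's code or tooling: it takes a page's HTML and the site's own hostname, flags each of those four indicators, and only calls a page "likely ClickFix" when a clipboard write appears together with a verification lure or a PowerShell string. The two sample pages, the hostnames (`www.acme-blog.example`, `api.attacker-placeholder.example`) and the `PLACEHOLDER_COMMAND` string are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed samples: a clean WordPress front page and the same page carrying
# the kind of injection described in the advisory. Hostnames and the command
# are placeholders, not real indicators.
SITE_HOST = "www.acme-blog.example"  # assumption: the site being checked

CLEAN_PAGE = """<html><head><title>Acme Blog</title>
<script src="https://www.acme-blog.example/wp-includes/js/jquery.js"></script>
</head><body><h1>Welcome</h1><p>Latest posts</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Acme Blog</title>
<script src="https://www.acme-blog.example/wp-includes/js/jquery.js"></script>
<script src="https://api.attacker-placeholder.example/v1/loader.js"></script>
</head><body>
<script>
document.body.innerHTML = '<div id="cf">Verify you are human - Cloudflare</div>';
navigator.clipboard.writeText('powershell.exe PLACEHOLDER_COMMAND');
</script>
</body></html>"""

# Indicator patterns, one per step of the chain.
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
OVERWRITE_RE = re.compile(
    r"document\.(?:body|documentElement)\.innerHTML\s*=|document\.write\s*\(", re.I)
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
VERIFY_RE = re.compile(r"verify (?:you(?:'re| are) )?human|cloudflare", re.I)
POWERSHELL_RE = re.compile(r"powershell(?:\.exe)?\b|\bpwsh\b", re.I)


def external_script_hosts(html, site_host):
    """Return hostnames of <script src> tags that do not belong to the site.
    A production scanner would also allowlist the CDNs the site legitimately uses."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


def analyse(html, site_host):
    """Collect the four ClickFix indicators for one page and assign a verdict."""
    findings = {}
    ext = external_script_hosts(html, site_host)
    if ext:
        findings["external_script"] = ext          # step 1: injected loader domain
    if OVERWRITE_RE.search(html):
        findings["page_overwrite"] = True          # step 2: page content replaced
    if VERIFY_RE.search(html):
        findings["verification_lure"] = True       # step 3: fake CAPTCHA wording
    if CLIPBOARD_RE.search(html):
        findings["clipboard_write"] = True         # step 4: command pushed to clipboard
    if POWERSHELL_RE.search(html):
        findings["powershell_string"] = True       # step 4: the command itself

    # Clipboard write plus a lure or a shell string is the strongest signal;
    # an external script or overwrite alone is common enough to only warrant review.
    if findings.get("clipboard_write") and (
            findings.get("verification_lure") or findings.get("powershell_string")):
        findings["verdict"] = "likely_clickfix"
    elif findings:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


def scan_pages(pages, site_host):
    """Scan a {name: html} mapping and return {name: verdict} for quick triage."""
    return {name: analyse(html, site_host)["verdict"] for name, html in pages.items()}


if __name__ == "__main__":
    for name, html in {"clean": CLEAN_PAGE, "injected": INJECTED_PAGE}.items():
        print(name, analyse(html, SITE_HOST))
```

Run it over HTML saved from the live site (the rendered page as a browser sees it, not only the theme files on disk, because the injected loader may rewrite the page client-side) and treat any `likely_clickfix` hit as a compromised-site incident rather than a false positive to tune away; the `review` verdict exists so that a legitimate third-party script does not get lost in the noise.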
The Long Boring Article
Reference:
ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure