Lucky Volunteer

The ClickFix technique is used by multiple different threat actors and can originate via compromised websites, documents, HTML attachments, malicious URLs, etc.

On 20 September 2024, Proofpoint researchers identified a campaign delivering Brute Ratel C4 and Latrodectus... and contained HTML attachments.

This dialog box includes instructions that appear to describe how to “fix” the problem, but will either: automatically copy and paste a malicious script into the PowerShell terminal, or the Windows Run dialog box, to eventually run a malicious script via PowerShell.

If the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script which used Bits transfer to download and run a malicious payload, suspected to be Lucky Volunteer.

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.

When opened, the HTML attachment displayed a dialogue box with instructions... When clicked, base64 encoded PowerShell was copied, and the user was presented with another dialogue box that instructed the user to open Run, paste, and execute the command.

If the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script which used Bits transfer to download and run a malicious payload, suspected to be Lucky Volunteer.

If the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script which used Bits transfer to download and run a malicious payload, suspected to be Lucky Volunteer.

If the user performed the requested steps, PowerShell code was executed to download an executable that led to the installation of Lumma Stealer.