Russian Hacking Group Targets Ukrainian Organizations with Clickfix Technique
A prominent hacking group linked to the Russian government has recently deployed a sophisticated cyberattack technique known as Clickfix, which has raised alarms among cybersecurity experts in Ukraine. The country’s Computer Emergency Response Team (CERT) has issued warnings about this method, which is now being utilized to compromise devices connected to sensitive organizations.
Clickfix, a technique that gained traction over the past year primarily among financially motivated cybercriminals, involves the use of manipulated websites controlled by the attackers. When users visit these sites, they encounter a CAPTCHA that instructs them to copy a jumbled text and submit it into a command terminal. This text may contain malicious scripts designed to install malware or extract confidential data.
According to CERT, the notorious hacking unit Sandworm—affiliated with Russia’s military intelligence agency, the GRU—has adopted this technique in its operations. This development underscores the evolving landscape of cyber threats, particularly in light of ongoing geopolitical tensions.
The Clickfix attacks are not a recent phenomenon; they began in the spring and have persisted throughout the summer months. Reports indicate that at least one organization in Ukraine suffered network compromise due to this method, where a connected device was found to be infected by a custom malware variant known as FreakyPoll. Ukrainian investigators identified ten compromised websites that employed deceptive CAPTCHAs to trick users into executing harmful PowerShell commands.
These commands facilitate the execution of malicious Visual Basic scripts along with other intrusive software tailored by Sandworm. Upon entering the provided script, the initial malware typically functions as a reconnaissance tool that gathers vital information from the host device. Subsequent malware is then deployed to establish persistent access and conduct further exploitation.
For instance, the implanted command could involve actions such as loading and saving a VBS file in the system’s Startup directory. One notable variant associated with these operations has been dubbed GHETTOVIBE, while additional software tools like SCOUTCURL have been observed executing reconnaissance tasks. SCOUTCURL collects a range of information, including system characteristics, installed programs, and internet browsing data, which feeds into a broader understanding of the target’s infrastructure.
This incident highlights the importance of vigilance among organizations, particularly those operating within vulnerable sectors. It’s critical for business owners to recognize that the MITRE ATT&CK framework can provide valuable insights into the tactics and techniques employed by these adversaries. Techniques potentially utilized in these recent attacks include initial access through social engineering and subsequent persistence methods, underscoring the need for proactive cybersecurity measures and employee training.
In light of these developments, organizations must prioritize comprehensive cybersecurity strategies that encompass threat detection, incident response planning, and employee awareness training. The ongoing sophistication of cyberattacks serves as a stark reminder of the evolving nature of threats that can affect any organization, regardless of its sector.