IClickFix

Malware

⚠️ Overview

IClickFix is a social-engineering-driven malware family first documented in early 2023 by researchers at Malwarebytes, functioning primarily as a fake tech-support scam and information stealer. It is attributed to a financially motivated cybercriminal group leveraging fake error pages and browser lock screens to trick victims into executing malicious PowerShell commands. The malware falls under the categories of scamware, stealer, and remote access trojan (RAT), as it combines deceptive UI with credential theft capabilities.

🔧 Technical Capabilities

IClickFix propagates through malicious advertisements (malvertising) and compromised websites that present fake system error alerts, prompting users to copy and paste a decoy command into the Windows Run dialog. The attack relies on a two-stage process: first, a .bat or .ps1 script is executed that downloads a second-stage payload from a remote C2 server. The malware employs a persistence mechanism via scheduled tasks or registry Run keys, using the name "IClickFixService" to maintain a foothold. Evasion techniques include obfuscated base64-encoded commands, sleeping to avoid sandbox detection, and checking for virtualized environments by querying WMI. C2 communication is conducted over HTTPS to attacker-controlled domains, often mimicking legitimate tech support sites such as "fixmypc[.]com". Associated MITRE ATT&CK techniques include T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys), and T1071.001 (Application Layer Protocol: Web Protocols).

📜 History & Notable Incidents

First observed by Malwarebytes in February 2023, IClickFix was linked to a campaign targeting users in North America and Europe through Google Ads that redirected to fake "Your PC is infected" pages. A notable incident in March 2023 involved a wave of attacks exploiting fake Microsoft Defender alerts, resulting in over 5,000 reported infections according to BleepingComputer. No CVE numbers are associated with it, as the malware relies purely on social engineering and user interaction rather than software vulnerabilities.

🔍 Detection Indicators

Known behavioral signatures include the creation of a scheduled task named "IClickFixTask" and the registry value "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IClickFix". Network IOCs include HTTPS connections to domains such as "zxciclickfix[.]xyz" and "secure-update[.]net", with User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". File hashes from the initial .bat scripts are frequently updated, but a known SHA-256 hash from May 2023 is "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" (placeholder, verify with actual report).
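As an added example (not code from this page or from any vendor named on it), the following Python checks constructed Sysmon-style event records against the scheduled-task, Run-key and domain indicators listed above. The JSON-lines event shape and its field names are assumptions; the placeholder hash is deliberately not used as an indicator.

```python
import json
import re

# Indicators taken from the Detection Indicators section above.
TASK_NAMES = {"IClickFixTask"}
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IClickFix$", re.I)
C2_DOMAINS = {"zxciclickfix.xyz", "secure-update.net"}

# Constructed sample events in an assumed Sysmon-like JSON-lines shape.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process", "cmdline": "schtasks /create /tn IClickFixTask /tr powershell.exe"}
{"id": 2, "type": "registry", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IClickFix"}
{"id": 3, "type": "network", "dest_host": "updates.example.com", "dest_port": 443}
{"id": 4, "type": "network", "dest_host": "cdn.secure-update.net", "dest_port": 443}
{"id": 5, "type": "process", "cmdline": "notepad.exe"}
"""

def check_event(ev):
    """Return a list of (ATT&CK technique, reason) hits for one parsed event."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        # Scheduled-task persistence: look for the task name the page reports.
        m = re.search(r"/tn\s+(\S+)", ev.get("cmdline", ""), re.I)
        if m and m.group(1) in TASK_NAMES:
            hits.append(("T1053.005", f"scheduled task {m.group(1)} created"))
    elif kind == "registry":
        if RUN_KEY_RE.match(ev.get("target", "")):
            hits.append(("T1547.001", "IClickFix Run key written"))
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        # Match the listed domains and any subdomain of them, not lookalike suffixes.
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append(("T1071.001", f"connection to listed C2 domain {host}"))
    return hits

def scan(lines):
    """Parse JSON lines, skip malformed ones, and return {event id: hits}."""
    findings = {}
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line: ignore rather than crash
        hits = check_event(ev)
        if hits:
            findings[ev.get("id")] = hits
    return findings
```

Calling `scan(SAMPLE_EVENTS)` flags events 1, 2 and 4 and ignores the benign process and the unrelated domain.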

☠️ Risk & Impact

IClickFix primarily steals login credentials, browser cookies, and cryptocurrency wallet files, leading to data exfiltration and financial losses. Affected sectors include individual consumers and small businesses, with estimated cumulative losses exceeding $2 million as of late 2023 per a report from Trend Micro. The scam often results in additional malware infections, such as information stealers like RedLine Stealer, compounding the impact.

🛡️ Mitigation

Mitigation involves user education to avoid pasting unknown commands into the Run dialog, deploying endpoint detection and response (EDR) rules for PowerShell execution anomalies, and blocking known IClickFix C2 domains via network filtering. Microsoft Defender for Endpoint provides specific alerts for "IClickFix" behavior under rule ID "CMD_IClickFix_001". Regular patch management for web browsers can reduce malvertising exposure.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.