Potential ClickFix Execution Pattern - Registry

 1title: Potential ClickFix Execution Pattern - Registry
 2id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
 3related:
 4    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
 5      type: similar
 6status: experimental
 7description: |
 8    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
 9    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
10    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
11    such as one-liners that execute remotely hosted malicious files or scripts.    
12references:
13    - https://github.com/JohnHammond/recaptcha-phish
14    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
15    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
16    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
17    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
18    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
19    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
20    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
21author: Swachchhanda Shrawan Poudel (Nextron Systems)
22date: 2025-03-25
23tags:
24    - attack.execution
25    - attack.t1204.001
26logsource:
27    category: registry_set
28    product: windows
29detection:
30    selection_registry:
31        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
32    selection_details:
33        Details|contains:
34            - 'http://'
35            - 'https://'
36    selection_susp_pattern:
37        - Details|contains:
38              # Add more suspicious keywords
39              - 'account'
40              - 'anti-bot'
41              - 'botcheck'
42              - 'captcha'
43              - 'challenge'
44              - 'confirmation'
45              - 'fraud'
46              - 'human'
47              - 'identificator'
48              - 'identity'
49              - 'robot'
50              - 'validation'
51              - 'verification'
52              - 'verify'
53        - Details|contains:
54              - '%comspec%'
55              - 'bitsadmin'
56              - 'certutil'
57              - 'cmd'
58              - 'cscript'
59              - 'curl'
60              - 'mshta'
61              - 'powershell'
62              - 'pwsh'
63              - 'regsvr32'
64              - 'rundll32'
65              - 'schtasks'
66              - 'wget'
67              - 'wscript'
68    condition: all of selection_*
69falsepositives:
70    - Legitimate applications using RunMRU with HTTP links
71level: high

References

• GitHub - JohnHammond/recaptcha-phish: Phishing with a fake reCAPTCHA

  

  Phishing with a fake reCAPTCHA. Contribute to JohnHammond/recaptcha-phish development by creating an account on GitHub.

  
  Read More

• DeepSeek Lure Used To Spread Malware | ThreatLabz

  

  Malicious actors are already creating fraudulent DeepSeek look-alike sites to spread malware using CAPTCHAs.

  
  Read More

• Clipboard hijacker tries to install a Trojan

  

  Criminals are attempting to get users to install malware from the clipboard.

  
  Read More

• Analysis http://sapeconomico.com/ Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• NetSupport RAT Clickfix Distribution

  

  THE THREAT Beginning in early January 2025, eSentire Threat Response Unit (TRU) observed an increase in the number of incidents involving the…

  
  Read More

• The Windows Foreniscs Journey — Run MRU (Run Dialog Box Most Recently Used)

  

  When using the “Run” command box (“Winkey+R”) users can directly launch programs or open files/folders. “Run” includes a dropdown list of…

  
  Read More

• Fix the Click: Preventing the ClickFix Attack Vector

  

  ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware.

  
  Read More

• Preventing Lnk and FakeCaptcha Threats: A System Hardening Approach

  

  LNK files have long been a preferred method for threat actors to deliver and execute malware. They often disguise LNK files to resemble…

  
  Read More

Related rules

• Suspicious ClickFix/FileFix Execution Pattern
• Suspicious Execution via macOS Script Editor
• Symlink Etc Passwd
• Suspicious Usage of For Loop with Recursive Directory Search in CMD
• Potentially Suspicious NTFS Symlink Behavior Modification