
Jul 2025: FILEFIX VERIFICATION THREAT

FileFix Lure Indicators

Threat Alert: FILEFIX VERIFICATION THREAT

  • FileFix lures, an offshoot of ClickFix lures, attempt to disguise themselves as a CAPTCHA or simple verification process designed to allow users to bypass an issue.
  • The end user is presented with a prompt instructing them to copy and paste a script that, unbeknownst to the end user, furthers the attack chain. 

How is it used in the wild?

  • These lures have primarily been observed in web-based threats, where threat actors have compromised legitimate sites.
  • Users who visited the sites were presented with a CAPTCHA challenge to verify that the user was human.
  • To complete the verification, users were prompted to select a “complete verification button” that opened a window in Windows File Explorer and copied a malicious command to the user’s clipboard.
  • Users were prompted to press CTRL+L, which jumps the user to the address bar, enabling the user to quickly type a new path or URL.
  • Users were then prompted to press CTRL+V, which led to a malicious PowerShell script running on behalf of the threat actor.
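
A defender-side check for the chain above, added here as an example and not taken from the original alert: it flags PowerShell started with arguments by File Explorer or a browser in process-creation telemetry. The event field names, the browser list and the sample events are constructed assumptions.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: the Explorer window may be a browser-owned file dialog, so
# browsers are treated as possible parents too. The list is illustrative.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def has_arguments(command_line):
    """True if anything follows the executable token on the command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        rest = cl.partition(" ")[2]
    return bool(rest.strip())

def classify(event):
    """Return None, "medium" or "high" for one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if image not in SHELLS or not has_arguments(event["command_line"]):
        return None  # not PowerShell, or an interactive launch with no command
    if parent in BROWSERS:
        return "high"    # browsers rarely have a reason to start PowerShell
    if parent == "explorer.exe":
        return "medium"  # consistent with a command run from the address bar
    return None

# Constructed sample events (field names are hypothetical, not a product schema).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": f'"{PS}" '},  # Start menu launch, no arguments
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -c "<pasted command placeholder>"'},
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": PS,
     "command_line": 'powershell.exe -c "<pasted command placeholder>"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\constructed\notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev["command_line"])
```

The "medium" tier will also match legitimate shortcuts and scripts that start PowerShell with arguments from Explorer, so treat it as a triage signal to correlate with recent browser activity.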

Key Action: Stay Alert!

  • Avoid copying and pasting commands into File Explorer or the command line unless explicitly instructed by known internal IT personnel or required for operations that are part of your user role.