Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.

Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka 'LandUpdate808') to deliver payloads through compromised websites. The ransomware operation leveraged ClickFix to infect targets, but its pivot to FileFix indicates that the attacker is quick to adapt to stealthier attack methods.

FileFix is a social engineering attack technique developed by security researcher mr.d0x. It's an evolution of the ClickFix attack, which became one of the most widely employed payload distribution methods over the past year. In the FileFix variation, the attacker weaponizes trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to trick users into executing malicious PowerShell or JavaScript code without displaying any security warnings.

Interlock ransomware launched in September 2024, claiming notable victims like Texas Tech University, DaVita, and Kettering Health. In June, researchers found a PHP-based variant of Interlock RAT used in the wild, which was delivered using the same KongTuke injector.

This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA verification and then paste into a Run dialog content that had been automatically saved to the clipboard, a tactic consistent with ClickFix attacks. The trick led users to execute a PowerShell script that fetched and launched a Node.js-based variant of the Interlock RAT.

Earlier this month, a significant change in the delivery wrapper occurred, with Interlock switching to the FileFix variation of the ClickFix method as its preferred delivery method. In the recent Interlock attacks, targets are asked to paste a command disguised with a fake file path into File Explorer, leading to the download of the PHP RAT from 'trycloudflare.com' and its execution on the system. The string is a PowerShell command disguised to look like a file path using comment syntax.

Post-infection, the RAT executes a series of PowerShell commands to gather system and network information and exfiltrates this data as structured JSON to the attacker. The command and control (C2) server can send shell commands for the RAT to execute, introduce new payloads, add persistence via a Registry run key, or move laterally via remote desktop (RDP).

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
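The FileFix lure described above pastes a PowerShell command into File Explorer with a trailing '#' comment that makes it look like a file path. The following is an added detection example, not code from the article or from any of the researchers it cites: it scans constructed process-creation records (Sysmon Event ID 1 style fields, assumed here) and flags PowerShell launched with explorer.exe as its parent whose command line ends in a comment carrying a drive-letter path.

```python
import re

# Constructed sample process-creation records; not real logs from the
# article or from any incident. Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Benign: user opened PowerShell from the Start menu (no arguments)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # Suspicious: Explorer launched PowerShell, and the command line ends in a
    # '#' comment holding a fake path (the FileFix lure shape; harmless command here)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -c "Write-Host test" # C:\Company\Internal-Secure\Q3-Report.pdf'},
    # Benign: scheduled-task script with a comment, but the parent is not Explorer
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'powershell.exe -File C:\Scripts\backup.ps1 # nightly'},
]

# A PowerShell comment ('#') followed by a Windows drive-letter path that runs
# to the end of the command line: the "disguised as a file path" pattern.
FAKE_PATH_COMMENT = re.compile(r'#\s*[A-Za-z]:\\[^"]*$')


def is_filefix_like(event):
    """True when PowerShell is spawned by explorer.exe with a trailing fake-path comment."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    # Pasting into the Explorer address bar makes explorer.exe the parent (assumption)
    if not parent.endswith("explorer.exe"):
        return False
    return bool(FAKE_PATH_COMMENT.search(cmd))


def scan(events):
    """Return the command lines of all events matching the FileFix lure shape."""
    return [e["CommandLine"] for e in events if is_filefix_like(e)]


if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("FileFix-like launch:", cmd)
```

The parent-process condition is what separates this from ordinary interactive PowerShell use; tune the regex if your environment legitimately passes paths inside comments.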
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 14 Jul 2025 18:40:19 +0000