Microsoft Security Intelligence
Published Apr 20, 2025 | Updated Oct 01, 2025

Behavior:Win32/ClickFix.ZAB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Behavior:Win32/ClickFix.ZAB is not classic malware but the name given to a social engineering technique that manipulates targets into voluntarily starting the infection chain themselves. The lure presents itself as a fake error message, a CAPTCHA, or a bogus urgent security warning, typically shown as a pop-up after the target browses to a low-reputation or malicious website.

The technique combines social engineering with clipboard hijacking: the page places a malicious command on the victim's clipboard and then instructs the user to open the Windows Run dialog (Win + R), paste the clipboard contents (Ctrl + V), and run the command. The command uses living-off-the-land binaries (LOLBins) such as mshta.exe, PowerShell, or curl.exe to download and launch the final payloads.

  • Disconnect the infected computer from all networks, including wired, Wi-Fi, and Bluetooth, to prevent further communication with C2 servers and halt data exfiltration.
  • Manually inspect and clean the Windows Registry, specifically checking for and deleting any unauthorized Run keys, such as HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater.
  • Open the Windows Task Scheduler and thoroughly review the task library, removing any malicious scheduled tasks created for persistence, including those named "ScheduledDefrags" or "Update-out-of-date-20240324001883765674".
  • Navigate to and examine key file system locations, including the %TEMP% and AppData\Roaming directories, and permanently delete any suspicious files or folders identified in threat reports, such as client32.exe or gehoas.log.
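As an added triage example (not Microsoft's code and not part of this page), the following read-only PowerShell script checks a host for the artifacts named in the steps above and for LOLBin commands in the Run dialog history. The RunMRU key as a record of what was pasted into Win + R, and matching the scheduled task name by prefix, are assumptions of this example.

```powershell
# Added example, not Microsoft's code. Read-only triage for ClickFix.ZAB artifacts;
# run in an elevated PowerShell session as the affected user. Nothing is deleted.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Run dialog history (RunMRU). Assumption: Explorer records Win+R entries here,
#    so a pasted ClickFix command usually survives as an entry. Flag the LOLBins the
#    technique uses (mshta, PowerShell, curl) or any remote URL.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    $skip = 'MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty -Path $runMru).PSObject.Properties |
        Where-Object { $_.Name -notin $skip } |
        ForEach-Object {
            if ($_.Value -match '(?i)\b(mshta|powershell|pwsh|curl)\b|https?://') {
                $Findings.Add("RunMRU entry '$($_.Name)': $($_.Value)")
            }
        }
}

# 2. The autostart Run value named in the remediation steps.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = Get-ItemProperty -Path $runKey -Name 'ChromeUpdater' -ErrorAction SilentlyContinue
if ($val) { $Findings.Add("Run key ChromeUpdater -> $($val.ChromeUpdater)") }

# 3. Scheduled tasks named in the remediation steps. Assumption: the numeric suffix
#    of the "Update-out-of-date-..." task varies, so match on the prefix.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq 'ScheduledDefrags' -or $_.TaskName -like 'Update-out-of-date-*' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $Findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName): $actions")
    }

# 4. Dropped files under %TEMP% and AppData\Roaming (%APPDATA%).
foreach ($dir in @($env:TEMP, $env:APPDATA)) {
    foreach ($name in 'client32.exe', 'gehoas.log') {
        Get-ChildItem -Path $dir -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $Findings.Add("File $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
            }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No ClickFix.ZAB artifacts found.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

Treat every hit as a lead for the manual review described in the steps above rather than as proof of infection, since legitimate software can use similar names.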

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
