New FileFix attack uses cache smuggling to evade security software www.bleepingcomputer.com/news/secu…

A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim’s system while bypassing security software. The phishing lure impersonates a “Fortinet VPN Compliance Checker” and was first spotted by security researcher P4nd3m1cb0y, who shared details about it on X.

For those not familiar with FileFix, it is a variant of the ClickFix social engineering attack and was developed by security researcher Mr.d0x. Instead of tricking users into pasting malicious commands into operating system dialogs, it has them paste the command into the Windows File Explorer address bar, which runs PowerShell with little visible indication to the user.

In the new phishing attack, a website displays a dialog posing as a Fortinet VPN “Compliance Checker” that directs users to paste what looks like a legitimate network path to a Fortinet program on a network share. While the lure displays the path “\Public\Support\VPN\ForticlientCompliance.exe”, the text actually copied to the clipboard is much longer: it is padded with 139 spaces, which pushes the malicious PowerShell command it carries out of the visible portion of the address bar.

When a visitor loads the phishing page carrying the FileFix lure, JavaScript on the page instructs the browser to fetch what is served as a JPEG image. The content is actually a ZIP archive […], which is later written out as ComplianceChecker.zip and unzipped. Because the HTTP response declares the fetched file as “image/jpeg”, the browser writes it to its on-disk cache as it would any legitimate image, even though it is not one. Since this fetch happens before the victim pastes the PowerShell command into File Explorer, the file is already sitting in the cache when the command runs, so the archive can be carved out of it without PowerShell making any network request of its own. The script then launches FortiClientComplianceChecker.exe from the extracted archive to execute the malicious code.
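The artefact this technique leaves behind is a cached “image” whose bytes are really a ZIP archive. The following scanner is an added example, not code from the article or from the researchers it cites: it walks a cache-style directory and flags files that carry a ZIP archive, whether the archive is the whole file or is glued behind genuine JPEG bytes. The flat one-file-per-response cache layout, the sample file names and the archive contents are constructed assumptions for the demonstration; real browser caches add their own index and metadata formats on top.

```python
# Added example (not code from the article or its cited researchers): find
# cached "images" that actually contain a ZIP archive, the on-disk trace that
# cache smuggling leaves.  Cache layout and sample data are constructed.
import io
import os
import struct
import tempfile
import zipfile

JPEG_SOI = b"\xff\xd8\xff"          # start-of-image marker every JPEG begins with
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # signature of the first ZIP local file header
ZIP_EOCD = b"PK\x05\x06"            # end-of-central-directory signature
EOCD_FIXED_LEN = 22                 # EOCD fixed part; comment length lives at +20


def find_embedded_zip(data: bytes):
    """Locate a ZIP archive inside an arbitrary byte blob.

    Returns (start, end, member_names) or None.  Covers both a bare ZIP served
    under an image MIME type and a ZIP appended after real JPEG bytes.
    """
    start = data.find(ZIP_LOCAL_HEADER)
    eocd = data.rfind(ZIP_EOCD)
    if start < 0 or eocd < start or eocd + EOCD_FIXED_LEN > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    end = eocd + EOCD_FIXED_LEN + comment_len
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
            if zf.testzip() is not None:      # CRC failure: not a usable archive
                return None
            return start, end, zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_cache_dir(directory: str) -> dict:
    """Map each cached file that hides a ZIP to the archive's member names."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        hit = find_embedded_zip(data)
        if hit is not None:
            findings[name] = hit[2]
    return findings


def _make_zip(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def build_samples(directory: str) -> None:
    """Write three constructed cache entries: a clean JPEG, a JPEG with a ZIP
    appended, and a bare ZIP that was served as image/jpeg."""
    archive = _make_zip("FortiClientComplianceChecker.exe",
                        b"placeholder bytes, not a real binary")
    samples = {
        "legit.jpg": JPEG_SOI + b"\xe0" + bytes(64),
        "smuggled.jpg": JPEG_SOI + b"\xe0" + bytes(64) + archive,
        "bare.jpg": archive,
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed cache in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_cache_dir(tmp)


if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: ZIP archive hidden inside, members = {members}")
```

Pointing `scan_cache_dir` at a real cache directory is a quick triage step on a suspected host; the magic-byte check matters because the declared Content-Type is exactly what the attacker controls, so a detector that trusts it learns nothing.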

“This technique, known as cache smuggling, enables the malware to bypass many different types of security products,” explains [cybersecurity researcher Marcus] Hutchins.

In addition to the new cache-smuggling FileFix variant, researchers at Palo Alto Unit 42 discovered a new ClickFix kit called the “IUAM ClickFix Generator,” which automates the creation of ClickFix-style lures.

Edward Kiledjian @ekiledjian