In recent months, a surge in social engineering techniques has raised alarms across cybersecurity communities. Among these methods, ClickFix has gained attention as a relatively simple but highly effective way to exploit unsuspecting users. If you’re not familiar with ClickFix, it is a social engineering attack that tricks users into executing malicious commands themselves, typically by pasting them into the Windows Run dialog (Windows Key + R). The technique has been surprisingly successful, but it depends entirely on the Run dialog, and that dependency is a weakness: the dialog can be removed through Group Policy, and an instruction to press Windows Key + R is itself a recognizable warning sign for trained users. Its track record nonetheless shows that the effectiveness of ClickFix cannot be denied.
As defenders adapt, one researcher explored an alternative that achieves the same result without the Run dialog. Enter FileFix, a variation of ClickFix that removes that dependency and manipulates users into executing OS commands through the browser’s own file-upload dialog, without ever leaving the browser window.
What is FileFix?
The idea behind the FileFix attack is simple yet innovative. It takes advantage of a feature found in every browser: file upload. Users are familiar with the routine of clicking an “Upload” button, browsing to a file and selecting it, because it appears everywhere from job application portals to webmail. What many don’t realize is that on Windows the file-selection dialog is a File Explorer dialog, and its address bar (the place where users type or paste file paths) can also be used to launch programs: paste a program name with arguments, press Enter, and Windows runs it. The browser plays no part in that decision; it hands the dialog to the operating system and only hears back which file, if any, was chosen. A feature that users never think about, and that browsers do not treat as a security boundary, makes an effective target for social engineering.
In this method, the attacker convinces the user to open the file dialog through a file upload button and paste an attacker-supplied string into its address bar. Windows treats the string as something to launch, so the command executes with the user’s privileges and without any further prompt. The attacker hides the malicious code behind what appears to be a harmless file path, such as C:\company\internal-secure\filedrive\HRPolicy.docx, while in reality the string copied to the clipboard begins with a PowerShell command and the path trails behind a # character, which PowerShell treats as the start of a comment:
Powershell.exe -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx
Everything after the # is ignored by PowerShell; only the command in front of it (here a harmless ping, standing in for a real payload) runs.
The attack takes advantage of a feature that many users aren’t aware of, and because nothing is downloaded and no document or macro is involved, file-based controls never see it. Conventional security tools can miss it entirely unless they look at process telemetry.
How Does FileFix Work?
The attack begins with a phishing page that tells the user to open a file by its path. The page includes an “Open File Explorer” button that, when clicked, opens the browser’s file-selection dialog (on Windows, a File Explorer dialog) and at the same time uses JavaScript to copy the malicious PowerShell command to the clipboard. When the user pastes the supposed file path into the dialog’s address bar and presses Enter, the command executes with that user’s privileges.
Here’s the step-by-step breakdown:
- User interaction: The attacker’s phishing page asks the user to open File Explorer and paste a file path into the address bar.
- Command hidden in plain sight: The pasted text ends with a legitimate-looking path (e.g., C:\company\internal-secure\filedrive\HRPolicy.docx), but the text in front of it is a PowerShell command (in the example, a ping to an external server), and the path sits behind a # comment marker that PowerShell ignores.
- Execution through File Explorer: When the user presses Enter, Windows launches the command from the address bar. It runs with the user’s privileges, giving the attacker a foothold on the system.
Blocking File Selection
An interesting part of the FileFix attack is that the user may, accidentally or deliberately, select a file for upload instead of following the instructions, which would end the attempt. The attacker anticipates this with a script that handles the file input’s change event. If the user selects a file, the code alerts the user, clears the file input and reopens the file dialog, steering the user back to the intended steps.
Here’s the code snippet that blocks the file selection:
// Fires whenever the user actually picks a file in the dialog.
fileInput.addEventListener('change', () => {
  // Scold the user, discard the selection and reopen the picker so
  // they go back to pasting the "path" into the address bar instead.
  alert("Please follow the stated instructions.");
  fileInput.value = "";
  setTimeout(() => fileInput.click(), 500);
});
A Potential Security Concern
One critical aspect of the FileFix attack is that commands launched from the File Explorer address bar do not necessarily trigger the warnings or security alerts users expect. The underlying behaviour isn’t new, but pairing it with the browser’s file dialog is a creative way to leverage a well-known feature that hasn’t been exploited this way before.
For instance, an attacker might have the target download an executable (such as payload.exe), copy its location to the clipboard, and then prompt the user to launch it from the File Explorer address bar. This has been presented as a way around the “Mark of the Web” (MOTW), the Zone.Identifier marker that Windows attaches to files downloaded from untrusted sources and that SmartScreen and Office rely on to treat such files with suspicion, making the file harder for security tools to flag as malicious. Treat that as something to verify rather than assume before relying on it in a test: Get-Item -Path .\payload.exe -Stream Zone.Identifier shows whether the marker is present on the downloaded file, and launching a file from the address bar is not by itself the same as stripping its MOTW, so the SmartScreen behaviour should be checked on the actual launch path.
The Risks of FileFix
FileFix, much like ClickFix, relies on social engineering: the attacker has to convince the user to follow seemingly innocent steps, such as opening File Explorer and pasting a file path. A convincing pretext (an HR portal, a document-sharing notice) or a payload staged for download makes it considerably more effective.
While this technique might seem fairly basic at first glance, its simplicity makes it a potent weapon in the arsenal of cybercriminals. And because it rides on browser functionality that is generally trusted, it can bypass some of the security controls we commonly expect to be in place.
Mitigating the FileFix Attack
While there’s no foolproof way to prevent all social engineering attacks, there are some steps that can help minimize the risk of falling victim to FileFix:
- Educate Users: Make sure employees understand that no legitimate website asks them to paste text into the file dialog’s address bar, and that a file picker that rejects their selection and reopens is a sign something is wrong. Cybersecurity training should cover ClickFix and FileFix alongside classic phishing tactics.
- Endpoint Security: Always ensure that endpoint protection tools are in place, and switch on the logging that records the pasted command: command-line auditing (Security Event ID 4688 with “Include command line in process creation events”) or Sysmon Event ID 1, plus PowerShell script block logging (Event ID 4104).
- Monitor Suspicious Activities: The file dialog runs inside the browser, so a command launched from its address bar shows up as a child of the browser process (chrome.exe, msedge.exe, firefox.exe). Alert on browsers spawning powershell.exe, cmd.exe, mshta.exe or other script hosts, and on command lines containing a # followed by a file path. The Run-dialog variant, ClickFix, produces the same decoy but with explorer.exe as the parent.
- Application Control: Restricting File Explorer itself is not realistic (it is the Windows shell), and browser-based file upload is needed for legitimate work. Instead, use AppLocker or WDAC to block powershell.exe, pwsh.exe, cmd.exe and mshta.exe for standard users who don’t need them, and enforce PowerShell Constrained Language Mode where scripting must remain available.
- OS Configuration: The address bar behaviour belongs to Windows, not the browser, so no browser setting disables it. Group Policy can remove the Run dialog (which mitigates ClickFix but not FileFix) and block the command prompt (“Prevent access to the command prompt”), but application control is what actually stops the pasted command from launching.
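The following Python script is an example added here to show the process-telemetry check the monitoring point above describes; it is not part of the FileFix research or of any Netizen product. It assumes Sysmon Event ID 1 (process creation) records with their Image, ParentImage and CommandLine fields, and it runs over a handful of constructed sample records embedded in the script rather than live logs. Two signals are evaluated: a browser process as the parent of a shell or script host, which is what execution from the file dialog’s address bar produces, and a # comment hiding a file path in the command line, the decoy pattern from the example earlier on this page. The same decoy with explorer.exe as the parent is the ClickFix (Run dialog) case, so the script tells the two apart.

```python
"""Flag FileFix-style command execution in Sysmon process-creation events.

Two signals are checked on every Event ID 1 record:
  1. A browser is the parent of a shell or script host. The file-selection
     dialog runs inside the browser process, so a command launched from its
     address bar is a child of chrome.exe/msedge.exe/firefox.exe.
  2. The command line contains a PowerShell comment marker ('#') followed by
     a Windows path: the decoy that makes the pasted text look like a file.
The Run-dialog variant (ClickFix) produces the same decoy but with
explorer.exe as the parent, so the two signals are reported separately.
"""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}

# '#' followed by a drive-letter (C:\...) or UNC (\\server\...) path. A decoy
# path containing spaces is cut at the first space; enough to recognise it.
DECOY_RE = re.compile(r"#\s*((?:[A-Za-z]:\\|\\\\)\S+)")

# Constructed sample events (made up for this example, not real telemetry),
# reduced to the Sysmon Event ID 1 fields the check needs.
SAMPLE_EVENTS = [
    {   # FileFix: pasted into the file dialog, so the browser is the parent
        "UtcTime": "2025-07-01 10:15:02.100", "User": "CORP\\jdoe",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"Powershell.exe -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx",
    },
    {   # ClickFix: same decoy pasted into Win+R, so explorer.exe is the parent
        "UtcTime": "2025-07-01 10:17:45.300", "User": "CORP\\jdoe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx",
    },
    {   # Benign: the browser starting one of its own renderer processes
        "UtcTime": "2025-07-01 10:18:01.000", "User": "CORP\\jdoe",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
    },
    {   # Benign: a document opened from Explorer; a path, but no '#' before it
        "UtcTime": "2025-07-01 10:20:12.500", "User": "CORP\\jdoe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
    },
    {   # Benign: a developer tool opening an interactive shell, no decoy
        "UtcTime": "2025-07-01 10:22:40.000", "User": "CORP\\jdoe",
        "ParentImage": r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoLogo -NoExit",
    },
]


def split_filefix_command(cmdline):
    """Return (executed, decoy): the part PowerShell actually runs and the
    path hidden behind the '#' comment, or None when there is no decoy."""
    m = DECOY_RE.search(cmdline)
    if not m:
        return cmdline.strip(), None
    return cmdline[:m.start()].strip(), m.group(1)


def analyze_event(event):
    """Return a finding dict for a suspicious event, or None if it is benign."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    executed, decoy = split_filefix_command(event["CommandLine"])
    reasons = []
    if image in SHELLS and parent in BROWSERS:
        reasons.append("browser-spawned-shell")
    if image in SHELLS and decoy is not None:
        reasons.append("decoy-path-in-comment")
    if not reasons:
        return None
    return {"time": event["UtcTime"], "user": event["User"],
            "parent": parent, "image": image,
            "executed": executed, "decoy": decoy, "reasons": reasons}


def analyze_events(events):
    """Run analyze_event over a list of events and keep only the findings."""
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']}: {f['parent']} -> {f['image']} "
              f"[{', '.join(f['reasons'])}]")
        print(f"    runs:  {f['executed']}")
        print(f"    decoy: {f['decoy']}")
```

Run as-is, the script reports the first two records and stays silent on the three benign ones, including the developer tool that legitimately spawns PowerShell. In production you would feed parsed Sysmon or 4688 events in place of SAMPLE_EVENTS and extend BROWSERS and SHELLS to match your fleet; the decoy regex is deliberately loose, because the browser-parent signal on its own is the strong one for FileFix and the comment decoy mainly serves to separate it from the ClickFix case.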
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
