Concrete signature match: Trojan - Appears legitimate but performs malicious actions for HTML/Web platform, family ClickFix
Trojan:HTML/ClickFix.HAB!MTB is an HTML-based Trojan detected through behavioral analysis. It is designed to execute malicious code via living-off-the-land utilities such as Mshta, Regsvr32, Rundll32, and PowerShell, to establish persistence through scheduled tasks and BITS jobs, and to use system hooking for evasion and control. The threat also exhibits capabilities for remote file copy, network configuration alteration (Netsh helper DLLs), and file deletion.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hash: 22f2a672f252b885ec3b6898323fcce8297e0425d8480bcd71f4b3863f759f3d

Recommended response: Immediately isolate the affected system to prevent further compromise. Conduct a full system scan with updated antivirus software, then thoroughly investigate for persistence mechanisms (e.g., scheduled tasks, BITS jobs, registry modifications) and for signs of data exfiltration or lateral movement. Consider re-imaging the system if the extent of compromise is unclear or if sensitive data may have been affected.