Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: ClickFix
Trojan:Win32/ClickFix.R!ml is a sophisticated and confirmed malware that leverages multiple legitimate Windows binaries such as mshta, regsvr32, rundll32, and PowerShell for execution, evasion, and persistence. It exhibits advanced capabilities including API hooking for keylogging (WH_KEYBOARD), creating scheduled tasks, utilizing BITS jobs, and performing data encoding, indicating a clear intent for covert surveillance and system control.
Relevant strings associated with this threat:
- !#HSTR:IntentBase64 (PEHSTR_EXT)
- ToBase64String (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- regsvr32 (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- WH_KEYBOARD (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
Immediately isolate the affected endpoint from the network. Perform a full, deep system scan with updated antivirus software to remove the Trojan and any associated components. Manually investigate and remove any established persistence mechanisms (e.g., scheduled tasks, registry modifications). Reset all user credentials, especially if keylogging was active, and ensure the operating system and all applications are fully patched.