Introduction to Malware Binary Triage (IMBT) Course
Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.
Enroll Now and Save 10%: Coupon Code MWNEWS10
Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.
Background
ClickFix has quickly become a rampant social-engineering tactic. First observed back in October 2023, it aims to trick users into pasting commands into the run dialog box under the guise of verifying the user’s connection and authenticity to the domain. Given its ease of use and ability to bypass technical security measures, adoption of ClickFix has been growing at an alarming rate. [1]
Executive Summary
This investigation began after a user was observed navigating to a legitimate website that prompted the user with a fake Captcha prompt. Once the Fake Captcha prompt instructions had been performed, a curl command to a malicious domain led to malicious scripts and file downloads on the user’s asset. A threat actor is then observed performing domain level reconnaissance from the user’s machine before being caught and locked out by the LevelBlue MDR SOC team. This threat actor has been associated with the Interlock ransomware group, with Indicators of Compromise identified by the LevelBlue Open Threat Exchange (OTX) and other Open-Source Intelligence (OSI) sources such as Sekoia.
The Interlock ransomware group was first observed in September 2024. Unlike most ransomware groups seen today that employ Ransomware as a Service (RaaS) models, this was an independent group. They gained notoriety back in October 2024 when they claimed responsibility for the Texas Tech University Health Sciences Center incident that compromised the data of roughly 1.5 million patients.
In January 2025, researchers at Sekoia observed Interlock expanding their tactics and leveraging the Social Engineering technique now known as ClickFix. [2]
Investigation
The Level Blue MDR team observed two alarms on the same endpoint from Sentinel One which prompted further investigation. During the investigation, our analysts uncovered the threat actors’ tactics, techniques, and procedures (TTPs) and identified indicators of compromise (IOCs) associated with the Interlock ransomware group. Due to the swift action of the LevelBlue MDR team, the attack was contained, and the hashes from the investigation were added to the blocklist within SentinelOne. Click here to read the full blog and learn key takeaways from LevelBlue’s investigation, including recommendations to prevent these attacks from affecting your organization.
[2] https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar
Article Link: Stories from the SOC – ClickFix and Chill, Now | LevelBlue