Thousands of compromised websites abused by DriveSurge in active ClickFix and FakeUpdates campaigns


  • SilentPush researchers uncovered DriveSurge, a large‑scale ClickFix campaign
  • Victims are profiled and served either ClickFix or FakeUpdates
  • Access is later sold on the dark web

An ongoing ClickFix campaign has infected thousands of computers with backdoor malware. This is according to security researchers SilentPush, who said the threat actors are selling the access on the dark web.

The campaign, dubbed DriveSurge, starts on poorly secured websites, where criminals inject malicious scripts. These scripts act as lightweight beacons, passing visitor data to a remote Traffic Distribution System (TDS) called zTDS. There, the visitors are evaluated and, if deemed a target, the zTDS server instructs the script to load a ClickFix overlay.

Bots and researchers are served the legitimate webpage to avoid being detected.
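Because the injected beacon only fires for profiled visitors, a site owner can check their own pages for this kind of conditional injection by fetching a page once as a browser and once as a crawler and diffing the scripts. The following is an added example, not code from the Silent Push report; the HTML and hostnames are constructed placeholders.

```python
"""Cloaking check for site owners: compare the scripts a page serves to a
browser-like client with those served to a crawler-like client.
Constructed example; not code from Silent Push or the DriveSurge report."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []          # external script sources
        self.inline = 0         # number of non-empty inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def script_hosts(html):
    """Return (set of external script hostnames, inline script count).
    Relative script paths map to the empty string."""
    p = _ScriptCollector()
    p.feed(html)
    return {urlparse(s).hostname or "" for s in p.srcs}, p.inline


def cloaking_diff(browser_html, crawler_html, own_host):
    """Third-party script hosts (and extra inline scripts) present only in the
    browser-served copy. A non-empty result means the site serves different
    code depending on who asks, which is how the beacon hides from bots."""
    b_hosts, b_inline = script_hosts(browser_html)
    c_hosts, c_inline = script_hosts(crawler_html)
    extra = {h for h in b_hosts - c_hosts if h not in ("", own_host)}
    return {"extra_hosts": sorted(extra), "extra_inline": b_inline - c_inline}


# Constructed sample pages (placeholder hostnames, not real indicators).
CLEAN = '<html><head><script src="/static/app.js"></script></head><body>ok</body></html>'
INJECTED = CLEAN.replace("</head>",
    '<script src="https://beacon.example-tds.invalid/t.js"></script>'
    '<script>window.__t=1</script></head>')

if __name__ == "__main__":
    print(cloaking_diff(INJECTED, CLEAN, "www.example.com"))
```

In practice the two copies come from two fetches of the same URL with different User-Agent headers; the example feeds in constructed HTML so it runs offline.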

Thousands of websites used

Depending on the profiling, the victims can be served either ClickFix or FakeUpdates. The goal is the same – the execution just slightly varies. In both cases, the victims are shown a problem (for example, their browser is outdated). In ClickFix, they are offered a solution (copying and pasting a command into the Windows Run or Terminal programs), while in FakeUpdates, they are directly served an executable that installs the malware.

In both cases, the victims end up with a backdoor that grants the attackers unabated access to the target’s system. They later sell it on the dark web to other groups, who can use it for different things, such as data exfiltration, identity theft, wire fraud, or ransomware.

The exact number of websites being leveraged in this campaign has not been shared. However, SilentPush said the attackers compromised “thousands” of websites, and that the entire DriveSurge campaign is working at a very large scale. “Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push said in the report.

Defending against ClickFix and FakeUpdates attacks is rather simple – only download updates from reputable sources and never paste commands in Run and Terminal at a website’s request.


Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
