Cybercriminals are exploiting fears of account suspension on Meta platforms to deploy the StealC malware through a deceptive FileFix attack targeting Facebook and Instagram users.
Cybercriminals are continuously evolving their tactics to target social media users, with Meta accounts serving as a prominent lure. The potential loss of access to platforms like Facebook or Instagram can have significant repercussions for both individuals and businesses, making users more susceptible to urgent security alerts. This vulnerability is precisely what the new FileFix campaign exploits, masquerading as routine account maintenance while concealing a malicious trap.
According to researchers at Acronis, a leading cybersecurity and data protection firm, the FileFix attack initiates with a phishing page that mimics a message from Meta’s support team. The message falsely claims that the user’s account will be disabled within seven days unless they view an “incident report.” Instead of providing a legitimate document, the page disguises a harmful PowerShell command as a benign file path.
Victims are instructed to copy this command, open File Explorer, and paste it into the address bar. Although this action appears harmless, it secretly executes code that triggers the malware infection process. This method is part of a broader category of attacks known as ClickFix, where individuals are deceived into pasting commands into system dialogs. The FileFix variant, developed by Red Team researcher mr.d0x, enhances this approach by exploiting the File Explorer address bar. In this campaign, attackers cleverly hide the malicious command behind long strings of spaces, making only the fake file path visible to the victim.
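As an added illustration, not code from the article or from Acronis, the following Python triage check flags process-creation events that match the pattern just described: File Explorer launching a shell whose command line is padded with a long run of whitespace so that only a decoy file path is visible. The event records, the 20-character padding threshold and the decoy file extensions are constructed assumptions, not real telemetry or a published rule.

```python
import re

# Constructed sample process-creation events (not real telemetry). Event 0 mimics
# the FileFix pattern: Explorer launches PowerShell with a command line whose real
# content (redacted here) is pushed off-screen by a long run of spaces, leaving
# only a decoy "incident report" path visible in the address bar.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "<redacted>"' + " " * 200
                + r"C:\Users\Public\Meta_Incident_Report.pdf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /k cd C:\Projects"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed threshold: 20+ consecutive whitespace characters is far beyond what a
# normal command line contains and is what hides the real command from the victim.
PAD_RE = re.compile(r"\s{20,}")
# The decoy the victim sees: a drive-letter path to a document-like file at the
# very end of the command line (assumed extension list).
DECOY_RE = re.compile(r"[A-Za-z]:\\\S+\.(?:pdf|docx?|jpe?g|png|txt)\s*$", re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_filefix_like(event):
    """True when Explorer spawned a shell and the command line is padded to hide itself."""
    if _basename(event["parent"]) != "explorer.exe":
        return False
    if _basename(event["image"]) not in SHELLS:
        return False
    cmd = event["cmdline"]
    return bool(PAD_RE.search(cmd)) and bool(DECOY_RE.search(cmd))


def split_hidden_and_visible(cmdline):
    """Return (part that actually executes, decoy shown to the victim)."""
    m = PAD_RE.search(cmdline)
    if not m:
        return cmdline, ""
    return cmdline[:m.start()], cmdline[m.end():]


def triage(events):
    """Indices of events an analyst should look at."""
    return [i for i, e in enumerate(events) if is_filefix_like(e)]
```

Explorer parenting a shell is not a signal on its own, since explorer.exe launches most user-started programs; the padding run plus the trailing decoy path is what separates this pattern from normal activity. When an event matches, show the analyst both halves from split_hidden_and_visible so the gap between what the victim saw and what ran is obvious.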
Once the victim executes the command, a hidden script downloads what appears to be a JPG image from Bitbucket. However, this file contains embedded code. Upon execution, it extracts another script and decrypts the final payload, successfully bypassing many security tools in the process.
The malware delivered through this campaign is known as StealC, an infostealer designed to collect a broad range of personal and organizational data. It targets browser credentials and authentication cookies from popular browsers such as Chrome, Firefox, and Opera. Additionally, StealC aims at messaging applications like Discord and Telegram, as well as cryptocurrency wallets including Bitcoin and Ethereum. The malware even attempts to compromise cloud accounts from services like Amazon Web Services (AWS) and Azure, along with VPN services and gaming accounts.
Acronis has reported that the FileFix campaign has already manifested in several different iterations over a short period, indicating that the attackers are actively testing and refining their methods to evade detection and enhance their success rates.
To protect against attacks like FileFix and prevent malware such as StealC from compromising sensitive information, users should adopt a combination of caution and practical security measures. It is crucial to remain skeptical of any message claiming that your Meta account or other services will be disabled imminently. Always verify alerts directly through official channels rather than clicking on links or following instructions from emails or web pages.
Furthermore, users should avoid pasting commands into system dialogs, File Explorer, or terminals unless they are entirely certain of their origin. The campaign thrives on the information StealC can extract from devices or linked accounts. Utilizing data removal services can significantly reduce the amount of sensitive personal information available online, thereby minimizing what attackers can exploit if they gain access.
While no service can guarantee complete removal of data from the internet, data removal services can actively monitor and systematically erase personal information from numerous websites, providing peace of mind. By limiting the information available, users can reduce the risk of scammers cross-referencing data from breaches with information found on the dark web.
Additionally, employing strong antivirus software can help detect malware like StealC before it fully executes. Many modern antivirus solutions include behavior-based detection that can flag suspicious scripts or hidden downloads, helping to catch threats even when attackers attempt to disguise their actions.
Using a reputable password manager can also mitigate risks by generating unique passwords for each site. This way, even if one browser or application is compromised, attackers cannot access accounts elsewhere. Users should also check if their email has been exposed in past breaches. Many password managers include built-in breach scanners that alert users if their email addresses or passwords have appeared in known leaks. If a match is found, it is essential to change any reused passwords and secure those accounts with new, unique credentials.
The FileFix campaign illustrates how cybercriminals continue to devise convincing scams that target social media users. While a fake Meta alert may seem urgent, taking a moment to pause before clicking or copying anything can serve as the best defense. By cultivating strong security habits and utilizing protective tools, users can significantly reduce their risk. Data removal services, antivirus software, and password managers each play a vital role in enhancing security. When combined, these measures make it considerably more challenging for attackers to convert a scare tactic into a genuine threat.
Should platforms like Meta take further action to warn users about these evolving phishing tactics? Share your thoughts by reaching out to us.