
John Hammond Discusses New Filefix Attack Technique
In this video, John Hammond discusses a new attack technique called Filefix, an alternative to ClickFix. ClickFix is an attack method that tricks users into executing malicious software by following step-by-step instructions. Typically, the attack asks the victim to open the Windows "Run" dialog box by pressing the Windows key and the R key, then paste a malicious command previously copied to the clipboard. This technique relies on the victim's naivety but has been very effective in recent years.

Hammond explains that Filefix uses a different approach to achieve the same goal. Instead of the "Run" dialog box, this method abuses the address bar of Windows Explorer. When users download a file via a web browser, a Windows Explorer window opens to select the file. By navigating in the address bar at the top of this window, it is possible to execute commands by entering the full path of a program: for example, typing "notepad" and pressing Enter opens Notepad. In the same way, a malicious command can be executed.

Hammond demonstrates how this technique can be implemented using an HTML element with an input type equal to "file". When the user clicks to download a file, the Windows Explorer window opens, and the user can be prompted to paste a malicious command into the address bar. The command can be hidden in the middle of what looks like a legitimate file path to deceive the user. Hammond shows a practical example using an HTML file that contains all the code necessary for this attack.

The video also explores the practical implications of this technique. For example, attackers can use convincing pretexts to induce users to follow the instructions, such as pretending that a file has been shared with them. Hammond also discusses ways to block the actual download so that users do not notice the deception. He mentions that executable files launched via the Windows Explorer address bar do not carry the "Mark of the Web" attribute, which allows certain security measures to be bypassed.
Hammond also addresses possible countermeasures. For example, defense teams can look for specific indicators, such as the execution of PowerShell commands or executables as child processes of web browsers. He mentions that tools like Microsoft Defender can already detect some variants of this attack.

In conclusion, the video highlights a new social engineering technique that exploits the Windows Explorer address bar to execute malicious commands. This method, although simple, can be very effective if users are not vigilant. Awareness and education remain the best defenses against such attacks.
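The detection indicator Hammond describes (a command interpreter or an executable started as a child process of a web browser) is straightforward to express over process-creation telemetry. The following Python script is an added example written for this summary; it is not code from the video. It runs over a constructed, pipe-delimited export of Sysmon-style process-creation events (the field names `EventId`, `ParentImage`, `Image`, `CommandLine` and all paths and values are made up here), flags browser children that are known interpreters or that live in user-writable directories, and deliberately ignores the copies of themselves that browsers spawn for renderer, GPU and utility work, since those would otherwise drown the signal. The browser and interpreter name lists are assumptions to be tuned to the environment.

```python
"""Flag process-creation events where a web browser is the parent of a command
interpreter or of an executable located in a user-writable directory.

Added example accompanying the video summary; not code from the video.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Assumption: image names of the browsers deployed in the environment.
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
}

# Assumption: interpreters and utilities a pasted address-bar command would invoke.
INTERPRETER_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Path fragments that identify directories an ordinary user can write to.
USER_WRITABLE_MARKERS = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\",
)

# Constructed sample log: pipe-delimited Sysmon-like process-creation events.
# Every path, user name and command line below is made up for this example.
SAMPLE_LOG = """EventId|ParentImage|Image|CommandLine
1|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe
1|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --type=renderer
1|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -Command "<placeholder pasted command>"
1|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|C:\\Windows\\System32\\notepad.exe|notepad
1|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Users\\alice\\Downloads\\setup.exe|setup.exe
1|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|msedge.exe --type=utility
"""


@dataclass
class Alert:
    event_id: str
    parent: str
    child: str
    command_line: str
    reason: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(row: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious browser child process, else None."""
    parent = image_name(row["ParentImage"])
    child = image_name(row["Image"])
    if parent not in BROWSER_IMAGES:
        return None
    # Browsers routinely spawn copies of themselves (renderer, GPU, utility
    # processes); those are expected and excluded to keep the rule quiet.
    if child == parent:
        return None
    if child in INTERPRETER_IMAGES:
        return Alert(row["EventId"], parent, child, row["CommandLine"],
                     "command interpreter spawned by a browser")
    child_path = row["Image"].replace("/", "\\").lower()
    if any(marker in child_path for marker in USER_WRITABLE_MARKERS):
        return Alert(row["EventId"], parent, child, row["CommandLine"],
                     "executable in a user-writable directory spawned by a browser")
    return None


def analyze_log(text: str) -> List[Alert]:
    """Parse a pipe-delimited event export and return all alerts in order."""
    # QUOTE_NONE keeps quote characters inside command lines literal.
    reader = csv.DictReader(io.StringIO(text), delimiter="|", quoting=csv.QUOTE_NONE)
    return [alert for alert in map(analyze_event, reader) if alert is not None]


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f"[event {alert.event_id}] {alert.parent} -> {alert.child}: "
              f"{alert.reason} | {alert.command_line}")
```

Run against the sample, the rule fires on the PowerShell child of chrome.exe and on the executable started from the Downloads folder by firefox.exe, while the browser's own helper processes and the Notepad launch stay silent. In a real deployment the same two conditions map directly onto a SIEM or EDR query over parent/child image pairs; widening the interpreter list or treating any non-browser child as at least informational trades noise for coverage.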