Threat actors are getting clever with their tactics. They’re now using DNS queries in ClickFix social engineering attacks to deliver malware. This marks a new approach, as DNS is typically not seen as a channel for such activities.
ClickFix attacks usually trick users into running harmful commands by pretending to fix issues or installing updates. However, this new variant adds a twist: attackers use their own DNS servers to send malware during DNS lookups.
Malicious PowerShell Script Delivered via DNS
Microsoft has spotted this new ClickFix method. Victims are asked to run the nslookup command, which targets a malicious DNS server instead of the usual one. This server returns a PowerShell script that executes on the user’s device, installing malware.
Researchers from Microsoft highlight this alarming trend. They noted that attackers have found ways to disguise their actions by asking users to run a command that looks harmless.
While the specific bait to lure users isn’t clear, the attack uses the Windows Run dialog. The command initiates a DNS lookup for “example.com” against the attacker’s DNS server, executing the returned response through the command interpreter.
The response includes a “NAME:” field that carries the second stage of the attack, a malicious PowerShell payload. Although this DNS server is no longer active, while the campaign ran the script it served downloaded additional malware from the attackers’ infrastructure.
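The mechanism described above leaves a recognisable footprint in endpoint telemetry: nslookup.exe started from the Run dialog (so its parent is explorer.exe) with an explicit server argument that is not one of the organisation's own resolvers. The following detector is an added example written for this article, not code from Microsoft or from the campaign; it runs over constructed process-creation records modelled on Sysmon Event ID 1 fields, and the resolver allowlist, IP addresses and file paths are assumptions to be replaced with your own environment's values.

```python
"""
Added example (not from the original article): flag nslookup executions that
name a DNS server outside the corporate resolver set, raising severity when
the process was launched from Explorer (the Windows Run dialog).
"""
from dataclasses import dataclass

# Assumption: the organisation's sanctioned resolvers. Adjust for your environment.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (subset of Sysmon Event ID 1 fields)."""
    image: str
    parent_image: str
    command_line: str


# Constructed sample events; addresses are documentation ranges, not real IoCs.
SAMPLE_EVENTS = [
    # Run dialog -> nslookup against an external, untrusted resolver (the ClickFix pattern)
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\explorer.exe",
              "nslookup example.com 203.0.113.7"),
    # Admin in a terminal resolving an internal name with the default resolver: benign
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
              "nslookup intranet.corp.example"),
    # Run dialog, but the server named is a corporate resolver: benign
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\explorer.exe",
              "nslookup -type=txt example.com 10.0.0.53"),
    # Unrelated process from Explorer: ignored
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              "notepad.exe"),
    # Terminal session querying an untrusted resolver: worth a look, lower confidence
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
              "nslookup example.com 198.51.100.9"),
]


def parse_nslookup(command_line):
    """Return (host, server) from an nslookup command line, or None if not nslookup.

    nslookup's non-interactive syntax is: nslookup [-option ...] host [server]
    so after discarding '-' options, the first positional is the name queried
    and the second, if present, is the server the query is sent to.
    """
    tokens = command_line.split()
    if not tokens or "nslookup" not in tokens[0].lower():
        return None
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    host = positional[0] if positional else None
    server = positional[1] if len(positional) > 1 else None
    return host, server


def assess(event):
    """Return an alert dict when nslookup targets an untrusted resolver, else None."""
    if not event.image.lower().endswith("nslookup.exe"):
        return None
    parsed = parse_nslookup(event.command_line)
    if parsed is None:
        return None
    host, server = parsed
    # No explicit server, or a sanctioned one: nothing to report.
    if server is None or server in TRUSTED_RESOLVERS:
        return None
    # explorer.exe as parent means the command came from the Run dialog or a
    # shortcut rather than an interactive terminal, which matches ClickFix lures.
    from_run_dialog = event.parent_image.lower().endswith("explorer.exe")
    return {
        "host": host,
        "server": server,
        "parent": event.parent_image,
        "severity": "high" if from_run_dialog else "medium",
    }


def scan(events):
    """Run assess() over a sequence of events and collect the alerts."""
    return [alert for alert in (assess(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] nslookup {alert['host']} via {alert['server']} "
              f"(parent: {alert['parent']})")
```

The allowlist check deliberately keys on the server argument rather than on the queried name, since the article notes the lure resolves an innocuous-looking name such as “example.com”; what distinguishes the attack is where the query is sent and from which parent process. Pair this with DNS-layer monitoring for responses whose record text resembles shell syntax.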
This attack typically ends with a ZIP file containing a malicious Python executable. This executable performs reconnaissance on the infected system and sets up persistence by creating startup files, ensuring the malware runs whenever the device is restarted.
The final payload is a remote access trojan known as ModeloRAT. This allows attackers to control the compromised system remotely. Using DNS for the attack not only hides the malicious activity among regular DNS traffic but also allows for easy adjustments to the payloads.
Evolving ClickFix Attacks
ClickFix attacks are evolving rapidly. In the past year, attackers have tried many new delivery methods and payloads against various operating systems. Earlier campaigns often required users to directly run PowerShell or shell commands to install malware.
Recently, a ClickFix variant named ConsentFix was discovered. It hijacks Microsoft accounts without needing a password, bypassing multi-factor authentication (MFA). This represents a significant shift in the capability of threat actors.
With AI language models becoming more prevalent, attackers are now exploiting platforms like ChatGPT and Grok to spread fake guides for ClickFix attacks. Some of the latest campaigns even exploited Pastebin comments to trick cryptocurrency users into running malicious JavaScript on exchange websites, hijacking transactions instead of deploying malware.
This illustrates a worrying trend: attackers are getting more sophisticated and creative. As threats evolve, both individuals and organizations must stay vigilant to protect their systems and information.
For further reading on cybersecurity trends, you can follow insights from trusted sources like the Cybersecurity & Infrastructure Security Agency (CISA) for the latest updates and tips.