Cyber: Microsoft Discloses DNS-based ClickFix Attack Using Nslookup For...


Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload.

Specifically, the attack relies on the "nslookup" (short for nameserver lookup) command to perform a custom DNS lookup, with the command itself launched through the Windows Run dialog.

ClickFix is an increasingly popular technique that's traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either through the Windows Run dialog or the macOS Terminal app.

The attack method has become widespread over the past two years since it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

"In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the `Name:` DNS response, which is executed as the second-stage payload."

Microsoft said this new variation of ClickFix uses DNS as a "lightweight staging or signaling channel," enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload.

"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.
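As an added defender-side example (not code from Microsoft or the article), the heuristic below scores Windows process-creation events for the staging pattern described: nslookup pointed at a hard-coded resolver outside the organisation's sanctioned set, output filtered for the `Name:` line, and cmd.exe launched from the Run dialog. Field names follow Sysmon Event ID 1; the sample events and the resolver allowlist are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the organisation's sanctioned resolvers; anything else is suspect.
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Capture nslookup arguments up to the first pipe/chain operator.
NSLOOKUP_RE = re.compile(r"nslookup(?:\.exe)?\s+(?P<args>[^|&]*)", re.IGNORECASE)


def nslookup_server(cmdline):
    """Return the explicit server argument of 'nslookup [-opts] <name> [server]', or None."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group("args").split() if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def is_external_ip(value):
    """True for an IP literal outside RFC 1918 / loopback space (hostnames are not scored)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def score_event(ev):
    """Return (score, reasons) for one Sysmon-style process-creation event."""
    reasons, cmd = [], ev.get("CommandLine", "")
    if "nslookup" not in cmd.lower():
        return 0, reasons
    server = nslookup_server(cmd)
    if server and server not in ALLOWED_RESOLVERS and is_external_ip(server):
        reasons.append(f"hard-coded external resolver {server}")
    if re.search(r"\bName:", cmd):
        reasons.append("filters nslookup output for the Name: response line")
    if ev.get("ParentImage", "").lower().endswith("explorer.exe") and \
            ev.get("Image", "").lower().endswith("cmd.exe"):
        reasons.append("cmd.exe spawned by explorer.exe (Run dialog)")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Indices of events whose score reaches the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c nslookup -type=txt placeholder.example 203.0.113.5 | findstr Name:"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c nslookup host.corp.example 10.0.0.53"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -c nslookup mail.example"},
]
```

Only the first constructed event reaches the alert threshold; a routine lookup against a sanctioned resolver from the Run dialog scores one point and is not flagged on its own.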

The downloaded payload subsequently initiates an attack chain that leads to the download of a ZIP archive from an external server ("azwsappdev[.]com"), from which a malicious Python script is extracted and run to conduct reconnaissance, run discovery commands, and drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.

To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware

Source: The Hacker News