Microsoft Unveils New DNS-Based ClickFix Attack Exploiting Nslookup for Malware Deployment
Microsoft has recently disclosed a sophisticated evolution of the ClickFix social engineering technique, wherein attackers deceive users into executing commands that perform Domain Name System (DNS) lookups to fetch subsequent malicious payloads. This method leverages the nslookup command—a tool used to query DNS records—initiated through the Windows Run dialog to stage malware.
Understanding ClickFix Attacks
ClickFix attacks have gained prominence over the past two years due to their effectiveness in bypassing security controls by manipulating users into compromising their own systems. Traditionally, these attacks are delivered via phishing emails, malicious advertisements, or drive-by downloads, redirecting victims to deceptive landing pages. These pages often present fake CAPTCHA verifications or prompt users to resolve fictitious issues by entering specific commands into the Windows Run dialog or macOS Terminal.
The success of ClickFix has led to the emergence of several variants, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix, each employing unique methods to exploit user trust and system vulnerabilities.
The New DNS-Based ClickFix Variant
In this latest iteration, the attack initiates when a user executes a command via cmd.exe that performs a DNS lookup against a specified external DNS server, bypassing the system’s default resolver. The command filters the output to extract the ‘Name:’ DNS response, which is then executed as the second-stage payload.
Microsoft’s Threat Intelligence team highlighted this development, stating: “In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver. The output is filtered to extract the ‘Name:’ DNS response, which is executed as the second-stage payload.”
By utilizing DNS as a lightweight staging or signaling channel, attackers can reach infrastructure under their control and establish a validation layer before executing the second-stage payload. This approach reduces reliance on traditional web requests and helps blend malicious activity into normal network traffic, making detection more challenging.
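The staging pattern described above leaves a distinctive footprint in process-creation telemetry: cmd.exe (launched from the Run dialog, so with explorer.exe as its parent) running nslookup with an explicit server argument that is not one of the organisation’s resolvers, and piping the output through findstr or find for the “Name:” line. The following Python is an added detection example, not code from Microsoft or from the article; the Sysmon-style event records, the sanctioned resolver addresses and the host names in it are constructed for illustration.

```python
import re

# Resolvers the organisation sanctions for client DNS (constructed placeholder values).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# They are not real telemetry. The first mimics the pattern the article describes
# (Run dialog -> cmd.exe -> nslookup against a hard-coded server, output filtered
# for the Name: line); the others are ordinary administrator activity.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c nslookup lookup.example 203.0.113.5 | findstr "Name:"'},
    {"ProcessId": 4102, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c nslookup corp-dc01.corp.example 10.0.0.53"},
    {"ProcessId": 4103, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k nslookup www.example.com"},
    {"ProcessId": 4104, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c nslookup -type=a host.example 198.51.100.7 | find "Name"'},
]

# Arguments handed to nslookup, up to the next pipe or command separator.
NSLOOKUP_ARGS = re.compile(r"nslookup(?:\.exe)?\s+(.*?)(?:\||&|$)", re.IGNORECASE)
# Output piped into findstr/find looking for the "Name:" line of the answer.
ANSWER_FILTER = re.compile(r"\|\s*(?:findstr|find)\b.*\bname\b", re.IGNORECASE)


def extract_explicit_server(command_line):
    """Non-interactive nslookup takes `nslookup [options] host [server]`.
    Return the server token when the command names one, otherwise None."""
    m = NSLOOKUP_ARGS.search(command_line)
    if not m:
        return None
    positional = [tok for tok in m.group(1).split() if not tok.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def indicators(event):
    """Return the staging indicators present on one process-creation event."""
    cl = event["CommandLine"]
    if not re.search(r"\bnslookup(?:\.exe)?\b", cl, re.IGNORECASE):
        return []
    found = []
    server = extract_explicit_server(cl)
    if server and server not in SANCTIONED_RESOLVERS:
        found.append(f"hard-coded DNS server {server} outside the sanctioned resolver set")
    if ANSWER_FILTER.search(cl):
        found.append("answer filtered through findstr/find for the Name: line")
    if (event["ParentImage"].lower().endswith("explorer.exe")
            and event["Image"].lower().endswith("cmd.exe")):
        found.append("cmd.exe launched from explorer.exe, consistent with the Run dialog")
    return found


def triage(events, threshold=2):
    """Return [(ProcessId, indicators)] for events with at least `threshold` indicators.
    A lone nslookup from the Run dialog is routine troubleshooting; the combination
    of an external server plus output filtering is what separates staging from noise."""
    hits = []
    for ev in events:
        found = indicators(ev)
        if len(found) >= threshold:
            hits.append((ev["ProcessId"], found))
    return hits


if __name__ == "__main__":
    for pid, found in triage(SAMPLE_EVENTS):
        print(f"PID {pid}:")
        for reason in found:
            print("  -", reason)
```

Run against the constructed events, only PIDs 4101 and 4104 are reported: the admin lookup against a sanctioned resolver and the plain Run-dialog lookup each trip at most one indicator and stay below the threshold. In production the same logic maps directly onto a SIEM query over Sysmon Event ID 1 or EDR process events, with the sanctioned resolver set taken from the DHCP or group policy configuration rather than hard-coded.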
Attack Chain and Payload Execution
Once the initial command is executed, the second-stage payload extracted from the DNS response initiates an attack chain that leads to the retrieval of a ZIP archive from an external server, such as azwsappdev[.]com. Within this archive, a malicious Python script is extracted and executed to perform reconnaissance, run discovery commands, and deploy a Visual Basic Script (VBScript). This VBScript is responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.
Broader Implications and Variants
The evolution of ClickFix attacks underscores the adaptability of cybercriminals in developing new methods to exploit user behavior and system vulnerabilities. For instance, a recent campaign combined ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera. In this case, the attacker used the App-V script to control execution and avoid common, easily recognized execution paths, effectively transforming it into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component.
Another notable campaign employed the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc. The attack began with a phishing email containing an HTML attachment that, when opened, displayed an error message designed to trick users into copying and executing a malicious PowerShell command. This command downloaded and executed a PowerShell script hosted on an adversary-controlled SharePoint server, ultimately leading to the deployment of the Havoc Demon agent on the infected host.
Mitigation Strategies
To protect against such sophisticated attacks, users and organizations should adopt comprehensive security measures, including:
– User Education: Regularly train users to recognize and avoid phishing attempts and social engineering tactics.
– Email Filtering: Implement advanced email filtering solutions to detect and block malicious attachments and links.
– Endpoint Protection: Deploy robust endpoint protection solutions capable of detecting and mitigating malicious activities.
– Network Monitoring: Monitor network traffic for unusual patterns, such as unexpected DNS queries to external servers.
– Regular Updates: Keep all systems and software up to date with the latest security patches to address known vulnerabilities.
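Because the lookup is sent straight to a hard-coded server rather than through the system resolver, resolver-side logging never sees it; the place to catch it is egress traffic on the DNS ports from endpoints to anything other than the sanctioned resolvers (the “unexpected DNS queries to external servers” item above). The following Python is an added example, not code from the article or from Microsoft; the flow records, host names and resolver addresses are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Resolvers clients are expected to use; any other destination on a DNS port is
# worth a look. Constructed placeholder values.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS

# Constructed firewall/flow export, not real traffic. WS-0142 mimics an endpoint
# that queried a hard-coded external server directly, as the article describes;
# WS-0143 only talks to a sanctioned resolver; WS-0144 uses an outside DoT server.
SAMPLE_FLOWS = """\
ts,host,src_ip,dst_ip,dst_port,proto
2024-05-01T09:00:01Z,WS-0142,10.20.30.40,10.0.0.53,53,udp
2024-05-01T09:00:05Z,WS-0142,10.20.30.40,203.0.113.5,53,udp
2024-05-01T09:00:06Z,WS-0142,10.20.30.40,203.0.113.5,53,tcp
2024-05-01T09:01:10Z,WS-0143,10.20.30.41,10.0.1.53,53,udp
2024-05-01T09:02:00Z,WS-0144,10.20.30.42,198.51.100.7,853,tcp
2024-05-01T09:02:30Z,WS-0144,10.20.30.42,203.0.113.80,443,tcp
"""


def flag_rogue_resolver_flows(flow_csv):
    """Group DNS-port flows that bypass the sanctioned resolvers by endpoint.
    Returns {host: [flow dict, ...]} holding only the offending flows."""
    flagged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) not in DNS_PORTS:
            continue  # not DNS traffic
        if row["dst_ip"] in SANCTIONED_RESOLVERS:
            continue  # expected resolver path
        flagged[row["host"]].append(row)
    return dict(flagged)


def summarize(flagged):
    """One line per endpoint: how many rogue DNS flows, and to which servers."""
    lines = []
    for host, flows in sorted(flagged.items()):
        servers = sorted({f"{f['dst_ip']}:{f['dst_port']}/{f['proto']}" for f in flows})
        lines.append(f"{host}: {len(flows)} DNS flow(s) to non-sanctioned resolver(s) "
                     + ", ".join(servers))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(flag_rogue_resolver_flows(SAMPLE_FLOWS))))
```

On the constructed data, WS-0142 and WS-0144 are reported and WS-0143 is not; the HTTPS flow from WS-0144 is ignored because it is not on a DNS port. The same rule expressed as a firewall policy (deny outbound 53 and 853 from the client network except to the sanctioned resolvers, and log the denies) turns this detection into a preventive control, which is the stronger position for a technique whose whole purpose is to reach an attacker-chosen server.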
By staying vigilant and implementing these strategies, individuals and organizations can reduce the risk of falling victim to evolving cyber threats like the DNS-based ClickFix attack.