A novel variant of the ClickFix social engineering campaign is now leveraging a custom DNS hijacking tactic to propagate malware. This sophisticated attack exploits DNS queries to execute further infection stages, effectively evading conventional detection mechanisms by blending into standard network operations.
How ClickFix Attacks Deceive Users
ClickFix attacks employ deception through fake error alerts, such as counterfeit CAPTCHA challenges or misleading ‘fix this issue’ prompts on compromised web pages. These tactics manipulate users into copying a specific script to their clipboard and executing it via basic system dialogs like the Run command or PowerShell.
While earlier versions like CrashFix used fake browser crashes to create urgency, the latest iteration employs an advanced evasion technique involving the Domain Name System (DNS). This method facilitates the attack’s stealth and efficacy.
The Technical Evade Strategy
Upon execution of the initial harmful command, the script uses cmd.exe to perform a DNS lookup directed at an attacker-controlled server, bypassing the system’s usual internet resolver. The script analyzes this DNS response, specifically extracting data from the Name: field, which contains the code for the subsequent payload stage.
This innovative approach transforms DNS into a lightweight staging environment, enabling attackers to verify target activity before deploying more substantial malware components. Given the ubiquitous nature of DNS traffic in networks, this method effectively conceals malicious actions.
Infection Process and Impact
Microsoft Defender researchers have noted that following the DNS-triggered second stage, the attack sequence downloads a ZIP archive with a portable Python setup. The malicious Python script executes to perform host and domain reconnaissance, ensuring continued access by deploying a VBScript and establishing a shortcut named MonitoringService.lnk in the Windows Startup directory.
The campaign’s final payload is a Remote Access Trojan (RAT) known as ModeloRAT, which is detected and neutralized by Microsoft Defender Antivirus under the threat signature Trojan:Win32/ClickFix.R!ml. This threat highlights the importance of robust cybersecurity measures to counter evolving attack strategies.
Stay updated on the latest cybersecurity news by following us on Google News, LinkedIn, and X. Reach out to feature your stories.
