Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload.
Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.
ClickFix is an increasingly popular technique that’s traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either through the Windows Run dialog or the macOS Terminal app.
The attack method has become widespread over the past two years since it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
“In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the `Name:` DNS response, which is executed as the second-stage payload.”
Microsoft said this new variation of ClickFix uses DNS as a “lightweight staging or signaling channel,” enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload.
“Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic,” the Windows maker added.
The downloaded payload subsequently initiates an attack chain that leads to the download of a ZIP archive from an external server (“azwsappdev[.]com”), from which a malicious Python script is extracted and run to conduct reconnaissance, run discovery commands, and drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.
To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is automatically launched every time the operating system is started.Â
The disclosure comes as Bitdefender warned of a surge in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt-version of CastleLoader, a malware loader associated with a threat actor codenamed GrayBravo (formerly TAG-150).
CastleLoader incorporates checks to determine the presence of virtualization software and specific security programs before decrypting and launching the stealer…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
