• Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. • Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog. • ClickFix is an increasingly popular technique that’s traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either through the Windows Run dialog or the macOS Terminal app. • The attack method has become widespread over the past two years since it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. • The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix. • “In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X.
Article Summaries:
- Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog. ClickFix is an increasingly popular technique that’s traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that ho
Sources: